Cisco ASR 9000 Series Aggregation Services Router System Security Configuration Guide
Implementing Traffic Storm Control under a VPLS Bridge on Cisco ASR 9000 Series Routers
Download this chapter
Implementing Traffic Storm Control under a VPLS Bridge on Cisco ASR 9000 Series RoutersImplementing Traffic Storm Control under a VPLS Bridge on Cisco ASR 9000 Series Routers
Download the complete book
Cisco ASR 9000 Series Aggregation Services Router System Security Configuration Guide book PDFCisco ASR 9000 Series Aggregation Services Router System Security Configuration Guide book PDF (PDF - 1 MB)
 Feedback

Table Of Contents

Implementing Traffic Storm Control under a VPLS Bridge on Cisco ASR 9000 Series Routers

Contents

Prerequisites for Implementing Traffic Storm Control

Restrictions for Implementing Traffic Storm Control

Information About Implementing Traffic Storm Control

Understanding Traffic Storm Control

Traffic Storm Control Defaults

Supported Traffic Types for Traffic Storm Control

Supported Ports for Traffic Storm Control

Traffic Storm Control Thresholds

Traffic Storm Control Drop Counters

How to Configure Traffic Storm Control

Enabling Traffic Storm Control on an AC under a Bridge

Enabling Traffic Storm Control on a PW under a Bridge

Clearing Traffic Storm Control Drop Counters

Configuration Examples for Traffic Storm Control

Configuring Traffic Storm Control on an AC: Example

Configuring Traffic Storm Control on an Access PW: Example

Additional References

Related Documents

Standards

MIBs

RFCs

Technical Assistance


Implementing Traffic Storm Control under a VPLS Bridge on Cisco ASR 9000 Series Routers

Traffic storm control provides Layer 2 port security under a Virtual Private LAN Services (VPLS) bridge by preventing excess traffic from disrupting the bridge. This module describes how to implement traffic storm control on Cisco ASR 9000 Series Aggregation Services Routers.

Feature History for Traffic Storm Control on Cisco ASR 9000 Series Routers

Release
Modification

Release 3.7.2

Traffic storm control for attachment circuits (ACs) and access pseudowires (PWs) under a VPLS bridge was introduced on Cisco ASR 9000 Series Routers.

Release 3.9.0

No modification.


Contents

Prerequisites for Implementing Traffic Storm Control

Restrictions for Implementing Traffic Storm Control

Information About Implementing Traffic Storm Control

How to Configure Traffic Storm Control

Configuration Examples for Traffic Storm Control

Additional References

Prerequisites for Implementing Traffic Storm Control

The following prerequisites are required before implementing traffic storm control:

The network must be configured with a VPLS bridge domain in an MPLS Layer 2 VPN.

You must be in a user group associated with a task group that includes the proper task IDs. The command reference guides include the task IDs required for each command.

If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Restrictions for Implementing Traffic Storm Control

In Cisco IOS XR Release 3.7 FCI, the following restrictions apply:

Traffic storm control is not supported directly on the bridge domain. The feature must be configured on Ethernet flow points (EFPs) under the bridge domain, using bridge domain submodes. The supported submodes are those used for configuring ACs and access PWs.

Traffic storm control is not supported for aggregated EFPs (bundles).

Traffic storm control is not supported for forwarding pseudowires (VFI PWs).

Immediately after an route switch processor (RSP) failover, traffic storm control drop counters might not be accurate. This loss of counter information after a failover is expected behavior for Cisco IOS XR software counters.

No alarms are generated when packets are dropped.

Information About Implementing Traffic Storm Control

To implement traffic storm control, you should understand the following concepts:

Understanding Traffic Storm Control

Traffic Storm Control Defaults

Supported Traffic Types for Traffic Storm Control

Supported Ports for Traffic Storm Control

Traffic Storm Control Thresholds

Traffic Storm Control Drop Counters

Understanding Traffic Storm Control

A traffic storm occurs when packets flood a VPLS bridge, creating excessive traffic and degrading network performance. Traffic storm control prevents VPLS bridge disruption by suppressing traffic when the number of packets reaches configured threshold levels. You can configure separate threshold levels for different types of traffic on each port under a VPLS bridge.

Traffic storm control monitors incoming traffic levels on a port and drops traffic when the number of packets reaches the configured threshold level during any 1-second interval. The 1-second interval is set in the hardware and is not configurable. The number of packets allowed to pass during the 1-second interval is configurable, per port, per traffic type.

The thresholds are configured using a packet-per-second rate. When the number of packets of the specified traffic type reaches the threshold level on a port, the port drops any additional packets of that traffic type for the remainder of the 1-second interval. At the beginning of a new 1-second interval, traffic of the specified type is allowed to pass on the port.

Traffic storm control has little impact on router performance. Packets passing through ports are counted regardless of whether the feature is enabled. Additional counting occurs only for the drop counters, which monitor dropped packets.

No alarms are produced when packets are dropped.

Traffic Storm Control Defaults

The traffic storm control feature is disabled by default. It must be explicitly enabled on each port for each traffic type.

The traffic storm control monitoring interval is set in the hardware and is not configurable. On the Cisco ASR 9000 Series Routers, the monitoring interval is always 1 second.

Supported Traffic Types for Traffic Storm Control

On each VPLS bridge port, you can configure up to three storm control thresholds—one for each of the supported traffic types. If you do not configure a threshold for a traffic type, then traffic storm control is not enabled on that port or interface for that traffic type.

The supported traffic types are:

Broadcast traffic—Packets with a packet destination MAC address equal to FFFF.FFFF.FFFF.

Multicast traffic—Packets with a packet destination MAC address not equal to the broadcast address, but with the multicast bit set to 1. The multicast bit is bit 0 of the most significant byte of the MAC address.

Unknown unicast traffic—Packets with a packet destination MAC address not yet learned.

Traffic storm control does not apply to bridge protocol data unit (BPDU) packets. All BPDU packets are processed as if traffic storm control is not configured.

Supported Ports for Traffic Storm Control

In Cisco IOS XR Release 3.7 FCI, you can configure traffic storm control on the following components under a VPLS bridge domain:

VPLS bridge domain ACs

VPLS bridge domain access PWs

Traffic Storm Control Thresholds

Traffic storm control thresholds are configured at a packet-per-second rate. A threshold is the number of packets of the specified traffic type that can pass on a port during a 1-second interval. Valid values for traffic storm control thresholds are integers from 1 to 160000. The maximum value would permit about 19 percent of bandwidth to pass per second on a 10-Gbps link, assuming a 1500-byte packet size.

Traffic Storm Control Drop Counters

Traffic storm control counts the number of packets dropped per port and traffic type. The drop counters are cumulative until you explicitly clear them. Use the show l2vpn bridge-domain detail and show l2vpn forwarding detail commands to see drop counts. Use the clear l2vpn forwarding counters command to clear drop counters.

How to Configure Traffic Storm Control

This section describes how to configure traffic storm control:

Enabling Traffic Storm Control on an AC under a Bridge

Enabling Traffic Storm Control on a PW under a Bridge

Clearing Traffic Storm Control Drop Counters

Enabling Traffic Storm Control on an AC under a Bridge

Perform this task to enable traffic storm control on an AC under a VPLS bridge. The following task shows how to enable traffic storm control on an AC that is a VLAN on an Ethernet interface.

Note To disable traffic storm control, navigate to the submode you were in when you enabled the feature, and issue the no form of the command.

SUMMARY STEPS

1. configure

2. l2vpn

3. bridge group bridge-group-name

4. bridge-domain bridge-domain-name

5. interface interface-name

6. storm-control {broadcast | multicast | unknown-unicast} pps packet-threshold

7. end
or
commit

8. show l2vpn bridge-domain bd-name bridge-name detail

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure

Example:

RP/0/0/CPU0:router# configure

Enters global configuration mode.

Step 2 

l2vpn

Example:

RP/0/0/CPU0:router(config)# l2vpn

RP/0/0/CPU0:router(config-l2vpn)#

Enters L2 VPN configuration mode.

Step 3 

bridge group bridge-group-name

Example:

RP/0/0/CPU0:router(config-l2vpn)# bridge group csco

RP/0/0/CPU0:router(config-l2vpn-bg)#

Enters L2 VPN bridge group configuration mode.

Step 4 

bridge-domain bridge-domain-name

Example:

RP/0/0/CPU0:router(config-l2vpn-bg)# bridge-domain abc

RP/0/0/CPU0:router(config-l2vpn-bg-bd)#

Enters L2 VPN bridge domain configuration mode.

Step 5 

interface interface-name

Example:

RP/0/0/CPU0:router(config-l2vpn-bg-bd)# interface GigabitEthernet0/1/0/0.100

RP/0/0/CPU0:router(config-l2vpn-bg-bd-ac)#

Names an AC under the bridge domain. In this case, the AC is a VLAN on an Ethernet interface.

Step 6 

storm-control {broadcast | multicast | unknown-unicast} pps packet-threshold

Example:

RP/0/0/CPU0:router(config-l2vpn-bg-bd-ac)# storm-control broadcast pps 4500

RP/0/0/CPU0:router(config-l2vpn-bg-bd-ac)#

storm-control multicast pps 500

RP/0/0/CPU0:router(config-l2vpn-bg-bd-ac)#

Enables traffic storm control on this interface for the specified traffic type. Repeat this command for each traffic type.

The packet-threshold is a packet per second rate and must be an integer between 1 and 160000. It specifies the number of packets that will be allowed to pass on the interface for the specified traffic type during a 1-second interval.

Step 7 

end

or

commit

Example:

RP/0/0/CPU0:router(config-l2vpn-bg-bd-ac)# end

or

RP/0/0/CPU0:router(config-l2vpn-bg-bd-ac)# commit

Saves configuration changes.

When you issue the end command, the system prompts you to commit changes: 

Uncommitted changes found, commit them 
before exiting(yes/no/cancel)? 
[cancel]:

Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.

Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.

Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.

Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Step 8 

show l2vpn bridge-domain bd-name bridge-name detail

Example:

RP/0/0/CPU0:router# show l2vpn bridge-domain bd-name abc detail

Displays storm control configuration.

Enabling Traffic Storm Control on a PW under a Bridge

Perform this task to enable traffic storm control on a pseudowire under a VPLS bridge.

Note To disable traffic storm control, navigate to the submode you were in when you enabled the feature, and issue the no form of the command.

SUMMARY STEPS

1. configure

2. l2vpn

3. bridge group bridge-group-name

4. bridge-domain bridge-domain-name

5. neighbor address pw-id id

6. storm-control {broadcast | multicast | unknown-unicast} pps packet-threshold

7. end
or
commit

8. show l2vpn bridge-domain bd-name bridge-name detail

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure

Example:

RP/0/0/CPU0:router# configure

Enters global configuration mode.

Step 2 

l2vpn

Example:

RP/0/0/CPU0:router(config)# l2vpn

RP/0/0/CPU0:router(config-l2vpn)#

Enters L2 VPN configuration mode.

Step 3 

bridge group bridge-group-name

Example:

RP/0/0/CPU0:router(config-l2vpn)# bridge group csco

RP/0/0/CPU0:router(config-l2vpn-bg)#

Enters L2 VPN bridge group configuration mode.

Step 4 

bridge-domain bridge-domain-name

Example:

RP/0/0/CPU0:router(config-l2vpn-bg)# bridge-domain abc

RP/0/0/CPU0:router(config-l2vpn-bg-bd)#

Enters L2 VPN bridge domain configuration mode.

Step 5 

neighbor address pw-id id

Example:

RP/0/0/CPU0:router(config-l2vpn-bg-bd)# neighbor 1.1.1.1 pw-id 100

RP/0/0/CPU0:router(config-l2vpn-bg-bd-pw)#

Names an access pseudowire under the bridge domain.

Note You cannot apply storm control on a forwarding PW (a PW under a VFI).

Step 6 

storm-control {broadcast | multicast | unknown-unicast} pps packet-threshold

Example:

RP/0/0/CPU0:router(config-l2vpn-bg-bd-pw)# storm-control broadcast pps 4500

RP/0/0/CPU0:router(config-l2vpn-bg-bd-pw)#

storm-control multicast pps 500

RP/0/0/CPU0:router(config-l2vpn-bg-bd-pw)#

Enables traffic storm control on this pseudowire for the specified traffic type. Repeat this command for each traffic type.

The packet-threshold is a packet per second rate and must be an integer between 1 and 160000. It specifies the number of packets that will be allowed to pass on the interface for the specified traffic type during a 1-second interval.

Step 7 

end

or

commit

Example:

RP/0/0/CPU0:router(config-l2vpn-bg-bd-pw)# end

or

RP/0/0/CPU0:router(config-l2vpn-bg-bd-pw)# commit

Saves configuration changes.

When you issue the end command, the system prompts you to commit changes: 

Uncommitted changes found, commit them 
before exiting(yes/no/cancel)? 
[cancel]:

Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.

Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.

Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.

Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Step 8 

show l2vpn bridge-domain bd-name bridge-name detail

Example:

RP/0/0/CPU0:router# show l2vpn bridge-domain bd-name csco detail

Displays storm control configuration settings for the named bridge domain. This command also displays the drop counter values for each configured storm control instance.

Clearing Traffic Storm Control Drop Counters

Perform this task to reset traffic storm control drop counters to zero.

SUMMARY STEPS

1. clear l2vpn forwarding counters

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

clear l2vpn forwarding counters

Example:

RP/0/0/CPU0:router# clear l2vpn forwarding counters

Clears l2vpn forwarding counters, including storm control drop counters.

Configuration Examples for Traffic Storm Control

This section includes the following configuration examples:

Configuring Traffic Storm Control on an AC: Example

Configuring Traffic Storm Control on an Access PW: Example

Configuring Traffic Storm Control on an AC: Example

The following example shows broadcast and multicast storm control configuration on an AC under a VPLS bridge. 

RP/0/RSP0/CPU0:router# show run 

[lines deleted]

bridge group 215

  bridge-domain 215

   mtu 9000

   interface GigabitEthernet0/1/0/3.215

    storm-control multicast pps 500

    storm-control broadcast pps 4500

   !

[lines deleted]

RP/0/RSP0/CPU0:router# show l2vpn bridge-domain bd-name 215 detail 

Bridge group: 215, bridge-domain: 215, id: 3, state: up, ShgId: 0, MSTi: 0

  MAC learning: enabled

  MAC withdraw: disabled

  Flooding:

    Broadcast & Multicast: enabled

    Unknown unicast: enabled

  MAC aging time: 300 s, Type: inactivity

  MAC limit: 4000, Action: none, Notification: syslog

  MAC limit reached: no

  Security: disabled

  Split Horizon Group: none

  DHCPv4 snooping: disabled

  IGMP Snooping profile: none

  Bridge MTU: 9000

  Filter MAC addresses:

  ACs: 2 (2 up), VFIs: 1, PWs: 1 (1 up)

  List of ACs:

    AC: GigabitEthernet0/1/0/3.215, state is up

      Type VLAN; Num Ranges: 1

     vlan ranges: [100, 100]

      MTU 9008; XC ID 0x440005; interworking none; MSTi 0 (unprotected)

      MAC learning: enabled

      Flooding:

        Broadcast & Multicast: enabled

        Unknown unicast: enabled

      MAC aging time: 300 s, Type: inactivity

      MAC limit: 4000, Action: none, Notification: syslog

      MAC limit reached: no

      Security: disabled

      Split Horizon Group: none

      DHCPv4 snooping: disabled

      IGMP Snooping profile: none

      Storm Control:

       Broadcast: enabled(4500)

       Multicast: enabled(500)

       Unknown unicast: disabled

      Static MAC addresses:

      Statistics:

        packet totals: receive 36728, send 31

        byte totals: receive 2791284, send 2318

        Storm control drop counters: 

          packet totals: broadcast 0, multicast 0, unknown unicast 0 

          byte totals: broadcast 0, multicast 0, unknown unicast 0 

[lines deleted]

Configuring Traffic Storm Control on an Access PW: Example

The following example shows broadcast and multicast storm control configuration on an access PW under a VPLS bridge. 

RP/0/RSP0/CPU0:router# show run 

l2vpn

 bridge group bg_storm_pw

  bridge-domain bd_storm_pw

   interface Bundle-Ether101

   !

   neighbor 10.10.30.30 pw-id 1

    storm-control unknown-unicast pps 120

    storm-control multicast pps 110

    storm-control broadcast pps 100

   !

  !

 !

!

RP/0/RSP0/CPU0:router# show l2vpn bridge-domain group bg_storm_pw detail

Bridge group: bg_storm_pw, bridge-domain: bd_storm_pw, id: 2, state: up, ShgId: 0, MSTi: 0

  MAC learning: enabled

  MAC withdraw: disabled

  Flooding:

    Broadcast & Multicast: enabled

    Unknown unicast: enabled

  MAC aging time: 300 s, Type: inactivity

  MAC limit: 4000, Action: none, Notification: syslog

  MAC limit reached: no

  Security: disabled

  Split Horizon Group: none

  DHCPv4 snooping: disabled

  IGMP Snooping profile: none

  Bridge MTU: 1500

  Filter MAC addresses:

  ACs: 1 (1 up), VFIs: 0, PWs: 1 (1 up)

  List of ACs:

    AC: Bundle-Ether101, state is up

      Type Ethernet

      MTU 1500; XC ID 0xfffc0003; interworking none

      MAC learning: enabled

      Flooding:

        Broadcast & Multicast: enabled

        Unknown unicast: enabled

      MAC aging time: 300 s, Type: inactivity

      MAC limit: 4000, Action: none, Notification: syslog

      MAC limit reached: no

      Security: disabled

      Split Horizon Group: none

      DHCPv4 snooping: disabled

      IGMP Snooping profile: none

      Storm Control: disabled

      Static MAC addresses:

      Statistics:

        packets: received 0, sent 5205

        bytes: received 0, sent 645420

      Storm control drop counters: 

        packets: broadcast 0, multicast 0, unknown unicast 0 

        bytes: broadcast 0, multicast 0, unknown unicast 0 

  List of Access PWs:

    PW: neighbor 10.10.30.30, PW ID 1, state is up ( established )

      PW class not set, XC ID 0xfffc0006

      Encapsulation MPLS, protocol LDP

      PW type Ethernet, control word disabled, interworking none

      PW backup disable delay 0 sec

      Sequencing not set

    PW Status TLV in use

        MPLS         Local                          Remote                        

        ------------ ------------------------------ ---------------------------

        Label        16001                          16001                         

        Group ID     0x2                            0x2                           

        Interface    Access PW                      Access PW                     

        MTU          1500                           1500                          

        Control word disabled                       disabled                      

        PW type      Ethernet                       Ethernet                      

        VCCV CV type 0x2                            0x2                           

                     (LSP ping verification)        (LSP ping verification)       

        VCCV CC type 0x6                            0x6                           

                     (router alert label)           (router alert label)          

                     (TTL expiry)                   (TTL expiry)                  

        ------------ ------------------------------ ---------------------------

      Incoming Status (PW Status TLV):

        Status code: 0x0 (Up) in Notification message

      Outgoing Status (PW Status TLV):

        Status code: 0x0 (Up) in Notification message

      Create time: 16/12/2008 00:06:08 (01:00:22 ago)

      Last time status changed: 16/12/2008 00:35:02 (00:31:28 ago)

        MAC withdraw message: send 0 receive 0

      Static MAC addresses:

      Statistics:

        packets: received 0, sent 0

        bytes: received 0, sent 0

      Storm control drop counters: 

        packets: broadcast 0, multicast 0, unknown unicast 0 

        bytes: broadcast 0, multicast 0, unknown unicast 0 

      MAC learning: enabled

      Flooding:

        Broadcast & Multicast: enabled

        Unknown unicast: enabled

      MAC aging time: 300 s, Type: inactivity

      MAC limit: 4000, Action: none, Notification: syslog

      MAC limit reached: no

      Security: disabled

      Split Horizon Group: none

      DHCPv4 snooping: disabled

      IGMP Snooping profile: none

      Storm Control:

       Broadcast: enabled(100)

       Multicast: enabled(110)

       Unknown unicast: enabled(120)

Additional References

For additional information related to implementing traffic storm control, refer to the following references.

Related Documents

Related Topic
Document Title

MPLS Layer 2 VPNs

Implementing MPLS Layer 2 VPNs on Cisco ASR 9000 Series Routers module in the Cisco ASR 9000 Aggregation Services Router MPLS Configuration Guide

MPLS VPLS bridges

Implementing Virtual Private LAN Services on Cisco ASR 9000 Series Routers module in the Cisco ASR 9000 Aggregation Services Router MPLS Configuration Guide

Getting started material

Cisco ASR 9000 Aggregation Services Router Getting Started Guide


Standards

Standards1
Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.

1 Not all supported standards are listed.


MIBs

MIBs
MIBs Link

To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml


RFCs

RFCs
Title

No new or modified RFCs are supported, and support for existing RFCs has not been modified.


Technical Assistance

Description
Link

The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.

http://www.cisco.com/techsupport