Storm Control on S5700LI, UNK. UNICAST

Created Dec 24, 2015 17:49:22 | Latest reply Jan 04, 2016 21:16:41 | 2666 7 0 0

Hi everyone

I hope you are all doing well.
I tried to implement storm-control on my S5700LI switch. Broadcast and multicast do work, but unicast gives me a headache... Is it possible that "unicast" in the LI series refers to ALL unicast traffic and not only UNKNOWN unicast?

As soon as I start a large file transfer it blocks my port.

Maybe the LI switches are different?


lizhuzhu     Created Dec 25, 2015 11:47:54 Helpful(0)

storm-control unicast is only for UNKNOWN UNICAST.


edv_tj     Created Dec 29, 2015 21:26:18 Helpful(0)

Hi lizhuzhu

I tested it with my S5700-10P-LI-AC, only the switch, L2, no router or anything else in between.

I set storm-control unicast min-rate 500 max-rate 1500 on the switch ports between a client and a server, both running Windows.

And it seems the unicast setting has an effect on KNOWN unicast packets, because after 1-2 s the file transfer (via SMB) stops and the ports get blocked by storm-control!

Strange. And I see no splatter on the other ports in the same VLAN, which should happen if it was unknown unicast...


edv_tj     Created Dec 29, 2015 22:26:30 Helpful(0)

OK, so now I tested s5700-10p-li-v200r008c00spc500

The interfaces for the client (GE0/0/1) and the server (GE0/0/2) look like this (both are in VLAN 1):

interface GigabitEthernet0/0/1
port link-type access
stp edged-port enable
port link-flap protection enable
storm-control unicast min-rate 500 max-rate 1500
storm-control action error-down
storm-control enable log

As soon as I start a file copy (ISO-file) storm-control kicks in and kills both ports, it logs everything.

I have connected Wireshark on a passive NIC to GE0/0/7, just to see what happens. I see some (only 4-5) SMB packets that get splattered onto GE0/0/7; they should not be there. It seems to happen shortly AFTER storm-control kicks in. But as I said: 4-5 packets, nothing big.

I am really wondering... The NICs, btw, are Intel Pro 1000 CT, so not the worst NICs I think...


who_knows  Mentor   Created Dec 30, 2015 10:05:34 Helpful(0)

When you transfer the file, use display mac-address to check whether the device learns the MAC address. BTW, storm-control takes effect in the inbound direction.

edv_tj     Created Dec 30, 2015 19:25:39 Helpful(0)

I will check everything again and tell you how it went :)

edv_tj     Created Jan 04, 2016 16:10:59 Helpful(0)

OK, here it is. Everything seems ok...but it does not work. Behaves like it blocks UNICAST in general.

<SWITCH>system
Enter system view, return user view with Ctrl+Z.
[SWITCH]display mac-address
-------------------------------------------------------------------------------
MAC Address    VLAN/VSI                          Learned-From        Type
-------------------------------------------------------------------------------
0015-1736-4074 1/-                               GE0/0/1             dynamic
001b-214d-d69c 1/-                               GE0/0/2             dynamic
04bd-70c4-0a2b 99/-                              GE0/0/9             dynamic

-------------------------------------------------------------------------------
Total items displayed = 3

[SWITCH]display arp
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE
                                          VLAN
------------------------------------------------------------------------------
169.254.1.10    04bd-70c4-09f0            I -  Vlanif1
169.254.163.220 0015-1736-4074  9         D-0  GE0/0/1
                                          1
169.254.50.246  001b-214d-d69c  9         D-0  GE0/0/2
                                          1
------------------------------------------------------------------------------
Total:3         Dynamic:2       Static:0     Interface:1
[SWITCH]
Oct 18 2008 23:13:46+01:00 SWITCH %%01ERRDOWN/4/ERRDOWN_DOWNNOTIFY(l)[0]:Notify interface to change status to error-down. (InterfaceName=GigabitEthernet0/0/2, Cause=storm-control)
[SWITCH]
Oct 18 2008 23:13:46+01:00 SWITCH %%01SECE/4/STORMCTRL_IF_ERROR_DOWN(l)[1]:Interface GigabitEthernet0/0/2 is error-down for storm-control.
[SWITCH]
Oct 18 2008 23:13:46+01:00 SWITCH %%01IFPDT/4/IF_STATE(l)[2]:Interface GigabitEthernet0/0/2 has turned into DOWN state.
[SWITCH]
Oct 18 2008 23:13:46+01:00 SWITCH ERRDOWN/4/ErrordownOccur:OID 1.3.6.1.4.1.2011.5.25.257.2.1 Error-down occured. (Ifindex=6, Ifname=GigabitEthernet0/0/2, Cause=storm-control)
[SWITCH]
Oct 18 2008 23:13:49+01:00 SWITCH %%01ERRDOWN/4/ERRDOWN_DOWNNOTIFY(l)[3]:Notify interface to change status to error-down. (InterfaceName=GigabitEthernet0/0/1, Cause=storm-control)
[SWITCH]
Oct 18 2008 23:13:49+01:00 SWITCH %%01SECE/4/STORMCTRL_IF_ERROR_DOWN(l)[4]:Interface GigabitEthernet0/0/1 is error-down for storm-control.
[SWITCH]
Oct 18 2008 23:13:49+01:00 SWITCH %%01IFPDT/4/IF_STATE(l)[5]:Interface GigabitEthernet0/0/1 has turned into DOWN state.
[SWITCH]
Oct 18 2008 23:13:49+01:00 SWITCH ERRDOWN/4/ErrordownOccur:OID 1.3.6.1.4.1.2011.5.25.257.2.1 Error-down occured. (Ifindex=5, Ifname=GigabitEthernet0/0/1, Cause=storm-control)
[SWITCH]

[SWITCH-GigabitEthernet0/0/1]display this include-default
#
interface GigabitEthernet0/0/1
negotiation auto
auto speed 10 100 1000
auto duplex half full
undo energy-efficient-ethernet enable
mdi auto
undo flow-control negotiation
undo flow-control
undo port-auto-sleep enable
undo loopback
description Kassen-PC
undo shutdown
enable snmp trap updown
undo set flow-stat interval
undo arp detect-mode unicast
arp-fake expire-time 3
port link-type access
undo port vlan-mapping ingress
undo vcmp disable
undo mac-address learning disable
port priority 0
port default vlan 1
qinq protocol 8100
undo port negotiation disable
undo loopback-detect enable
stp enable
undo stp config-digest-snoop
undo stp no-agreement-check
undo stp root-protection
undo stp loop-protection
stp edged-port enable
stp point-to-point auto
stp compliance auto
stp instance 0 port priority 128
undo mac-vlan enable
undo ip-subnet-vlan enable
undo arp validate source-mac destination-mac
undo rmon-statistics
undo smart-link flush receive
stp vlan 1 to 4094 port priority 128
undo mac-forced-forwarding network-port
ntdp enable
ndp enable
bpdu enable
undo portal local-server anonymous
undo portal local-server enable
undo dot1x mac-bypass mac-auth-first
undo dot1x enable
dot1x max-user 1024
dot1x port-control auto
dot1x port-method mac
undo dot1x unicast-trigger
undo dot1x reauthenticate
undo authentication critical eapol-success
authentication max-reauth-req 20
undo mac-authen
mac-authen max-user 1024
mac-authen reauthenticate
undo authentication open
lldp enable
lldp dot3-tlv power 802.1ab
lldp tlv-enable basic-tlv all
lldp tlv-enable dot1-tlv protocol-vlan-id
lldp tlv-enable dot1-tlv port-vlan-id
lldp tlv-enable dot1-tlv vlan-name
undo lldp tlv-enable dot1-tlv protocol-identity
lldp tlv-enable med-tlv network-policy voice-vlan 8021p cos 5 dscp 46
undo lldp tlv-enable med-tlv location-id
lldp tlv-enable med-tlv all
lldp tlv-enable dot3-tlv all
undo lldp compliance cdp txrx
undo lldp compliance cdp receive
sflow counter-sampling interval 10
sflow flow-sampling inbound
sflow flow-sampling outbound
sflow flow-sampling rate 2048
sflow flow-sampling max-header 128
undo port-security enable
undo port bridge enable
undo port-isolate enable
undo ip error-packet-check disable
undo port discard tagged-packet
mac-address flapping action priority 127
undo mac-address flapping action error-down
undo mac-address flapping action quit-vlan
undo mac-address trap notification
jumboframe enable 9216
set flow-statistics include-interframe
trap-threshold input-rate 80 resume-rate 80
trap-threshold output-rate 80 resume-rate 80
log-threshold input-rate 80 resume-rate 80
log-threshold output-rate 80 resume-rate 80
trap-threshold error-statistics 3 interval 10
undo error-statistics threshold-event trigger error-down
undo log-threshold input-discard
undo log-threshold output-discard
carrier up-hold-time 2000
carrier down-hold-time 0
port link-flap protection enable
port link-flap interval 10
port link-flap threshold 5
undo arp anti-attack rate-limit enable
undo arp anti-attack check user-bind enable
undo ip source check user-bind enable
undo user-bind ip sticky-mac
storm-control unicast min-rate 500 max-rate 1500
storm-control interval 5
storm-control action error-down
storm-control enable log
undo broadcast-suppression block outbound
undo multicast-suppression block outbound
undo unicast-suppression block outbound
#

I really don't know what goes wrong here...


edv_tj     Created Jan 04, 2016 21:16:41 Helpful(0)

I can answer this question now. Read page 226 of the S-Series Configuration Guide - Security for V200R007:

Step 3 Run:
storm-control { broadcast | multicast | unicast } min-rate min-rate-value max-rate max-rate-value
or
storm-control { broadcast | multicast | unicast } min-rate cir min-rate-value-cir max-rate cir max-rate-value-cir
or
storm-control { broadcast | multicast | unicast } min-rate percent min-rate-value-percent max-rate percent max-rate-value-percent
Storm control is performed on broadcast packets, multicast packets, or unknown unicast packets on the interface.

NOTE
After the
storm-control unicast min-rate min-rate-value max-rate max-rate-value,
storm-control unicast min-rate cir min-rate-value-cir max-rate cir max-rate-value-cir
or storm-control unicast min-rate percent min-rate-value-percent max-rate percent max-rate-value-percent command is executed,
the device suppresses both unknown and known unicast packets.

Somehow, this is very unclear...
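The practical consequence of that NOTE is worth spelling out with a configuration. The thresholds in the thread are packet rates: 1500 pps of maximum-size Ethernet frames (1518 bytes) is only about 18 Mbit/s, while a gigabit SMB copy runs at roughly 80,000 pps, so known unicast from a single legitimate file copy crosses max-rate well inside one 5-second interval, and with storm-control action error-down the switch takes the port (here both ports of the flow, as the ERRDOWN logs above show) offline until someone intervenes. The following is an added example, not a configuration from the thread or from the Huawei guide. The interface name, thresholds and the recovery interval are assumptions for illustration; lines starting with # are annotations, not commands; and the scope of unicast-suppression (whether it counts only unknown unicast on a given release) and the undo/display forms marked as assumed should be checked against the configuration guide for your own release before use.

```text
# As posted in the thread: storm-control unicast counts known unicast too
# (per the quoted NOTE), so a gigabit SMB copy trips max-rate 1500 pps within
# one 5 s interval and error-down takes the access port offline.
interface GigabitEthernet0/0/1
 port link-type access
 stp edged-port enable
 storm-control unicast min-rate 500 max-rate 1500
 storm-control interval 5
 storm-control action error-down
 storm-control enable log

# Alternative: rate-limit only broadcast and multicast with storm-control,
# handle unknown unicast with traffic suppression, and block the offending
# traffic class instead of shutting down the port.
interface GigabitEthernet0/0/1
 undo storm-control unicast                       # assumed undo form; verify
 storm-control broadcast min-rate 500 max-rate 1500
 storm-control multicast min-rate 500 max-rate 1500
 storm-control interval 5
 storm-control action block                       # drop the excess class, keep the link up
 storm-control enable log
 storm-control enable trap
 unicast-suppression 10                           # assumption: percent form, unknown unicast only on this release; verify
 quit

# If error-down must stay (for example by policy), let the port recover on its
# own instead of requiring a manual shutdown / undo shutdown on every event.
error-down auto-recovery cause storm-control interval 60

# Verification, using the commands from the thread plus the storm-control view:
display mac-address                               # both hosts learned dynamically => the SMB flow is known unicast
display storm-control interface GigabitEthernet 0/0/1
display error-down recovery                       # assumed: lists interfaces waiting for auto-recovery
```

The design point is separation of concerns: storm-control limits flooded traffic classes (broadcast, multicast) and blocks rather than shuts, so a burst from one host cannot take a port down in this way, while unknown-unicast flooding is handled by traffic suppression. Whatever combination is chosen, repeat the test from the thread (a large file copy between two hosts whose MAC addresses appear in display mac-address) before rolling the template out to every access port.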

