
Managing Excessive Port Link Flaps
Starting with the NetVisor OS 7.1.0 release, NetVisor monitors link flapping on the physical ports of a switch. If configured to do so, it automatically disables the ports that exceed the flap threshold within a defined period of time (window) and later re-enables them.
This feature is available on the following platforms:
- NRU02
- NRU03
- NRU-S0301
Note: This feature affects all the physical ports on the switch.
Previously, NetVisor supported automatic error disabling of ports for BPDU guard and MAC-limit violations by using the err-disable-modify command. For details, refer to the Configuring Auto-Recovery of a Disabled Port section in the Configuring Layer 2 Features chapter of the NetVisor OS Configuration Guide. From NetVisor version 7.1.0 onward, automatic detection of link-flap violations is also available. You can verify the status by checking the err-disabled status flag.
You can re-enable an err-disabled port manually by using the port-config-modify command, or the port can be recovered automatically if the recovery-timer option (for link-flap) is configured in the err-disable-modify command.
Prior to enabling the link-flap error disable condition on a switch, you must configure the link-flap parameters, such as the maximum allowed flap count and the action to be taken during a link-flap violation, on a switch-wide basis (that is, the same configuration applies to all physical ports in a switch).
To configure the link-flap parameters, use the command:
CLI (network-admin@nvos-switch) > linkflap-modify
linkflap-modify
  Modifies the link-flap settings on the ports in a switch.
Specify one or more of the following options:
- linkflap-count 5..100
  The maximum threshold for link-flaps within a specified time window period. The default link-flap count is 5.
- linkflap-action log|err-disable
  The action to be taken when there is a link-flap violation on any physical port. The default action is to generate a log event.
Note: By default, NetVisor monitors the link-flap count violation every 20 seconds.
Below is a sample configuration:
CLI (network-admin@nvos-switch) > linkflap-modify linkflap-count 10 linkflap-action err-disable
CLI (network-admin@nvos-switch) > linkflap-show
switch: nvos-switch
linkflap-count: 10
linkflap-action: err-disable
With the above configuration, any physical port in the switch that sees 10 or more link-flaps within the preceding 20-second window is automatically disabled and marked with the err-disable status in addition to the generic disable status flags. The port status can be verified using the port-show port <port-num> command.
Further, if you configure auto-recovery using the err-disable-modify command, then the port gets re-enabled after the configured recovery timer expires. However, if the auto-recovery from link-flaps is disabled (default setting), then you should enable the port manually using the port-config-modify port <port-num> enable command. To configure auto-recovery from link-flap error disable condition on a switch, use the command:
CLI (network-admin@nvos-switch) > err-disable-modify
err-disable-modify
  Modifies the port recovery settings on the switch.
- linkflap|no-linkflap
  Specify one of the options to enable or disable recovery for link-flap errors.
- recovery-timer duration: #d#h#m#s
  Specify the global recovery time (in days, hours, minutes, or seconds). The default timer value is 5 minutes. Example: 20s or 1d or 10d20m3h15s
Note: The recovery-timer option is global to all the features that are enabled using the err-disable-modify command. That is, if you configure recovery-timer option, then the timer is applied for BPDU guard, MAC-limit, and link-flap violation detection.
Below is an example to enable auto-recovery of the port from link-flap err-disable state:
CLI (network-admin@nvos-switch) > err-disable-modify linkflap recovery-timer 5m
To view the error recovery settings, use the command:
CLI (network-admin@nvos-switch) > err-disable-show
switch: nvos-switch
bpduguard: off
macsecurity: off
linkflap: on
recovery-timer: 5m
With the above configuration, any physical port in the switch that gets err-disabled due to link-flap violation is automatically re-enabled after 5 minutes.
By default, NetVisor generates a system log alert when the link-flap count exceeds the threshold on a port. You can view the log alert using the log-system-show command. Below is a sample format of the log alert:
system linkflap_th_exceeded_disable(11554) : event-type=port : <linkflap-count (5)> or more link flaps seen on port=29 in last <linkflap-window (20s)>.
When the port gets disabled, the log alert is in the following format:
system linkflap_th_exceeded_disable(11555) : event-type=port : <linkflap-count (5)> or more link flaps seen on port=29 in last <linkflap-window (20s)>, port is disabled.
Consider an example of two ports 77 and 113 that could experience link-flap violations:
View the port details using the port-show command:
CLI (network-admin@nvos-switch) > port-show port 77,113 layout vertical
switch: nvos-switch
port: 77
bezel-port: 20
ip: 169.x.x.x
mac: aa:bb:cc:dd:ee:ff
status: up,PN-switch,PN-other,STP-BPDUs,LLDP,vlan-up
config: fd,100g
port: 113
bezel-port: 29
ip: 192.x.0x.x
mac: aa:bb:94cc:dd:ee:fa
status: up,PN-switch,PN-other,STP-BPDUs,LLDP,vlan-up
config: fd,100g
When a link-flap violation occurs, the ports get err-disabled and are later re-enabled by this feature (if auto-recovery is enabled). This can be confirmed using the port-show command:
CLI (network-admin@nvos-switch) > port-show port 77,113
port bezel-port status                     config  recover-time
---- ---------- -------------------------- ------- ------------
77   20         disabled,LLDP,err-disabled fd,100g 5m
113  29         disabled,err-disabled      100g    5m
However, if the auto-recovery feature was not enabled (default) for link flaps, the recovery timer does not get started and you have to manually enable the err-disabled ports using the port-config-modify command as below:
CLI (network-admin@nvos-switch) > port-show port 77,113
port bezel-port status                     config
---- ---------- -------------------------- -------
77   20         disabled,LLDP,err-disabled fd,100g
113  29         disabled,err-disabled      100g
CLI (network-admin@nvos-switch) > port-config-modify port 77,113 enable
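Because err-disable is also used for BPDU guard and MAC-limit violations, the err-disabled flag alone does not say why a port went down. The following Python script is an added example, not NetVisor code: it correlates the link-flap log alerts with port-show output and separates ports that show a recovery timer from those that need port-config-modify. The function names, the alert lines and port 40 are constructed for illustration, and the alert wording assumes the placeholders in the sample format are replaced by actual values.

```python
import re

# Both sample alerts on the page share one event name; the code and suffix differ.
ALERT_RE = re.compile(r"linkflap_th_exceeded\w*\((\d+)\)\s*:\s*event-type=port\s*:.*?\bport=(\d+)")

def parse_alerts(lines):
    """Map port -> True if any link-flap alert reports that the port was disabled."""
    seen = {}
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            port = int(m.group(2))
            disabled = m.group(1) == "11555" or "port is disabled" in line
            seen[port] = seen.get(port, False) or disabled
    return seen

def parse_port_show(text):
    """Map port -> (status flags, recover-time or None); assumes no empty middle cells."""
    header, rows = None, {}
    for line in text.splitlines():
        cols = line.split()
        if cols and cols[0] == "port":
            header = cols
        elif header and cols and cols[0].isdigit():
            row = dict(zip(header, cols))
            rows[int(row["port"])] = (set(row["status"].split(",")), row.get("recover-time"))
    return rows

def triage(alert_lines, port_show_text):
    """Group ports named in link-flap alerts by the follow-up they need."""
    ports = parse_port_show(port_show_text)
    out = {"auto_recover": [], "manual_enable": [], "log_only": []}
    for port, disabled in sorted(parse_alerts(alert_lines).items()):
        status, recover = ports.get(port, (set(), None))
        confirmed = disabled and "err-disabled" in status
        key = ("auto_recover" if recover else "manual_enable") if confirmed else "log_only"
        out[key].append(port)
    return out

# Constructed sample input (alert wording assumes the page's placeholders are filled in).
ALERTS = [
    "system linkflap_th_exceeded_disable(11555) : event-type=port : 10 or more link flaps seen on port=77 in last 20s, port is disabled.",
    "system linkflap_th_exceeded_disable(11554) : event-type=port : 10 or more link flaps seen on port=40 in last 20s.",
]
PORT_SHOW = ("port bezel-port status config\n"
             "---- ---------- -------------------------- -------\n"
             "77 20 disabled,LLDP,err-disabled fd,100g\n"
             "113 29 disabled,err-disabled 100g")

print(triage(ALERTS, PORT_SHOW))
```

Port 113 is err-disabled in the sample table but has no link-flap alert, so it is left out of the result; its cause has to be established from the other err-disable features before it is re-enabled.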
SNMP Support
NetVisor provides SNMP trap support for this feature if the switch is configured to enable the link-flap violation detection.
Note: You must enable SNMP service and configure all SNMP parameters such as community strings and trap sink destinations prior to enabling the SNMP trap.
Note: The SNMP trap message is sent only when the excessive link flap action is configured as 'err-disable' (port is err-disabled).
To enable and view the trap details, use the commands:
CLI (network-admin@nvos-switch) > snmp-trap-enable-modify port-linkflap-threshold-exceed-event
CLI (network-admin@nvos-switch) > snmp-trap-enable-show
switch: nvos-switch
link-up-down: no
interface-up-down: no
default-monitors: no
physical-sensors: no
low-disk-space: no
low-disk-space-threshold: %
system-usage: no
high-system-usage-threshold: %
login-failure: no
cluster-tr-diverge: no
lacp-status: no
vport-modified: no
stp-port-modified: no
mirror-to-cpu: no
stp-port-state-failed: no
link-congestion-detected: no
fabric-node-state-changed: no
stp-new-root: no
stp-topology-changed: no
vrrp-new-master: no
disable-start-stop: no
cert-expiry: no
sysup-alert: no
port-oir-error-state: no
port-bw-threshold-exceed-event: no
port-linkflap-threshold-exceed-event: yes