Allied Telesis Layer 3 Switches manual Bandwidth limiting

Protecting the network

Service providers need to prevent storms from disrupting services to customers. AlliedWare offers the following options for mitigating storms:

- limiting broadcasts and multicasts on a port (“Bandwidth limiting” on page 4)

- detecting a storm and disabling that port or VLAN (“Using QoS policy-based storm protection” on page 5)

Bandwidth limiting

ARP packets are the most frequent trigger for broadcast storms. One ARP packet is flooded around and around a network, crowding out all other traffic.

You can use a simple Quality of Service (QoS) configuration to match ARP packets and make sure that when a broadcast storm occurs, the effect is minimised.

Products

All switches listed on page 2

Software Versions

All

[Figure: secure-switch-bandwidth.eps. Two diagrams of an ISP switch with a misconfigured port sending a flood of ARPs to a customer switch on port 48. Top diagram: “When ISP switch has no bandwidth control”. Bottom diagram: “When ISP switch has bandwidth limiting”.]

Configuration

To limit the bandwidth for ARPs:

1. Create a classifier to match ARP packets.

2. Create a QoS framework of policy, traffic class, and flow group. In the traffic class settings, specify the maximum bandwidth for ARP traffic.

3. Apply the policy—and therefore the bandwidth limit—to one or more ports.

Example

The following configuration limits ARP packets to 100 kbps on port 48.

create classifier=1 protocol=0806 ethformat=ethii-untagged
create qos policy=1
create qos trafficclass=1 maxbandwidth=100
create qos flowgroup=1
add qos policy=1 trafficclass=1
add qos trafficclass=1 flowgroup=1
add qos flowgroup=1 classifier=1
set qos port=48 policy=1
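The following Python model is an added example; it is not part of this Allied Telesis document and is not AlliedWare code. It reproduces the three pieces of the configuration above in software so their behaviour can be checked offline: a classifier that matches untagged Ethernet II frames with EtherType 0x0806, a traffic class that caps matched frames at 100 kbps, and a port that forwards everything else untouched. The enforcement model (a token bucket with a constructed burst allowance of 1280 bytes), the frame sizes and the arrival timing are all assumptions made for the example, not facts taken from the page.

```python
# Added example (not AlliedWare code): software model of classifier 1,
# traffic class 1 (maxbandwidth=100 kbit/s) and policy 1 applied to a port,
# driven by constructed traffic that includes an ARP storm.
import struct

ETHERTYPE_ARP = 0x0806   # classifier protocol=0806
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100  # 802.1Q tag; such a frame is not "ethii-untagged"
ARP_LIMIT_KBPS = 100     # trafficclass maxbandwidth=100 (kbit/s)


def classify_arp_untagged(frame: bytes) -> bool:
    """Classifier 1: an untagged Ethernet II frame whose EtherType is 0x0806.

    A VLAN-tagged frame carries 0x8100 at offset 12 (the real EtherType sits
    four bytes later), so it does not match this classifier.
    """
    if len(frame) < 14:
        return False
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return ethertype == ETHERTYPE_ARP


class TokenBucket:
    """Assumed enforcement model for maxbandwidth: a bucket refilled at the
    configured rate with a burst allowance of `burst_bytes` (constructed).
    Integer microsecond timestamps keep the arithmetic exact."""

    def __init__(self, rate_kbps: int, burst_bytes: int):
        self.rate_bytes_per_s = rate_kbps * 1000 // 8  # 100 kbps -> 12500 B/s
        self.capacity = burst_bytes
        self.tokens = burst_bytes
        self.last_us = 0

    def admit(self, nbytes: int, now_us: int) -> bool:
        elapsed = now_us - self.last_us
        self.last_us = now_us
        refill = elapsed * self.rate_bytes_per_s // 1_000_000
        self.tokens = min(self.capacity, self.tokens + refill)
        if nbytes <= self.tokens:
            self.tokens -= nbytes
            return True
        return False


def build_frame(ethertype: int, payload_len: int, tagged: bool = False) -> bytes:
    """Constructed frame: broadcast dst, fixed src, optional 802.1Q tag (VID 100)."""
    dst = b"\xff" * 6
    src = b"\x00\x11\x22\x33\x44\x55"
    if tagged:
        header = dst + src + struct.pack("!HHH", ETHERTYPE_VLAN, 100, ethertype)
    else:
        header = dst + src + struct.pack("!H", ethertype)
    return header + b"\x00" * payload_len


def build_storm_traffic() -> list:
    """One second of constructed traffic arriving at port 48:
    - a storm of 64-byte untagged ARP frames every 1.28 ms (400 kbit/s offered),
    - a 1514-byte IPv4 frame every 10 ms (customer traffic that must survive),
    - a VLAN-tagged ARP frame every 100 ms (not matched by classifier 1)."""
    arp = build_frame(ETHERTYPE_ARP, 50)
    ip = build_frame(ETHERTYPE_IPV4, 1500)
    tagged_arp = build_frame(ETHERTYPE_ARP, 46, tagged=True)
    frames = [(us, arp) for us in range(0, 1_000_000, 1280)]
    frames += [(us, ip) for us in range(0, 1_000_000, 10_000)]
    frames += [(us, tagged_arp) for us in range(0, 1_000_000, 100_000)]
    return sorted(frames, key=lambda f: f[0])


def run_port(frames, limit_kbps=ARP_LIMIT_KBPS, burst_bytes=1280) -> dict:
    """Apply policy 1 to a port: frames matched by classifier 1 go through the
    traffic-class limiter; everything else is forwarded untouched.
    limit_kbps=None models the 'no bandwidth control' diagram."""
    bucket = TokenBucket(limit_kbps, burst_bytes) if limit_kbps else None
    stats = {"arp_forwarded": 0, "arp_dropped": 0, "other_forwarded": 0}
    for ts_us, frame in frames:
        if not classify_arp_untagged(frame):
            stats["other_forwarded"] += 1
        elif bucket is None or bucket.admit(len(frame), ts_us):
            stats["arp_forwarded"] += 1
        else:
            stats["arp_dropped"] += 1
    return stats


if __name__ == "__main__":
    traffic = build_storm_traffic()
    print("no bandwidth control:", run_port(traffic, limit_kbps=None))
    print("bandwidth limiting:  ", run_port(traffic))
```

With the limit in place the model forwards roughly 100 kbps of ARP (plus the initial burst) and drops the rest, while every IPv4 frame is still forwarded. Two points worth checking on a real deployment follow directly from the model: the customer's own traffic is never touched by the limiter, because only frames matched by the classifier enter the traffic class, and VLAN-tagged ARP frames are forwarded unlimited, because the classifier as written matches untagged Ethernet II frames only; a port carrying tagged VLANs would need an additional classifier for tagged frames.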

Create A Secure Network With Allied Telesis Managed Layer 3 Switches

4
