Allied Telesis Layer 3 Switches manual Protecting against rapid MAC movement

Page 6

Protecting the network

Example: The following example applies storm protection to classified broadcast traffic on port 1. If there is a storm, it takes the link down for 60 seconds.

set switch enhancedmode=qoscounters

Reboot after turning on enhanced mode.

create classifier=1 macdaddr=ff-ff-ff-ff-ff-ff

create qos trafficclass=1 stormstatus=enable stormwindow=100 stormrate=100 stormaction=linkdown stormtimeout=60

The rest of the QoS configuration is as normal, so:

create qos flowgroup=1

add qos flowgroup=1 classifier=1

add qos trafficclass=1 flowgroup=1

create qos policy=1

add qos policy=1 trafficclass=1

set qos port=1 policy=1

You can view matching traffic at the port level with the command:

show qos port=1 count trafficclass

Protecting against rapid MAC movement

Rapid MAC movement protection detects excessive MAC address learning on a specific switch port. Once excessive learning is detected, the switch stops learning MAC addresses via the affected port.

Rapid MAC movement mostly occurs because of a broadcast storm, when one packet is storming around a layer 2 network. Rapid MAC movement protection is simpler to configure than QoS policy-based storm protection but is not guaranteed to stop all the varieties of broadcast storm.

Products

AT-8948

x900-48 Series

AT-9900 Series

AT-9924Ts

x900-24 Series

Software Versions

2.8.1 and later

Configuration on one or more ports

Rapid MAC movement protection is on by default. The default action is to disable learning for 1 second. This gives the CPU of the switch some idle time, which may let a fast STP-type protocol converge. You can change the amount of idle time to suit your network, or select a different action.

To customise the protection:

1. Set the parameters in the following command:

set switch port=<ports> thrashaction={learndisable|linkdown|none|portdisable|vlandisable} thrashtimeout={none|1..86400} vlanstatustrap={on|off}

The parameter thrashaction specifies the switch’s response to rapid MAC movement:

- learndisable makes the switch temporarily disable learning on the port.

- linkdown makes the switch physically disable the port, so that the link goes down.

- portdisable makes the switch logically disable the port, leaving the link up.

- vlandisable makes the switch block traffic on only the VLAN on which the rapid learning occurred.
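Because rapid MAC movement protection is on by default, the setting most worth checking in a saved configuration is whether someone has switched it off (thrashaction=none) or given it a timeout outside the documented range. The script below is an added example, not Allied Telesis code: it parses only the set switch port command documented above, using the parameter names and value ranges from that syntax. The port-range notation 1-4,7 and the sample configuration text are assumptions constructed for this example.

```python
"""Audit a saved AlliedWare configuration for ports whose rapid MAC movement
(thrashing) protection has been weakened or disabled.

Added example, not Allied Telesis code. It parses only the
`set switch port=<ports> thrashaction=... thrashtimeout=...` command from
the manual; the port-range syntax `1-4,7` is an assumption, as is the
sample configuration, which is constructed for this example.
"""
import re

# Values taken from the documented command syntax.
VALID_ACTIONS = {"learndisable", "linkdown", "none", "portdisable", "vlandisable"}
TIMEOUT_MIN, TIMEOUT_MAX = 1, 86400

# Constructed sample of a saved configuration (not from a real device).
SAMPLE_CONFIG = """\
set switch port=1-4 thrashaction=linkdown thrashtimeout=300 vlanstatustrap=on
set switch port=5 thrashaction=none
set switch port=6-8 thrashaction=learndisable thrashtimeout=90000
set switch port=9,11 thrashaction=vlandisable thrashtimeout=none
set qos port=1 policy=1
"""

SET_PORT_RE = re.compile(r"^\s*set\s+switch\s+port=(\S+)(.*)$", re.IGNORECASE)
PARAM_RE = re.compile(r"(\w+)=(\S+)")


def expand_ports(spec):
    """Expand '1-4,7' into [1, 2, 3, 4, 7] (assumed range syntax)."""
    ports = []
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            ports.extend(range(int(lo), int(hi) + 1))
        else:
            ports.append(int(part))
    return ports


def parse_thrash_settings(config_text):
    """Return {port: {'thrashaction': ..., 'thrashtimeout': ...}} for every
    'set switch port' line that carries a thrash* parameter. Later lines
    for the same port override earlier ones, as they would on the device."""
    settings = {}
    for line in config_text.splitlines():
        m = SET_PORT_RE.match(line)
        if not m:
            continue
        params = {k.lower(): v.lower() for k, v in PARAM_RE.findall(m.group(2))}
        thrash = {k: v for k, v in params.items() if k.startswith("thrash")}
        if not thrash:
            continue
        for port in expand_ports(m.group(1)):
            settings.setdefault(port, {}).update(thrash)
    return settings


def audit_thrash_settings(settings):
    """Return a list of (port, finding) for disabled or invalid settings."""
    findings = []
    for port in sorted(settings):
        action = settings[port].get("thrashaction")
        timeout = settings[port].get("thrashtimeout")
        if action is not None and action not in VALID_ACTIONS:
            findings.append((port, f"unknown thrashaction '{action}'"))
        elif action == "none":
            findings.append((port, "rapid MAC movement protection disabled (thrashaction=none)"))
        # 'none' is a documented timeout value; anything else must be 1..86400.
        if timeout is not None and timeout != "none":
            if not timeout.isdigit() or not TIMEOUT_MIN <= int(timeout) <= TIMEOUT_MAX:
                findings.append((port, f"thrashtimeout '{timeout}' outside {TIMEOUT_MIN}..{TIMEOUT_MAX}"))
    return findings


if __name__ == "__main__":
    for port, finding in audit_thrash_settings(parse_thrash_settings(SAMPLE_CONFIG)):
        print(f"port {port}: {finding}")
```

Run against the constructed sample, the audit reports port 5 (protection disabled) and ports 6 to 8 (timeout above 86400); ports 1 to 4, 9 and 11 pass. Lines that do not configure thrash parameters, such as the QoS line, are ignored.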

Create A Secure Network With Allied Telesis Managed Layer 3 Switches

