Denial of Service Control Protection options

  • Updated 2 years ago

We have had a few times where a user has plugged a loop into the network via an unmanaged switch. This has caused the traffic to bleed into the WAN VLAN, affecting multiple sites. We have STP enabled, but it is not always effective. I just discovered the DOS-CONTROL setting in the B5 series switch that allows traffic matching the enabled rules to be dropped. I was looking for some experience on which to enable. Some of these seem like they could block legitimate traffic, like "TCP source port matches TCP destination port". Any help is appreciated.

Thomas Randolph

Posted 2 years ago

Erik Auerswald, Embassador

Hi Thomas,

A nice fail-safe mechanism for mitigating the effects of layer 2 loops is rate limiting of flooded traffic.

Simple one-shot command:
set port broadcast *.*.* 1000
You may want to adjust the numerical value, especially regarding WAN capacity.

To rate-limit multicast and unknown unicast as well you can use:
set cos port-resource flood-ctrl 0.0 broadcast rate 1000
set cos port-resource flood-ctrl 0.0 multicast rate 1000
set cos port-resource flood-ctrl 0.0 unicast rate 1000
set cos state enable
If you are using multicast applications, you might not want to limit multicast traffic (too much).

Erik
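As an added illustration of the rate-limiting approach above (this is not part of Erik's reply and not Extreme's software), the following Python script turns two snapshots of per-port ingress counters into broadcast and multicast packet rates, flags the ports exceeding the same 1000 pps figure, and converts a pps threshold into wire bandwidth so it can be compared with WAN capacity. Port names and counter values are constructed; in practice the snapshots would come from IF-MIB (ifHCInBroadcastPkts, ifHCInMulticastPkts) or the switch's port counter output. Only broadcast and multicast are evaluated because ingress counters do not separate unknown unicast from known unicast.

```python
"""Flood-rate check from two counter snapshots (constructed example)."""
from dataclasses import dataclass

# Ethernet preamble (8 bytes) plus inter-frame gap (12 bytes) consumed per frame on the wire.
PREAMBLE_AND_IFG_BYTES = 20


@dataclass(frozen=True)
class PortCounters:
    """Cumulative ingress packet counters for one port (constructed, not a real device)."""
    port: str
    broadcast: int
    multicast: int


def pps_to_bps(pps: float, frame_bytes: int) -> float:
    """Bandwidth in bit/s that `pps` frames of `frame_bytes` bytes occupy on the link.

    Useful for judging a pps threshold against WAN capacity: 1000 pps of 64-byte
    frames is about 0.67 Mbit/s, 1000 pps of 1518-byte frames about 12.3 Mbit/s.
    """
    return pps * (frame_bytes + PREAMBLE_AND_IFG_BYTES) * 8


def flood_rates(before, after, interval_s: float):
    """Per-port broadcast/multicast pps between two snapshots taken `interval_s` apart."""
    by_port = {c.port: c for c in before}
    rates = {}
    for a in after:
        b = by_port[a.port]  # KeyError if the port is missing from the first snapshot
        rates[a.port] = {
            "broadcast": (a.broadcast - b.broadcast) / interval_s,
            "multicast": (a.multicast - b.multicast) / interval_s,
        }
    return rates


def ports_over_threshold(rates, threshold_pps: float):
    """Ports whose broadcast or multicast rate exceeds the threshold, sorted by name."""
    return sorted(p for p, r in rates.items() if max(r.values()) > threshold_pps)


# Constructed snapshots 10 seconds apart. ge.1.2 has a loop behind an unmanaged
# switch; ge.1.3 carries a legitimate multicast application under the threshold.
SNAPSHOT_BEFORE = [
    PortCounters("ge.1.1", broadcast=1_000, multicast=400),
    PortCounters("ge.1.2", broadcast=2_000, multicast=500),
    PortCounters("ge.1.3", broadcast=300, multicast=90_000),
]
SNAPSHOT_AFTER = [
    PortCounters("ge.1.1", broadcast=1_050, multicast=420),
    PortCounters("ge.1.2", broadcast=302_000, multicast=60_500),
    PortCounters("ge.1.3", broadcast=310, multicast=98_000),
]
INTERVAL_S = 10
THRESHOLD_PPS = 1000  # same figure as the rate-limit commands above


def report(threshold_pps: float = THRESHOLD_PPS) -> str:
    """Human-readable summary of the constructed snapshots."""
    rates = flood_rates(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, INTERVAL_S)
    lines = [f"threshold {threshold_pps} pps = "
             f"{pps_to_bps(threshold_pps, 64) / 1e6:.2f} Mbit/s (64 B frames), "
             f"{pps_to_bps(threshold_pps, 1518) / 1e6:.2f} Mbit/s (1518 B frames)"]
    for port, r in sorted(rates.items()):
        lines.append(f"{port}: broadcast {r['broadcast']:.0f} pps, multicast {r['multicast']:.0f} pps")
    lines.append("over threshold: " + ", ".join(ports_over_threshold(rates, threshold_pps)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Run it twice a minute against real counters and the port with the loop stands out immediately, which also tells you whether the configured limit is actually being hit or is set too high for the WAN link in question.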
Mike D, Alum

Hello Thomas,
I think this DoS protection is strictly switch-host oriented. It looks like the perfect tool, but this host DoS mitigation won't protect against the condition described, where a user with an unmanaged switch wraps, loops or reflects traffic back into the network.

Regards,
Mike