Denial of Service Control Protection options

Thomas_Randolph
New Contributor
We have had a few times where a user has plugged a loop into the network via an unmanaged switch. This has caused the traffic to bleed into the WAN VLAN, affecting multiple sites. We have STP enabled, but it is not always effective. I just discovered the DOS-CONTROL setting in the B5 series switch that allows traffic matching the enabled rules to be dropped. I was looking for some experience on which to enable. Some of these seem like they could block legit traffic, like "TCP source port matches TCP destination port". Any help is appreciated.

2 REPLIES

Mike_D
Extreme Employee


Hello Thomas,
I think this DoS protection is strictly switch-host oriented. It looks like the perfect tool, but this host DoS mitigation won't protect against the condition described, where a user with an unmanaged switch wraps or loops or reflects traffic back into the network.

Regards,
Mike

Erik_Auerswald
Contributor II
Hi Thomas,

A nice fail-safe mechanism mitigating the effects of layer 2 loops is rate limiting for flooded traffic.

Simple one-shot command:
set port broadcast *.*.* 1000

You may want to adjust the numerical value, especially regarding WAN capacity.

To rate-limit multicast and unknown unicast as well you can use:
set cos port-resource flood-ctrl 0.0 broadcast rate 1000
set cos port-resource flood-ctrl 0.0 multicast rate 1000
set cos port-resource flood-ctrl 0.0 unicast rate 1000
set cos state enable

If you are using multicast applications, you might not want to limit multicast traffic (too much).

Erik
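A worked sizing of the rate value Erik suggests, added here as an example (not code from the original thread or from Extreme): it converts a WAN bandwidth budget into a packets-per-second figure, shows the worst-case bandwidth a given rate can still consume, and renders the flood-control commands. It assumes the rate argument is interpreted as packets per second and takes the port-resource identifiers (such as 0.0) as given.

```python
"""Size an EOS flood-control rate against WAN capacity and render the commands."""
from typing import Iterable, List

WIRE_OVERHEAD = 20   # preamble + inter-frame gap, bytes per frame on the wire
MAX_FRAME = 1518     # untagged Ethernet maximum frame size in bytes
MIN_FRAME = 64       # minimum Ethernet frame size in bytes


def worst_case_mbps(rate_pps: int, frame_bytes: int = MAX_FRAME) -> float:
    """Bandwidth (Mbit/s) that rate_pps flooded frames of frame_bytes can consume.

    A loop replays whatever frames are flooded, so size for the largest frames
    the WAN link will carry, not for small ones.
    """
    return rate_pps * (frame_bytes + WIRE_OVERHEAD) * 8 / 1_000_000


def pps_for_budget(budget_mbps: float, frame_bytes: int = MAX_FRAME) -> int:
    """Largest whole pps value whose worst case stays within budget_mbps."""
    return int(budget_mbps * 1_000_000 / ((frame_bytes + WIRE_OVERHEAD) * 8))


def flood_ctrl_config(port_resources: Iterable[str], rate_pps: int,
                      limit_multicast: bool = True) -> List[str]:
    """Render the per-port-resource flood-ctrl commands from the thread.

    Multicast limiting is optional, per Erik's caveat about multicast
    applications. The rate is assumed to be in packets per second.
    """
    cmds: List[str] = []
    for pr in port_resources:
        cmds.append(f"set cos port-resource flood-ctrl {pr} broadcast rate {rate_pps}")
        if limit_multicast:
            cmds.append(f"set cos port-resource flood-ctrl {pr} multicast rate {rate_pps}")
        cmds.append(f"set cos port-resource flood-ctrl {pr} unicast rate {rate_pps}")
    cmds.append("set cos state enable")   # CoS settings take effect only once enabled
    return cmds


if __name__ == "__main__":
    # Constructed scenario: a 10 Mbit/s WAN link where flooding may use at most 10%.
    rate = pps_for_budget(1.0)
    print(f"1000 pps worst case: {worst_case_mbps(1000):.3f} Mbit/s at full frames, "
          f"{worst_case_mbps(1000, MIN_FRAME):.3f} Mbit/s at 64-byte frames")
    print(f"1 Mbit/s flood budget -> {rate} pps")
    print("\n".join(flood_ctrl_config(["0.0"], rate, limit_multicast=False)))
```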