Extreme Networks

Denial of Service Control Protection options

We have had a few times where a user has plugged a loop into the network via an unmanaged switch. This has caused the traffic to bleed into the WAN VLAN, affecting multiple sites. We have STP enabled, but it is not always effective. I just discovered the DOS-CONTROL setting in the B5 series switch that allows traffic matching the enabled rules to get dropped. I was looking for some experience on which to enable. Some of these seem like they could block legitimate traffic, like "TCP source port matches TCP destination port". Any help is appreciated.

2 replies

Hi Thomas,

A nice fail-safe mechanism mitigating the effects of layer 2 loops is rate limiting for flooded traffic.

Simple one-shot command:

set port broadcast *.*.* 1000

You may want to adjust the numerical value, especially regarding WAN capacity.

To rate-limit multicast and unknown unicast as well you can use:

set cos port-resource flood-ctrl 0.0 broadcast rate 1000
set cos port-resource flood-ctrl 0.0 multicast rate 1000
set cos port-resource flood-ctrl 0.0 unicast rate 1000
set cos state enable

If you are using multicast applications, you might not want to limit multicast traffic (too much).
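The reply above limits the three classes of flooded traffic (broadcast, multicast, unknown unicast) per port. To make the effect concrete, here is an added example, written for this thread and not code from Extreme Networks or from the reply's author, that walks a constructed frame log the way a switch's flood control would: it classifies each frame against a learned forwarding table, counts flooded frames per ingress port per second, reports what a limiter at the reply's 1000 value would discard (the unit is assumed to be packets per second here), and also flags the other tell-tale of an unmanaged-switch loop, the same source MAC arriving on more than one port. Port names, MAC addresses and the traffic volumes are all invented for the sample.

```python
"""Offline look at what per-port flood control does during a layer-2 loop.
Added example for this thread; not Extreme Networks code. The frame log is
constructed, and the rate value is assumed to mean frames per second."""
from collections import Counter, defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"


def flood_class(dst, fdb):
    """Classify a destination MAC as a switch's flood control would see it:
    broadcast, multicast (group bit of the first octet set), unknown unicast
    (destination not yet learned) or known unicast (forwarded, not flooded)."""
    if dst == BROADCAST:
        return "broadcast"
    if int(dst.split(":")[0], 16) & 0x01:
        return "multicast"
    return "unicast" if dst in fdb else "unknown-unicast"


def analyze(frames, limit_pps=1000):
    """frames: iterable of (t_seconds, ingress_port, src_mac, dst_mac).
    Returns (counts, drops, flapping):
      counts   -> Counter keyed (port, class, whole_second) of flooded frames
      drops    -> Counter keyed (port, class) of frames above limit_pps in any second
      flapping -> {src_mac: sorted ports} for MACs that entered on more than one port"""
    fdb = {}                          # src MAC -> port where it was first learned
    ports_per_mac = defaultdict(set)  # every ingress port seen for each source MAC
    counts = Counter()
    drops = Counter()
    for t, port, src, dst in sorted(frames, key=lambda f: f[0]):
        ports_per_mac[src].add(port)
        cls = flood_class(dst, fdb)   # look up before learning, like a real FDB
        fdb.setdefault(src, port)
        if cls == "unicast":
            continue                  # known unicast is forwarded, never flooded
        key = (port, cls, int(t))
        counts[key] += 1
        if counts[key] > limit_pps:   # simple per-second budget, not a token bucket
            drops[(port, cls)] += 1
    flapping = {m: sorted(p) for m, p in ports_per_mac.items() if len(p) > 1}
    return counts, drops, flapping


def peak_pps(counts):
    """Busiest one-second flood count for each (port, class)."""
    peak = {}
    for (port, cls, _), n in counts.items():
        peak[(port, cls)] = max(peak.get((port, cls), 0), n)
    return peak


def build_sample():
    """Constructed log. ge.1.1 carries normal traffic. An unmanaged switch behind
    ge.1.5 and ge.1.6 forms a loop, so one host's ARP broadcast is reflected back
    into both ports thousands of times within the same second."""
    frames = []
    host_a, host_b = "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"
    looped = "00:11:22:33:44:55"
    for i in range(5):                                   # a few normal ARPs
        frames.append((0.1 * i, "ge.1.1", host_a, BROADCAST))
    frames.append((0.6, "ge.1.1", host_a, host_b))       # host_b not learned yet
    frames.append((0.0, "ge.1.5", looped, BROADCAST))    # the original request
    for i in range(3000):                                # copies circling the loop
        frames.append((0.5 + i / 6000, "ge.1.5", looped, BROADCAST))
    for i in range(1500):                                # second leg of the loop
        frames.append((0.5 + i / 3000, "ge.1.6", looped, BROADCAST))
    return frames


if __name__ == "__main__":
    counts, drops, flapping = analyze(build_sample(), limit_pps=1000)
    for key, n in sorted(peak_pps(counts).items()):
        print(f"{key[0]:8} {key[1]:16} peak {n:5d}/s  dropped {drops[key]}")
    for mac, ports in flapping.items():
        print(f"MAC {mac} seen on {', '.join(ports)}: likely loop")
```

The interesting output is the contrast between ge.1.1, whose five broadcasts per second pass untouched, and ge.1.5 / ge.1.6, where the limiter discards everything above the first 1000 frames in the second while still letting the port carry its own traffic. The flapping report is what you would look for in a real incident: a MAC address that legitimately lives on one port but keeps showing up on a second one points straight at the unmanaged switch. Real hardware meters with a token bucket rather than a hard per-second count, and the correct rate for a WAN-facing port depends on the link, so treat the 1000 as the reply does, a starting value to tune.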

Hello Thomas,
I think this DoS protect is strictly switch host oriented. It looks like the perfect tool, but this host DoS mitigation won't protect against the condition described, where a user with an unmanaged switch wraps, loops or reflects traffic back into the network.