https://community.extremenetworks.com/t5/extremeswitching-eos/denial-of-service-control-protection-options/m-p/60373#M1987 Hi Thomas,<BR /> <BR /> a nice fail-safe mechanism mitigating the effects of layer 2 loops is rate limiting for flooded traffic.<BR /> <BR /> Simple one-shot command:<BR /> set port broadcast *.*.* 1000You may want to adjust the numerical value, especially regarding WAN capacity.<BR /> <BR /> To rate-limit multicast and unknown unicast as well you can use:<BR /> set cos port-resource flood-ctrl 0.0 broadcast rate 1000<BR /> set cos port-resource flood-ctrl 0.0 multicast rate 1000<BR /> set cos port-resource flood-ctrl 0.0 unicast rate 1000<BR /> set cos state enableIf you are using multicast applications, you might not want to limit multicast traffic (too much).<BR /> <BR /> Erik<BR /> Wed, 27 Apr 2016 21:39:00 GMT Erik_Auerswald 2016-04-27T21:39:00Z https://community.extremenetworks.com/t5/extremeswitching-eos/denial-of-service-control-protection-options/m-p/60372#M1986 We have had a few times where a user has plugged a loop in to the network via and unmanaged switch. This has caused the traffic to bleed in the WAN vlan affecting multiple sites. We have STP enabled, but it is not always effective. I just discovered the DOS-CONTROL in the B5 series switch setting that allows for traffic to get dropped matching the rules that are enabled. I was looking for some experience on which to enable. Some of these seem like they could block legit traffic like TCP source ports matches TCP destination port. Any help is appreciated.<BR /> <BR /> Wed, 27 Apr 2016 19:05:00 GMT https://community.extremenetworks.com/t5/extremeswitching-eos/denial-of-service-control-protection-options/m-p/60372#M1986 Thomas_Randolph 2016-04-27T19:05:00Z https://community.extremenetworks.com/t5/extremeswitching-eos/denial-of-service-control-protection-options/m-p/60373#M1987 Hi Thomas,<BR /> <BR /> a nice fail-safe mechanism mitigating the effects of layer 2 loops is rate limiting for flooded traffic.<BR /> <BR /> Simple one-shot command:<BR /> set port broadcast *.*.* 1000You may want to adjust the numerical value, especially regarding WAN capacity.<BR /> <BR /> To rate-limit multicast and unknown unicast as well you can use:<BR /> set cos port-resource flood-ctrl 0.0 broadcast rate 1000<BR /> set cos port-resource flood-ctrl 0.0 multicast rate 1000<BR /> set cos port-resource flood-ctrl 0.0 unicast rate 1000<BR /> set cos state enableIf you are using multicast applications, you might not want to limit multicast traffic (too much).<BR /> <BR /> Erik<BR /> Wed, 27 Apr 2016 21:39:00 GMT https://community.extremenetworks.com/t5/extremeswitching-eos/denial-of-service-control-protection-options/m-p/60373#M1987 Erik_Auerswald 2016-04-27T21:39:00Z https://community.extremenetworks.com/t5/extremeswitching-eos/denial-of-service-control-protection-options/m-p/60374#M1988 <BR /> <BR /> Hello Thomas,<BR /> I think this dos protect is strictly switch host oriented. It looks like the perfect tool - but this host dos mitigation wont protect against the condition described - where a user with an unmanaged switch wraps or loops or reflects traffic back into the network.. <BR /> <BR /> Regards,<BR /> Mike<BR /> <BR /> Wed, 27 Apr 2016 22:11:00 GMT https://community.extremenetworks.com/t5/extremeswitching-eos/denial-of-service-control-protection-options/m-p/60374#M1988 Mike_D 2016-04-27T22:11:00Z