Extreme Networks

Article ID: 6816

Products
Matrix N-Series DFE

Changes
Network virus or DOS Attack

Symptoms
Too many flows/connections being rapidly created
Flow Limiting - also known as Flow Setup Throttling (FST) - is not working
Too many flows on the network

Solution
Flow Limiting (5289) should ideally be used on user edge ports only, as this is where the issue tends to originate. Creating too many flow monitors at the core of a network, and dropping flows or disabling ports in the core, is not an optimal design. Certainly, actions taken on InterSwitch Link (ISL) ports can be painful to recover. Well-implemented networks will start by looking at normal flow levels in order to determine the most useful limits.

1. Apply a reasonable limiter to individual ports.
   set flowlimit limit1 100 userport (trigger the low-level action at 100 aggregate flows on the port)
   set flowlimit limit2 200 userport (trigger the high-level action at 200 aggregate flows on the port) Apply the actions to these two defined levels.
   set flowlimit action1 notify userport ([default] send a trap when limit1 is reached)
   set flowlimit action2 drop userport (drop new flows/connections when limit2 is reached) Define which ports will be utilized in flow limiting. Be mindful not to enable this on ISL ports.
   set flowlimit port class userport <port_string> Globally enable Flow Limiting.
   set flowlimit enable Verify the configuration, and/or baseline the flow limits.
   show flowlimit
   show flowlimit port
   show flowlimit class userport
   show flowlimit stats
   
   According to the baselined results of these queries (especially the 'show flowlimit stats') over time, the user should adjust limit2 to be perhaps 50-100% higher than the highest count seen, and then adjust limit1 to be just above the highest count seen. The idea is to only involve management when an event worthy of examination has occurred. These numbers will vary according to how the port is used, which is why it is possible to utilize different traffic classes (userport, serverport, aggregateduser, interswitchlink) for this purpose. If a 'show flowlimit port' indicates that a triggered flow limit has disabled ports (this might only happen if the desired action is disable), then once the attack or issue is corrected the port may be re-enabled:
   set flowlimit port status operational A flow is defined as a unique source and destination IP address (L3), and possibly a unique UDP,TCP pair (L4). By default, flows are created up to L3. If within Flow Limiting you would like the granularity of defining flows up to L4 and a 'show flowlimit port' indicates L3 flows, then it is necessary to enable that awareness by configuring at least one feature which examines L4 data. The use of NetFlow, LSNAT, NAT, L4 ACLs, and/or L4 Policies would do this.
   
   In the absence of a legitimate configuration for this purpose, the user may for example configure a dummy L4 classification which is neither statically nor dynamically applied to traffic:
   set policy profile 86 name dummy-L4
   set policy rule 86 udpdestportip 65535 mask 16 forward
   For further background, please refer to the Configuration Guide for your product.
   Also see this HowTo Video demonstrating the flowlimit command set using S-Series firmware 8.01.01.0016.
   See also: 5116.