[f-nsp] MLX broadcast storm protection

Jan Pedersen Jan.Pedersen at GlobalConnect.dk
Tue Apr 5 13:56:03 EDT 2011


Vlan-cpu-protection on the VLAN will ensure that broadcast and multicast packets are forwarded in hardware and won't hit the CPU, and it will also keep most of the unknown-unicast traffic as hardware flooding. This is of course only to protect the CPU.

In order to limit the amount of broadcast and multicast traffic, we use these L2 ACLs:

access-list 400 permit any ffff.ffff.ffff ffff.ffff.ffff any etype any
access-list 401 permit any 0100.5e00.0000 ffff.ff00.0000 any etype any

interface ethernet X/Y
 rate-limit input access-group 400 10253296 10256640
 rate-limit input access-group 401 10253296 10256640



Best regards

Jan Pedersen
Senior Network Specialist
D: +45 7730 2932
M: +45 2550 7321
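
Added example (not part of the thread, and not Brocade's own code): a small simulation of the L2 ACL match plus rate-limit from the configuration above, assuming NetIron semantics where a set bit in the ACL mask means "compare this bit" and where rate-limit takes an average rate in bits per second followed by a maximum burst in bytes, modelled here as a token bucket. The storm input and the unicast MAC are constructed.

```python
# Assumed semantics: mask bit 1 = compare; rate-limit = avg bits/s, burst bytes.
def mac_to_int(mac):
    """Accept 'ffff.ffff.ffff' or 'ff:ff:ff:ff:ff:ff'."""
    return int(mac.replace(".", "").replace(":", ""), 16)

class L2Acl:
    def __init__(self, dst_mac, mask):
        self.dst, self.mask = mac_to_int(dst_mac), mac_to_int(mask)
    def matches(self, dst_mac):
        return (mac_to_int(dst_mac) & self.mask) == (self.dst & self.mask)

class TokenBucket:
    """Refills at avg_bps, never holds more than burst_bytes."""
    def __init__(self, avg_bps, burst_bytes):
        self.rate, self.cap = avg_bps / 8.0, burst_bytes
        self.tokens, self.last = float(burst_bytes), 0.0
    def allow(self, size, t):
        self.tokens = min(self.cap, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if size > self.tokens:
            return False
        self.tokens -= size
        return True

# ACL 400 (broadcast) and 401 (IPv4 multicast MAC range) from the message
ACL_400 = L2Acl("ffff.ffff.ffff", "ffff.ffff.ffff")
ACL_401 = L2Acl("0100.5e00.0000", "ffff.ff00.0000")

def police(frames):
    """frames: list of (time_s, dst_mac, size_bytes). A frame matching an ACL
    passes through that ACL's bucket; anything else is forwarded. Returns counts."""
    limiters = [(ACL_400, TokenBucket(10253296, 10256640)),
                (ACL_401, TokenBucket(10253296, 10256640))]
    counts = {"forwarded": 0, "dropped": 0}
    for t, dst, size in frames:
        bucket = next((b for acl, b in limiters if acl.matches(dst)), None)
        ok = bucket is None or bucket.allow(size, t)
        counts["forwarded" if ok else "dropped"] += 1
    return counts

def storm_demo():
    """Constructed input: a looped customer port sending 10,000 1500-byte
    broadcasts in one second (~120 Mbit/s), with 100 unicast frames mixed in."""
    frames = [(i / 10000, "ff:ff:ff:ff:ff:ff", 1500) for i in range(10000)]
    frames += [(i / 100, "00:11:22:33:44:55", 1500) for i in range(100)]
    frames.sort()
    return police(frames)
```

Note that the ACL 401 mask only compares the first 24 bits, so 33:33:xx:xx:xx:xx (IPv6 multicast) frames are not policed by it; a separate ACL would be needed for those.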

From: foundry-nsp-bounces at puck.nether.net [mailto:foundry-nsp-bounces at puck.nether.net] On Behalf Of Mark Johnson
Sent: 5. april 2011 18:48
To: foundry-nsp at puck.nether.net
Subject: [f-nsp] MLX broadcast storm protection

Anyone out there know of a good way to protect against customer broadcast storms? We use a few MLX switches with customer ports on them. Occasionally, a customer will create a loop in their equipment which causes a storm all the way back to our MLXs. The line cards are pretty good at handling it (CPU goes to 30-40%), but I would like to know of a good way to protect our MLX.

Also, does anyone have best security practices they apply on customer ports to help keep the core switching stable?