Allied Telesis Layer 3 Switches Switch User Manual

Protecting the network
Create A Secure Network With Allied Telesis Managed Layer 3 Switches 6
Example
The following example applies storm protection to classified broadcast traffic on port 1. If there is a storm, it takes the link down for 60 seconds.
set switch enhancedmode=qoscounters
Reboot after turning on enhanced mode.
create classifier=1 macdaddr=ff-ff-ff-ff-ff-ff
create qos trafficclass=1 stormstatus=enable stormwindow=100
stormrate=100 stormaction=linkdown stormtimeout=60
The rest of the QoS configuration is as normal, so:
create qos flowgroup=1
add qos flowgroup=1 classifier=1
add qos trafficclass=1 flowgroup=1
create qos policy=1
add qos policy=1 trafficclass=1
set qos port=1 policy=1
You can view matching traffic at the port level with the command:
show qos port=1 count trafficclass
Protecting against rapid MAC movement
Rapid MAC movement protection detects excessive MAC address learning on a specific switch port. Once excessive learning is detected, the switch stops learning MAC addresses via the affected port.

Rapid MAC movement mostly occurs because of a broadcast storm, when one packet is storming around a layer 2 network. Rapid MAC movement protection is simpler to configure than QoS policy-based storm protection but is not guaranteed to stop all the varieties of broadcast storm.

Rapid MAC movement protection is on by default. The default action is to disable learning for 1 second. This gives the CPU of the switch some idle time, which may let a fast STP-type protocol converge. You can change the amount of idle time to suit your network, or select a different action.
Configuration on one or more ports
To customise the protection:
1. Set the parameters in the following command:
set switch port=<ports> thrashaction={learndisable|linkdown|none|portdisable|vlandisable}
thrashtimeout={none|1..86400} vlanstatustrap={on|off}
The parameter thrashaction specifies the switch's response to rapid MAC movement:
- learndisable makes the switch temporarily disable learning on the port.
- linkdown makes the switch physically disable the port, so that the link goes down.
- portdisable makes the switch logically disable the port, leaving the link up.
- vlandisable makes the switch block traffic on only the VLAN on which the rapid learning occurred.
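The two mechanisms on this page, QoS storm protection (stormwindow/stormrate/stormaction/stormtimeout) and rapid MAC movement protection (thrashaction/thrashtimeout), share one shape: count events on a port inside a sliding window, apply an action when the count exceeds a rate, and restore the port after a timeout. The following Python model is an added illustration of that shape and is not Allied Telesis code or the switch's actual algorithm. It assumes that stormwindow is a window length in milliseconds and stormrate a count of frames tolerated per window, and, because this page gives no learning-rate threshold for MAC thrashing, it uses an assumed value of 50 learns per 100 ms for that scenario. The PortProtector class, validate_settings, storm_scenario, mac_thrash_scenario and thrash_command are all names chosen here for illustration.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, List, Optional, Tuple

# Actions named on the page for thrashaction; stormaction=linkdown is one of them.
ACTIONS = {"none", "learndisable", "linkdown", "portdisable", "vlandisable"}


def validate_settings(action: str, timeout_s: Optional[int]) -> None:
    """Reject values outside the ranges the manual gives (thrashtimeout: none|1..86400)."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if timeout_s is not None and not 1 <= timeout_s <= 86400:
        raise ValueError("timeout must be none or 1..86400 seconds")


@dataclass
class PortProtector:
    """Sliding-window rate detector with a timed restore, modelling one switch port.

    Simplified model for illustration only: window_ms and max_events are assumed
    to correspond to stormwindow and stormrate; the real switch logic is not shown here.
    """
    window_ms: int                 # length of the detection window (assumed milliseconds)
    max_events: int                # events tolerated inside one window
    action: str                    # state entered when the rate is exceeded
    timeout_s: Optional[int]       # seconds until restore; None = stays in that state
    state: str = "normal"
    restore_at_ms: Optional[float] = None
    events: Deque[float] = field(default_factory=deque)
    transitions: List[Tuple[float, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        validate_settings(self.action, self.timeout_s)

    def tick(self, now_ms: float) -> None:
        """Restore the port once its protection timeout has elapsed."""
        if (self.state != "normal" and self.restore_at_ms is not None
                and now_ms >= self.restore_at_ms):
            self.state = "normal"
            self.restore_at_ms = None
            self.events.clear()
            self.transitions.append((now_ms, "normal"))

    def observe(self, now_ms: float) -> str:
        """Record one event (a classified broadcast frame, or a MAC learn) at now_ms."""
        self.tick(now_ms)
        if self.state != "normal":
            return self.state               # port already protected; event is not counted
        self.events.append(now_ms)
        while now_ms - self.events[0] > self.window_ms:
            self.events.popleft()           # drop events that fell out of the window
        if len(self.events) > self.max_events and self.action != "none":
            self.state = self.action
            if self.timeout_s is not None:
                self.restore_at_ms = now_ms + self.timeout_s * 1000
            self.transitions.append((now_ms, self.state))
        return self.state


def storm_scenario() -> List[Tuple[float, str]]:
    """Port 1 from the QoS example: stormwindow=100, stormrate=100, linkdown, timeout 60."""
    port = PortProtector(window_ms=100, max_events=100, action="linkdown", timeout_s=60)
    # Constructed traffic: background broadcasts 50 ms apart never exceed the rate ...
    for i in range(20):
        port.observe(i * 50.0)
    # ... then a storm of 150 frames in 75 ms crosses 100 frames per 100 ms window.
    for i in range(150):
        port.observe(1000.0 + i * 0.5)
    port.tick(62_000.0)                      # more than 60 s later: link restored
    return port.transitions


def mac_thrash_scenario() -> List[Tuple[float, str]]:
    """Default rapid MAC movement response: learndisable for 1 second.

    The page gives no learning-rate threshold; 50 learns per 100 ms is an assumed value.
    """
    port = PortProtector(window_ms=100, max_events=50, action="learndisable", timeout_s=1)
    for i in range(80):                      # one looping frame re-learned every millisecond
        port.observe(i * 1.0)
    port.tick(2000.0)
    return port.transitions


def thrash_command(ports: str, action: str, timeout_s: Optional[int], trap: bool) -> str:
    """Render the manual's 'set switch port' command after validating the values."""
    validate_settings(action, timeout_s)
    timeout = "none" if timeout_s is None else str(timeout_s)
    return (f"set switch port={ports} thrashaction={action} "
            f"thrashtimeout={timeout} vlanstatustrap={'on' if trap else 'off'}")


if __name__ == "__main__":
    print(storm_scenario())
    print(mac_thrash_scenario())
    print(thrash_command("1-4", "learndisable", 1, True))
```

Running the module prints the state transitions for both constructed scenarios: the storm scenario enters linkdown part-way through the burst and returns to normal after the 60 s timeout, while the thrash scenario enters learndisable after the 51st learn and is restored once its 1 s timeout passes. The point of the model for a defender is the trade-off the page describes: a short thrashtimeout gives the CPU idle time for a spanning-tree protocol to converge, whereas a long stormtimeout with linkdown takes the port out of service for the whole period, so the timeout and action should be chosen per port with that in mind.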
Products
AT-8948
x900-48 Series
AT-9900 Series
AT-9924Ts
x900-24 Series
Software Versions
2.8.1 and later