04-06-2012 01:37 PM
I know with Storm Control and the MAS product line we can control the percentage of bandwidth used by broadcast and multicast. However, is there a way to see if this policy is enforced? K-12 uses a similar function called loop detection that will disable the port and then identify what port is disabled. Thoughts?
04-06-2012 04:23 PM
MAS supports multiple function at interface level to prevent unwanted L2 traffic attack the network.
1.> Storm Control –
Storm control prevents interfaces from disruptions by providing protection against excessive ingress rates of unknown-unicast, multicast, and broadcast traffic. The function can be set under switch-profile. See an example below .. The settings are to allow only 50% of interface speed to be used for unknown unicast, broadcast and multicast traffic.
(host) (config) #interface-profile switching-profile STORM_CONTROL
(host) (switching profile "STORM_CONTROL") #storm-control-bandwidth 50
(host) (switching profile "STORM_CONTROL") #storm-control-unknown-unicast
(host) (switching profile "STORM_CONTROL") #storm-control-multicast
(host) (switching profile "STORM_CONTROL") #storm-control-broadcast
(host) (config) #interface gigabitethernet 0/0/20
(host) (gigabitethernet "0/0/20") #switching-profile STORM_CONTROL
2.> Port Security –
ArubaOS 18.104.22.168 release of Mobility Access Switch supports Port Security functionality which provides network security at each physical interface. You can now restrict the number of MACs allowed on the interface, and detect the unwanted loops in the network. You can enable or disable this functionality at an interface level. You can recover the port automatically by enabling the auto-recovery option.You can also manually recover the port using the clear command. Below is the details about Loop protect.
The Loop Protect functionality detects the unwanted physical loops in your network. You can enable or disable this functionality at an interface level. A proprietary protocol data unit (PDU) is used to detect the physical loops in the network. When the system detects a loop, it disables the port that sends the PDU.
Points to Remember
It is recommended that you enable Loop Protect on all the Layer 2 interfaces when the spanning tree is disabled on the switch.
The Loop Protect will not detect any loops when MSTP or PVST (on any VLAN) is enabled on the switch.
The Loop Protect functionality will work only on non-HSL interfaces. An error will be displayed when you try to enable this functionality on HSL interfaces.
Enabling Loop Protect Functionality
Port Loop Protect functionality is configured as part of the port level security configuration. You can attach the port-security profile to any Layer 2 interface. Loop protect include 2 function.
#1 – Loop protect …
Once a loop is detected; then what we do. As the previous paragraph has said, it will disable the port. The comment here is
(host) (Port security profile "TEST") #loop-protect <cr>
#2 – Recover …
Automatically enable the port back after a time period. Set a value for auto-recovery-time to enable the auto-recovery option.
The port will then be automatically recovered from the error after the specified time. If you set the auto-recovery-time value to 0, it disables the auto-recovery option. By default, auto-recovery is disabled. The command here is
(host) (Port security profile "TEST") #loop-protect auto-recovery-time
Time to recover port loop error in seconds.
Default: 0 (No Auto Recovery)
Allowed range: [0-65535]
You can also disable the auto-recovery option using the following command:
(host) (Port security profile "<profile-name>") #no loop-protect auto-recovery-time
To disable the Loop Protect functionality:
(host) (Port security profile "<profile-name>") #no loop-protect