Well, I’m using 48 port or more switches attached to each other, so I need 
something to limit it.

The switches typically limit ingress per port, so a low limiter should only 
affect the devices behind that port if one of the devices storm out.

I do have DHCP snooping, but that doesn’t necessarily block other types of bad 
traffic like that.

One thing I have to be careful of is to not broadly limit the uplink ports as 
well.

From: Af <af-boun...@afmug.com> On Behalf Of Adam Moffett
Sent: Tuesday, April 17, 2018 6:29 AM
To: af@afmug.com
Subject: Re: [AFMUG] Switch Storm Control

Exactly what I was thinking.

Is it a global setting for the switch or an ingress limit per port?  If you can 
limit it per port then something like 5pps should be plenty.  They only need to 
ARP their default gateway and send a DHCP discover...anything else is surplus 
garbage. But if it's a global limit then someone sending garbage could prevent 
everybody else's ARP from working.

I may not be thinking clearly but doesn't port isolation address the risk of 
broadcast storms? You allow one path from the customer's access port to the 
uplink port.  Any broadcast traffic is received only at the router port which 
will only respond to the ones that matter and ignore the rest.

I recognize there are reasons to not like PPPoE, but PPPoE is another way to 
address it.  You configure the switch to discard anything from an access port 
that is not PPPoE.



------ Original Message ------
From: "Forrest Christian (List Account)" <li...@packetflux.com>
To: "af" <af@afmug.com>
Sent: 4/17/2018 3:01:18 AM
Subject: Re: [AFMUG] Switch Storm Control

I don't have a good answer for you.... but....  I really wish more devices 
would permit filtering such that the only broadcasts/multicasts permitted on 
customer facing segments were ARP and possibly DHCP if that's applicable to you.

If you can exempt arp and dhcp from this, then the correct value is likely as 
low as you can set it.

If you can't exempt arp and dhcp, you need to think about the ramifications 
where a low level broadcast storm saturates the setting you have set and 
prevents arp and dhcp from working....

On Mon, Apr 16, 2018 at 3:49 PM, Sterling Jacobson <sterl...@avative.net> wrote:
What are you guys using as a 'standard' for packets per second storm control on 
your switches/devices?

I can limit broadcast, multicast and unknown unicast type packets

Is 100pps too low?

Would this be based on say a /24 network arping and DHCP request type traffic?



--
Forrest Christian CEO, PacketFlux Technologies, Inc.
Tel: 406-449-3345 | Address: 3577 Countryside Road, Helena, MT 59602
forre...@imach.com | http://www.packetflux.com
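The per-port versus global distinction raised in the thread, and the warning that a storm saturating the limit stops ARP and DHCP from working, worked through as an added example that is not part of the original messages. It assumes a simple token-bucket policer and constructed traffic (47 ports at 1 broadcast per second, port 48 storming at 5000 pps); only the 5 pps and 100 pps figures come from the thread.

```python
from collections import Counter

class TokenBucket:
    """Packets-per-second policer: refills at rate_pps, holds at most burst tokens."""
    def __init__(self, rate_pps, burst):
        self.rate, self.burst = rate_pps, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False  # over the limit: the frame is dropped

def arrivals(rates, seconds):
    """Constructed traffic: {port: broadcast pps}, evenly spaced within each second."""
    return sorted(((i + 0.5) / pps, port)
                  for port, pps in rates.items()
                  for i in range(pps * seconds))

def simulate(rates, seconds, limit_pps, per_port):
    """Return a Counter of broadcasts forwarded per ingress port."""
    buckets, passed = {}, Counter()
    for now, port in arrivals(rates, seconds):
        key = port if per_port else "global"  # one bucket per port, or one shared
        bucket = buckets.setdefault(key, TokenBucket(limit_pps, limit_pps))
        if bucket.allow(now):
            passed[port] += 1
    return passed

def summarize(rates, seconds, limit_pps, per_port, storm_port):
    """(fraction of well-behaved broadcasts forwarded, storm frames forwarded)."""
    passed = simulate(rates, seconds, limit_pps, per_port)
    sent = sum(pps * seconds for p, pps in rates.items() if p != storm_port)
    good = sum(n for p, n in passed.items() if p != storm_port)
    return good / sent, passed[storm_port]

# Constructed scenario (assumption): 47 customer ports at 1 broadcast/s, port 48 storming.
RATES = {port: 1 for port in range(1, 48)}
RATES[48] = 5000
SECONDS = 10

if __name__ == "__main__":
    for label, limit, per_port in (("per-port 5 pps", 5, True),
                                   ("shared 100 pps", 100, False)):
        ratio, storm = summarize(RATES, SECONDS, limit, per_port, storm_port=48)
        print(f"{label}: {ratio:.1%} of normal broadcasts forwarded, "
              f"{storm} storm frames forwarded")
```

With the per-port limiter the storming port is held to its own budget and every other port's broadcasts get through; with the shared limiter the storm consumes nearly all of the tokens even though the shared limit is twenty times higher.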

