If you are doing fiber with active ethernet, why not just run QinQ with a CVLAN for each port and an SVLAN back to wherever?
On Tue, Apr 17, 2018 at 4:40 PM, Dave <dmilho...@wletc.com> wrote:

> OMG!
> what a broadcast nightmare :)
>
> On 04/17/2018 11:49 AM, Sterling Jacobson wrote:
>
> Well, I’m using 48 port or more switches attached to each other, so I need something to limit it.
>
> The switches typically limit ingress per port, so a low limiter should only affect the devices behind that port if one of the devices storms out.
>
> I do have DHCP snooping, but that doesn’t necessarily block other types of bad traffic like that.
>
> One thing I have to be careful of is to not broadly limit the uplink ports as well.
>
> *From:* Af <af-boun...@afmug.com> *On Behalf Of* Adam Moffett
> *Sent:* Tuesday, April 17, 2018 6:29 AM
> *To:* af@afmug.com
> *Subject:* Re: [AFMUG] Switch Storm Control
>
> Exactly what I was thinking.
>
> Is it a global setting for the switch or an ingress limit per port? If you can limit it per port then something like 5pps should be plenty. They only need to ARP their default gateway and send a DHCP discover...anything else is surplus garbage. But if it's a global limit then someone sending garbage could prevent everybody else's ARP from working.
>
> I may not be thinking clearly but doesn't port isolation address the risk of broadcast storms? You allow one path from the customer's access port to the uplink port. Any broadcast traffic is received only at the router port which will only respond to the ones that matter and ignore the rest.
>
> I recognize there are reasons to not like PPPoE, but PPPoE is another way to address it. You configure the switch to discard anything from an access port that is not PPPoE.
>
> ------ Original Message ------
> From: "Forrest Christian (List Account)" <li...@packetflux.com>
> To: "af" <af@afmug.com>
> Sent: 4/17/2018 3:01:18 AM
> Subject: Re: [AFMUG] Switch Storm Control
>
> I don't have a good answer for you.... but.... I really wish more devices would permit filtering such that the only broadcasts/multicasts permitted on customer facing segments were ARP and possibly DHCP if that's applicable to you.
>
> If you can exempt arp and dhcp from this, then the correct value is likely as low as you can set it.
>
> If you can't exempt arp and dhcp, you need to think about the ramifications where a low level broadcast storm saturates the setting you have set and prevents arp and dhcp from working....
>
> On Mon, Apr 16, 2018 at 3:49 PM, Sterling Jacobson <sterl...@avative.net> wrote:
>
> What are you guys using as a 'standard' for packets per second storm control on your switches/devices?
>
> I can limit broadcast, multicast and unknown unicast type packets
>
> Is 100pps too low?
>
> Would this be based on say a /24 network arping and DHCP request type traffic?
>
> --
> *Forrest Christian* *CEO, PacketFlux Technologies, Inc.*
> Tel: 406-449-3345 | Address: 3577 Countryside Road, Helena, MT 59602
> forre...@imach.com | http://www.packetflux.com
> <http://www.linkedin.com/in/fwchristian> <http://facebook.com/packetflux> <http://twitter.com/@packetflux>

--
Carl Peterson
*PORT NETWORKS*
401 E Pratt St, Ste 2553
Baltimore, MD 21202
(410) 637-3707
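Added illustration (not from any poster in this thread) of the two points Forrest and Adam raise: a storm-control limiter modelled as a token bucket, run once per ingress port and once as a single global bucket, with and without an ARP/DHCP exemption. Port names, the 5 pps limit and the traffic are constructed for the simulation; the point shown is that without the exemption a storm on one port eats the ARP behind it, and with a global bucket it eats everyone's.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Frame:
    t_ms: int    # arrival time in milliseconds
    port: str    # ingress port the frame came in on (constructed names)
    kind: str    # "arp", "dhcp", or "junk" (any other flooded bcast/mcast/unknown-unicast)


class StormControl:
    """Token-bucket limiter for flooded frames: one bucket per ingress port, or a
    single global bucket, with an optional exemption list (e.g. ARP and DHCP).
    Tokens are kept in thousandths of a frame so all arithmetic stays integer."""

    def __init__(self, pps, per_port=True, exempt=()):
        self.pps, self.per_port, self.exempt = pps, per_port, frozenset(exempt)
        self.cap = pps * 1000                          # one second's worth of frames
        self.tokens = defaultdict(lambda: self.cap)
        self.last_ms = defaultdict(int)

    def admit(self, f):
        if f.kind in self.exempt:
            return True                                # never counted against the limit
        key = f.port if self.per_port else "global"
        refill = (f.t_ms - self.last_ms[key]) * self.pps   # pps frames/s == pps millitokens/ms
        self.tokens[key] = min(self.cap, self.tokens[key] + refill)
        self.last_ms[key] = f.t_ms
        if self.tokens[key] >= 1000:
            self.tokens[key] -= 1000
            return True
        return False


def constructed_traffic():
    """Constructed sample: a 1000 pps broadcast storm on gi0/1 for one second,
    plus the legitimate ARP/DHCP a subscriber on each port actually needs."""
    storm = [Frame(ms, "gi0/1", "junk") for ms in range(1000)]
    legit = [Frame(500, "gi0/1", "arp"), Frame(600, "gi0/2", "arp"), Frame(700, "gi0/2", "dhcp")]
    return sorted(storm + legit, key=lambda f: f.t_ms)   # stable sort: junk precedes legit at equal times


def legit_admitted(limiter, frames):
    """Return {port: set of legitimate frame kinds that got through} under the limiter."""
    out = defaultdict(set)
    for f in frames:
        if limiter.admit(f) and f.kind != "junk":
            out[f.port].add(f.kind)
    return dict(out)


if __name__ == "__main__":
    frames = constructed_traffic()
    print("per-port, no exemption :", legit_admitted(StormControl(5), frames))
    print("per-port, ARP/DHCP exempt:", legit_admitted(StormControl(5, exempt=("arp", "dhcp")), frames))
    print("global, no exemption   :", legit_admitted(StormControl(5, per_port=False), frames))
```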