Re: [AFMUG] Switch Storm Control

2018-04-17 Thread Sterling Jacobson
Well, that’s possible I guess, but it’s a real PITA to configure and keep 
straight.

I mean, you got to keep it tight until it hits the actual router interface, and 
I have at least two points of VRRP entry into each bank of switches.

It’s just much simpler to do static MAC/IP assignments in the DHCP server and 
lock the switches down with snooping and broadcast controls.

Works well, just need to optimize the settings.


Re: [AFMUG] Switch Storm Control

2018-04-17 Thread Adam Moffett

Interesting thought.


Re: [AFMUG] Switch Storm Control

2018-04-17 Thread Carl Peterson
If you are doing fiber with active ethernet, why not just run QinQ with a
CVLAN for each port and an SVLAN back to wherever?

--
Carl Peterson
PORT NETWORKS
401 E Pratt St, Ste 2553
Baltimore, MD 21202
(410) 637-3707


Re: [AFMUG] Switch Storm Control

2018-04-17 Thread Dave

OMG!
 what a broadcast nightmare :)



Re: [AFMUG] Switch Storm Control

2018-04-17 Thread Sterling Jacobson
Well, I’m using 48 port or more switches attached to each other, so I need 
something to limit it.

The switches typically limit ingress per port, so a low limiter should only 
affect the devices behind that port if one of the devices storms out.

I do have DHCP snooping, but that doesn’t necessarily block other types of bad 
traffic like that.

One thing I have to be careful of is to not broadly limit the uplink ports as 
well.


Re: [AFMUG] Switch Storm Control

2018-04-17 Thread Dave
We route and segment to remove this from being an issue on the 
infrastructure, but as with any network a customer will always figure out 
a way to break stuff, hence the isolation that we use on the AP. If it's not a 
routed packet then it doesn't get thru.





Re: [AFMUG] Switch Storm Control

2018-04-17 Thread Adam Moffett

Exactly what I was thinking.

Is it a global setting for the switch or an ingress limit per port?  If 
you can limit it per port then something like 5pps should be plenty.  
They only need to ARP their default gateway and send a DHCP 
discover...anything else is surplus garbage. But if it's a global limit 
then someone sending garbage could prevent everybody else's ARP from 
working.


I may not be thinking clearly but doesn't port isolation address the 
risk of broadcast storms? You allow one path from the customer's access 
port to the uplink port.  Any broadcast traffic is received only at the 
router port which will only respond to the ones that matter and ignore 
the rest.


I recognize there are reasons to not like PPPoE, but PPPoE is another 
way to address it.  You configure the switch to discard anything from an 
access port that is not PPPoE.





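Adam's global-versus-per-port question, and the concern Forrest raises that a low-level storm can saturate the limiter and take ARP and DHCP down with it, can be checked against a simple model. The following is an added example, not code from the thread or from any switch vendor: it models storm control as a token bucket (the refill/burst semantics of real switches vary, so that is an assumption), on a constructed 48-port switch where port 7 floods 1000 junk broadcasts per second and every other port sends one ARP per second, under a 100 pps limit with a 100-frame burst. The three policies compared are one shared bucket for the whole switch, one bucket per port, and one bucket per port with ARP/DHCP exempted.

```python
"""Token-bucket model of switch storm control (constructed example).

Compares, on synthetic traffic, whether a GLOBAL pps limit lets one
storming port starve the other ports' ARP, and how a PER-PORT limit
(with or without an ARP/DHCP exemption) changes that. The 48-port
switch, the storming port and the 100 pps / 100-frame-burst limiter
are assumptions chosen for illustration, not measured values.
"""
from collections import Counter

PORTS = range(1, 49)          # 48 access ports (assumption)
STORM_PORT = 7                # one customer device storming broadcast
DURATION_MS = 10_000          # ten simulated seconds
SAFE_KINDS = frozenset({"arp", "dhcp"})


def build_workload():
    """Return (t_ms, port, kind) events: one ARP/s from each normal port,
    a DHCP discover every 5 s from port 12, and 1000 junk broadcasts/s
    from the storming port. All of this is constructed traffic."""
    events = []
    for port in PORTS:
        if port == STORM_PORT:
            events += [(t, port, "junk") for t in range(DURATION_MS)]
            continue
        # each normal host ARPs its gateway once a second, staggered by port
        events += [(s * 1000 + port * 20, port, "arp")
                   for s in range(DURATION_MS // 1000)]
    events += [(s * 1000 + 12 * 20 + 1, 12, "dhcp")
               for s in range(0, DURATION_MS // 1000, 5)]
    events.sort()             # lowest (time, port) first: deterministic order
    return events


class TokenBucket:
    """Integer token bucket. Tokens are kept in thousandths so that a
    100 pps rate refills exactly 100 milli-tokens per millisecond."""

    def __init__(self, rate_pps, burst_frames):
        self.rate = rate_pps
        self.cap = burst_frames * 1000
        self.tokens = self.cap
        self.last_ms = 0

    def allow(self, t_ms):
        self.tokens = min(self.cap, self.tokens + (t_ms - self.last_ms) * self.rate)
        self.last_ms = t_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


def simulate(policy, rate_pps=100, burst=100, exempt=frozenset()):
    """policy is 'global' (one bucket shared by the switch) or 'per-port'.
    exempt is the set of frame kinds that bypass the limiter. Returns a
    Counter of delivered frames keyed by (kind, from_storm_port)."""
    shared = TokenBucket(rate_pps, burst)
    buckets = {p: (shared if policy == "global" else TokenBucket(rate_pps, burst))
               for p in PORTS}
    delivered = Counter()
    for t, port, kind in build_workload():
        if kind in exempt or buckets[port].allow(t):
            delivered[(kind, port == STORM_PORT)] += 1
    return delivered


def arp_delivery_ratio(policy, exempt=frozenset()):
    """Fraction of the non-storming ports' ARP requests that get through."""
    sent = (len(PORTS) - 1) * (DURATION_MS // 1000)
    return simulate(policy, exempt=exempt)[("arp", False)] / sent


if __name__ == "__main__":
    for policy, exempt in (("global", frozenset()), ("per-port", frozenset()),
                           ("per-port", SAFE_KINDS)):
        d = simulate(policy, exempt=exempt)
        print(f"{policy:9} exempt={sorted(exempt) or '-'}: other ports' ARP "
              f"delivered {arp_delivery_ratio(policy, exempt):.0%}, "
              f"storm junk delivered {d[('junk', True)]}")
```

With the shared bucket the storm drains it in roughly the first tenth of a second and keeps it empty, so almost every other port's ARP is dropped for the rest of the run; with a bucket per port every ARP is delivered and the storming port's junk is held to about the 100 pps rate plus the initial burst, whether or not ARP/DHCP are exempted. The exemption matters on the global model, where it is the only thing that keeps ARP working.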

Re: [AFMUG] Switch Storm Control

2018-04-17 Thread Forrest Christian (List Account)
I don't have a good answer for you but I really wish more devices
would permit filtering such that the only broadcasts/multicasts permitted
on customer facing segments were ARP and possibly DHCP if that's applicable
to you.

If you can exempt arp and dhcp from this, then the correct value is likely
as low as you can set it.

If you can't exempt arp and dhcp, you need to think about the ramifications
where a low level broadcast storm saturates the setting you have set and
prevents arp and dhcp from working.



--
Forrest Christian, CEO, PacketFlux Technologies, Inc.
Tel: 406-449-3345 | Address: 3577 Countryside Road, Helena, MT 59602
forre...@imach.com | http://www.packetflux.com

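The filter Forrest wishes more devices offered, an allow-list under which the only flooded frames let through on a customer-facing port are ARP and DHCP, comes down to classifying raw Ethernet frames. The block below is an added example, not code from the thread or from any vendor. It parses the destination address, EtherType, IPv4 header and UDP ports of hand-built frames (the frames, the MAC addresses and the VLAN ids in it are constructed), and it also peels an 802.1ad S-tag / 802.1Q C-tag stack so the same check applies on the kind of QinQ trunk Carl suggests.

```python
"""Flood allow-list for a customer-facing switch port (constructed example).

Only ARP and DHCP broadcast/multicast frames are permitted; every other
flooded frame is dropped; unicast is left alone. VLAN and QinQ tags are
stripped before the EtherType is examined. Sample frames are hand-built
below and are not captured traffic.
"""
import struct

BROADCAST = b"\xff" * 6
ETH_IPV4, ETH_ARP, ETH_VLAN, ETH_QINQ = 0x0800, 0x0806, 0x8100, 0x88A8
IPPROTO_UDP = 17
DHCP_PORTS = {67, 68}                        # UDP bootps / bootpc
SRC_MAC = bytes.fromhex("020000000a01")       # locally administered, constructed


def classify(frame: bytes) -> str:
    """Return 'unicast', 'arp', 'dhcp' or 'other' for a raw Ethernet frame.
    Anything too short to parse is 'other', so a runt never gets a pass."""
    if len(frame) < 14:
        return "other"
    dst = frame[:6]
    if dst != BROADCAST and not (dst[0] & 0x01):
        return "unicast"                     # I/G bit clear: not a flood frame
    offset = 12
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    # Peel any number of VLAN tags (QinQ: 0x88a8 outer, 0x8100 inner).
    while ethertype in (ETH_VLAN, ETH_QINQ):
        offset += 4
        if len(frame) < offset + 2:
            return "other"
        ethertype = struct.unpack_from("!H", frame, offset)[0]
    payload = frame[offset + 2:]
    if ethertype == ETH_ARP:
        return "arp"
    if ethertype == ETH_IPV4 and len(payload) >= 20:
        ihl = (payload[0] & 0x0F) * 4          # IPv4 header length in bytes
        if payload[9] == IPPROTO_UDP and len(payload) >= ihl + 8:
            sport, dport = struct.unpack_from("!HH", payload, ihl)
            if sport in DHCP_PORTS and dport in DHCP_PORTS:
                return "dhcp"
    return "other"


def permitted_on_access_port(frame: bytes) -> bool:
    """Unicast passes (unknown-unicast storm control is a separate knob);
    flooded traffic passes only when it is ARP or DHCP."""
    return classify(frame) in ("unicast", "arp", "dhcp")


# ---- constructed sample frames -------------------------------------------
def _eth(dst, ethertype, payload, tags=()):
    """Ethernet frame; tags is a sequence of (TPID, VID), outermost first."""
    hdr = dst + SRC_MAC
    for tpid, vid in tags:
        hdr += struct.pack("!HH", tpid, vid)
    return hdr + struct.pack("!H", ethertype) + payload


def _arp_request(spa, tpa):
    return struct.pack("!HHBBH", 1, ETH_IPV4, 6, 4, 1) + SRC_MAC + spa + bytes(6) + tpa


def _ipv4_udp(src_ip, dst_ip, sport, dport, data):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     IPPROTO_UDP, 0, src_ip, dst_ip)
    return ip + udp


ANY_IP, BCAST_IP = bytes(4), b"\xff" * 4
HOST_IP, GW_IP, SUBNET_BCAST = b"\xc0\xa8\x01\x05", b"\xc0\xa8\x01\x01", b"\xc0\xa8\x01\xff"
SAMPLE_FRAMES = {
    "arp_request": _eth(BROADCAST, ETH_ARP, _arp_request(HOST_IP, GW_IP)),
    "dhcp_discover": _eth(BROADCAST, ETH_IPV4, _ipv4_udp(ANY_IP, BCAST_IP, 68, 67, b"\x01")),
    "qinq_arp": _eth(BROADCAST, ETH_ARP, _arp_request(HOST_IP, GW_IP),
                     tags=((ETH_QINQ, 2000), (ETH_VLAN, 17))),
    "netbios_broadcast": _eth(BROADCAST, ETH_IPV4,
                              _ipv4_udp(HOST_IP, SUBNET_BCAST, 137, 137, b"\x00")),
    "ipv6_nd_multicast": _eth(bytes.fromhex("333300000001"), 0x86DD, bytes(40)),
    "unicast_tcp": _eth(bytes.fromhex("020000000a02"), ETH_IPV4, bytes(40)),
}


def decisions():
    """Map each sample frame name to the permit/drop decision."""
    return {name: permitted_on_access_port(f) for name, f in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for name, ok in decisions().items():
        print(f"{name:18} {classify(SAMPLE_FRAMES[name]):8} {'permit' if ok else 'drop'}")
```

Two caveats a deployment would need to settle: an allow-list this narrow also drops IPv6 Neighbor Discovery and DHCPv6, which ride on multicast, so a dual-stack access network has to add ICMPv6 ND and DHCPv6 to the permitted set; and the check is purely by frame type, so it does not replace DHCP snooping or dynamic ARP inspection, which police the contents of the frames this filter lets through.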


[AFMUG] Switch Storm Control

2018-04-16 Thread Sterling Jacobson
What are you guys using as a 'standard' for packets per second storm control on 
your switches/devices?

I can limit broadcast, multicast and unknown unicast type packets.

Is 100pps too low?

Would this be based on say a /24 network arping and DHCP request type traffic?