2011 Juniper Networks, Inc. All rights reserved. | www.juniper.net | Worldwide Education Services
Chapter Objectives
After successfully completing this chapter, you will be able to:
Describe the storm control security feature
Configure and monitor the storm control security feature
Describe firewall filter support for EX Series switches
Implement and monitor the effects of a firewall filter
www.juniper.net | 6-2
Traffic Storms
Some traffic types, such as broadcast and unknown unicast, can continuously propagate through a LAN, consuming resources and affecting performance.
Figure: User A (MAC 00:26:88:02:74:86) initiates traffic to a destination MAC address not known or located in the network. Switch-1, Switch-2 and Switch-3 each flood the traffic out their other ports, so it reaches User B (00:26:88:02:74:87), User C (00:26:88:02:74:88), User D (00:26:88:02:74:89), User E (00:26:88:02:74:90) and User F (00:26:88:02:74:91). The repeated flooding is the traffic storm.
The storm control feature ensures traffic storms do not degrade LAN performance
Switch-1
{master:0}[edit]
user@Switch-1# show ethernet-switching-options
storm-control {
    interface all;
}
Note: Using the default configuration, all broadcast, multicast, and unknown unicast traffic in excess of 80 percent is dropped.
Is too low?
Figure: with the default action, traffic exceeding the storm control level is discarded (sent to the bit bucket). With action-shutdown, the interface is disabled instead.
{master:0}[edit ethernet-switching-options]
user@Switch-1# show
storm-control {
    action-shutdown;
    interface all;
}
Use the action-shutdown option to alter the default behavior.
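As an added configuration example (not part of the course material), the following shows how the storm control settings described in this chapter fit together on one switch: the default interface all entry, a tighter limit on a single user-facing port, action-shutdown, and the port-error-disable timeout that lets a shut-down port recover on its own. The 10000 kbps limit and the 300 second timeout are assumed values chosen for illustration; ge-0/0/9 is the port used elsewhere in the chapter.

```junos
/* Added example: storm control on an EX Series switch.
   Values are assumed for illustration, not taken from the course. */
ethernet-switching-options {
    storm-control {
        /* Keep the default limit (80 percent) on every port ... */
        interface all;
        /* ... but cap flooded traffic on one user-facing port more tightly.
           A port-specific entry takes precedence over "interface all".
           bandwidth is in kbps; 10000 (10 Mbps) is an assumed value. */
        interface ge-0/0/9 {
            bandwidth 10000;
        }
        /* Disable the offending port instead of silently dropping the excess,
           so the storm source is isolated and the event is visible to operators. */
        action-shutdown;
    }
    /* Re-enable a shut-down port automatically after 300 seconds (assumed value).
       Without this, the port stays disabled until it is cleared manually. */
    port-error-disable {
        disable-timeout 300;
    }
}
```

With this in place, show ethernet-switching interfaces reports a shut-down port as Storm control in effect together with the remaining timeout, and clear ethernet-switching port-error interface ge-0/0/9 brings it back before the timer expires, as shown later in the chapter. The trade-off to keep in mind is that action-shutdown turns a bandwidth problem into an outage for the port, so the timeout should be long enough for the storm source to stop but short enough that a legitimately busy host is not locked out for long.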
{master:0}
user@Switch-1> show ethernet-switching interfaces
Interface    State  VLAN members        Tag   Tagging   Blocking
ge-0/0/6.0   up     v11                 11    untagged  unblocked
ge-0/0/8.0   up     v11                 11    tagged    unblocked
ge-0/0/9.0   up     v11                 11    tagged    Storm control in effect
                                                        (00:03:57) remaining
me0.0        up     mgmt                      untagged  unblocked
www.juniper.net | 6-11
{master:0}
user@Switch-1> show ethernet-switching interfaces
Interface    State  VLAN members        Tag   Tagging   Blocking
ge-0/0/6.0   up     v11                 11    untagged  unblocked
ge-0/0/8.0   up     v11                 11    tagged    unblocked
ge-0/0/9.0   up     v11                 11    tagged    Storm control in effect
                                                        (00:04:17) remaining
me0.0        up     mgmt                      untagged  unblocked
{master:0}
user@Switch-1> clear ethernet-switching port-error interface ge-0/0/9
{master:0}
user@Switch-1> show ethernet-switching interfaces
Interface    State  VLAN members        Tag   Tagging   Blocking
ge-0/0/6.0   up     v11                 11    untagged  unblocked
ge-0/0/8.0   up     v11                 11    tagged    unblocked
ge-0/0/9.0   up     v11                 11    tagged    unblocked
me0.0        up     mgmt                      untagged  unblocked
Firewall filter applications: port-based, VLAN-based, and router-based.
{master:0}[edit firewall]
user@Switch-1# edit family ?
Possible completions:
> any                  Protocol-independent filter
> ethernet-switching   Protocol family Ethernet Switching for firewall filter
> inet                 Protocol family IPv4 for firewall filter
> inet6                Protocol family IPv6 for firewall filter
Port-based and VLAN-based filters use the family ethernet-switching option, while router-based filters use family inet or family inet6, depending on the traffic type.
Figure: firewall filter processing order. Input: Rx Packet -> Port Filter -> VLAN Filter -> Router Filter. Output: Router Filter -> VLAN Filter -> Port Filter -> Tx Packet.
Figure: structure of a firewall filter. my-filter and its terms firstterm and secondterm are user-defined filter and term names. Each term has a from section (from statements describe the match conditions) and a then section: on a match, the then action is taken; on no match, evaluation continues with the next term. After the last user-defined term, an implicit default term discards the packet.
Note: Ordering matters! If you must reorder terms within a filter, consider using the insert CLI command.
Action modifiers:
analyzer, count, log, and syslog
forwarding-class and loss-priority
policer
Figure: Switch-1 access ports.
{master:0}[edit interfaces]
user@Switch-1# show ge-0/0/7
unit 0 {
    family ethernet-switching {
        vlan {
            members v12;
        }
        filter {
            input limit-MAC-ge007;
        }
    }
}
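The course material shows the filter limit-MAC-ge007 being applied but not its definition. As an added example (not the course's own configuration), here is one way to write it using the term structure and the count action modifier described earlier: a first term accepts frames from the one MAC address expected on the port, and a final term counts and discards everything else, which makes the otherwise silent implicit discard visible as the ge007-invalid-MAC counter in show firewall. The permitted MAC address 00:26:88:02:74:87 is an assumed value reused from the traffic storm diagram. The example goes beyond the port filter on the page by also showing a router-based family inet filter attached to the routed VLAN interface; the interface name vlan.12 and the subnet 10.12.0.0/24 are assumed values.

```junos
/* Added example: port-based and router-based filters on an EX Series switch.
   Filter logic and addresses are assumed for illustration, not taken from the course. */
firewall {
    family ethernet-switching {
        filter limit-MAC-ge007 {
            /* Term 1: only the host expected on ge-0/0/7 may send frames.
               00:26:88:02:74:87 is an assumed value. */
            term allow-expected-host {
                from {
                    source-mac-address {
                        00:26:88:02:74:87/48;
                    }
                }
                then accept;
            }
            /* Term 2: everything else is counted, then discarded. Without this
               term the implicit default term would discard with no counter,
               so spoofed or unexpected hosts would leave no trace. */
            term deny-unexpected-hosts {
                then {
                    count ge007-invalid-MAC;
                    discard;
                }
            }
        }
    }
    family inet {
        /* Router-based filter: on the routed interface for VLAN v12, accept only
           traffic sourced from the VLAN's own subnet (assumed 10.12.0.0/24). */
        filter rvi-v12-in {
            term local-subnet {
                from {
                    source-address {
                        10.12.0.0/24;
                    }
                }
                then accept;
            }
            term drop-rest {
                then {
                    count rvi-v12-spoofed;
                    discard;
                }
            }
        }
    }
}
interfaces {
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members v12;
                }
                /* Port-based filter, applied to the access port as on the page. */
                filter {
                    input limit-MAC-ge007;
                }
            }
        }
    }
    vlan {
        unit 12 {
            family inet {
                address 10.12.0.1/24;
                /* Router-based filter, applied to the routed VLAN interface (assumed name). */
                filter {
                    input rvi-v12-in;
                }
            }
        }
    }
}
vlans {
    v12 {
        vlan-id 12;
        l3-interface vlan.12;
    }
}
```

The third attachment point, a VLAN-based filter, uses the same family ethernet-switching filter syntax and is applied with filter input under the VLAN definition ([edit vlans v12]) rather than under an interface; it is omitted here because a one-MAC filter only makes sense on a single access port. After committing, show firewall lists each filter with its named counters, so a rising ge007-invalid-MAC count is the indicator that something other than the expected host is transmitting on ge-0/0/7.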
user@Switch-1> show firewall
Filter: (filter name not captured)
Counters:
Name                               Bytes    Packets
(counter name not captured)          472          7
Filter: limit-MAC-ge006
Counters:
Name                               Bytes    Packets
ge006-invalid-MAC                   1148         12
Filter: limit-MAC-ge007
Counters:
Name                               Bytes    Packets
ge007-invalid-MAC                    842          9
Summary
In this chapter, we:
Described the storm control security feature
Configured and monitored the storm control security feature
Described firewall filter support for EX Series switches
Implemented and monitored the effects of a firewall filter
Review Questions
1. What is a traffic storm and how is it created?
2. What actions can be taken when a storm control level is exceeded?
3. Which types of firewall filters are supported on EX Series switches? Where are they applied?