Example: Using Storm Control to Prevent Network Outages
Using storm control can prevent problems caused by broadcast storms. You can configure storm control to rate-limit broadcast traffic, multicast traffic (on some devices), and unknown unicast traffic at a specified level so that the switch drops packets when the specified traffic level is exceeded, thus preventing packets from proliferating and degrading the LAN. You can also have the device shut down or temporarily disable an interface when the storm control limit is exceeded.
A traffic storm occurs when broadcast packets prompt receiving devices to broadcast packets in response. This prompts further responses, creating a knock-on effect that results in a broadcast storm that floods the device with packets and causes poor performance or even a complete loss of service for some clients.
Storm control monitors the level of applicable incoming traffic and compares it with the level that you specify. If the combined level of the applicable traffic exceeds the specified level, the switch drops packets for the controlled traffic types. As an alternative to having the switch drop packets, you can configure storm control to shut down interfaces or temporarily disable interfaces (see the action-shutdown statement or the recovery-timeout statement) when the storm control level is exceeded.
On ELS systems, storm control is enabled by default on all interfaces at a level of 80 percent of the available bandwidth.
On non-ELS systems, storm control is disabled by default on all interfaces. If you enable storm control, the default level is 80 percent of the available bandwidth.
If you configure storm control on an aggregated Ethernet interface, the storm control level applies to each member interface individually, not to the bundle as a whole. For example, if the aggregated interface has two members and you configure a storm control level of 20 Kbps, Junos will not detect a storm if one or both of the member interfaces receives traffic at 15 Kbps, because in neither case does an individual member receive traffic at a rate greater than the configured level, even though the bundle as a whole may be receiving 30 Kbps. In this example, Junos detects a storm only if at least one member interface receives traffic at greater than 20 Kbps.
On EX2200, EX3200, EX3300, and EX4200 switches—Storm control is not enabled for multicast traffic by default. The factory default configuration enables storm control on all interfaces at 80 percent of the available bandwidth used by the combined unknown unicast and broadcast traffic streams.
On EX4500 and EX8200 switches—The factory default configuration enables storm control on all interfaces at 80 percent of the available bandwidth used by the combined broadcast, multicast, and unknown unicast traffic streams.
On EX6200 switches—Storm control is not enabled for multicast traffic by default. The factory default configuration enables storm control on all interfaces at 80 percent of the available bandwidth used by the combined unknown unicast and broadcast traffic streams. Storm control can be disabled for each type of traffic individually.
Example: Using Storm Control to Prevent Network Outages (ELS)
This example uses a Junos OS release that supports the Enhanced Layer 2 Software (ELS) configuration style.
Requirements
This example uses the following hardware and software components:
One QFX Series switch running Junos OS with ELS
Junos OS Release 13.2 or later
Overview and Topology
The topology used in this example consists of one switch connected to various network devices. This example shows how to configure the storm control level on interface xe-0/0/0 by setting the level to a traffic rate of 15,000 Kbps, based on the traffic rate of the combined applicable traffic streams. If the combined traffic exceeds this level, the switch drops packets for the controlled traffic types to prevent a network outage.
Configuration
Procedure
CLI Quick Configuration
To quickly configure storm control based on the traffic rate in kilobits per second of the combined traffic streams, copy the following command and paste it into the switch terminal window:
[edit]
set forwarding-options storm-control-profiles sc-profile all bandwidth-level 15000
set interfaces xe-0/0/0 unit 0 family ethernet-switching storm-control sc-profile
Step-by-Step Procedure
To configure storm control:
Configure a storm control profile, sc-profile, and specify the traffic rate in kilobits per second of the combined traffic streams:
[edit]
user@switch# set forwarding-options storm-control-profiles sc-profile all bandwidth-level 15000
Bind the storm control profile, sc-profile, to a logical interface:
[edit]
user@switch# set interfaces xe-0/0/0 unit 0 family ethernet-switching storm-control sc-profile
Results
Display the results of the configuration:
[edit forwarding-options]
user@switch# show storm-control-profiles sc-profile
all {
    bandwidth-level 15000;
}
[edit]
user@switch# show interfaces xe-0/0/0
unit 0 {
    family ethernet-switching {
        vlan {
            members default;
        }
        storm-control sc-profile;
    }
}
Example: Using Storm Control to Prevent Network Outages (non-ELS)
This example uses a single EX Series switch running a Junos OS release that does not support the Enhanced Layer 2 Software (ELS) configuration style. If your switch runs software that supports ELS, see Example: Using Storm Control to Prevent Network Outages (ELS). For information about how to configure the switch to shut down or temporarily disable an interface when the storm control limit is exceeded, see Example: Using Storm Control to Prevent Network Outages.
Requirements
This example uses the following hardware and software components:
A switch
Junos OS Release 11.1 or later
Overview and Topology
Topology
This example shows how to configure the storm control level on interface xe-0/0/0 by setting the level to a traffic rate of 5,000,000 Kbps (5 Gbps, half the bandwidth of the 10-Gigabit Ethernet interface), based on the total of the combined broadcast and unknown unicast streams. If the combined broadcast and unknown unicast traffic exceeds this level, the switch drops packets for the controlled traffic types.
Configuration
Procedure
Step-by-Step Procedure
To configure storm control for a 10-Gigabit Ethernet interface to the equivalent of 50 percent of the available bandwidth:
Specify the level of allowed broadcast traffic and unknown unicast traffic on a specific interface:
[edit ethernet-switching-options]
user@switch# set storm-control interface xe-0/0/0 bandwidth 5000000
Results
Display the results of the configuration:
[edit ethernet-switching-options]
user@switch# show storm-control
interface xe-0/0/0 {
    bandwidth 5000000;
}
Verification
Verifying That the Storm Control Configuration Is in Effect
Purpose
Confirm that storm control is limiting the rate of traffic on the interface.
Action
Use the show interfaces <interface-name> detail or show interfaces <interface-name> extensive operational mode command to view traffic statistics on the storm-controlled interface; the sample output below was captured on a ge-0/0/0 interface. Junos reports the rate column in bits per second (bps), while the storm control level is configured in kilobits per second (Kbps), so convert before comparing. The input rate must not exceed the storm control limit.
user@switch> show interfaces ge-0/0/0 extensive
Physical interface: ge-0/0/0, Enabled, Physical link is Up
  Interface index: 160, SNMP ifIndex: 503, Generation: 163
  Link-level type: Ethernet, MTU: 1514, Speed: Auto, Duplex: Auto, BPDU Error: None,
  MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled,
  Flow control: Enabled, Auto-negotiation: Enabled, Remote fault: Online
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x0
  Link flags     : None
  CoS queues     : 8 supported, 8 maximum usable queues
  Hold-times     : Up 0 ms, Down 0 ms
  Current address: b0:c6:9a:67:90:84, Hardware address: b0:c6:9a:67:90:84
  Last flapped   : 2013-05-16 22:46:42 UTC (14w3d 03:13 ago)
  Statistics last cleared: Never
  Traffic statistics:
   Input  bytes  :            312742788                  512 bps
   Output bytes  :            245552919                    0 bps
   Input  packets:              3550009                    1 pps
   Output packets:              2622101                    0 pps
   IPv6 transit statistics:
    Input  bytes  :                   0
    Output bytes  :                   0
    Input  packets:                   0
    Output packets:                   0
  Dropped traffic statistics due to STP State:
   Input  bytes  :                    0
   Output bytes  :                    0
   Input  packets:                    0
   Output packets:                    0
  Input errors:
    Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0,
    L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0,
    FIFO errors: 0, Resource errors: 0
  Output errors:
    Carrier transitions: 0, Errors: 0, Drops: 0, Collisions: 0, Aged packets:
    FIFO errors: 0, HS link CRC errors: 0, MTU errors: 0, Resource errors: 0
  Egress queues: 8 supported, 4 in use
  Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0 best-effort                    0                    1                    0
    1 assured-forw                   0                    0                    0
    5 expedited-fo                   0                    0                    0
    7 network-cont                   0              2622100                    0
  Queue number:         Mapped forwarding classes
    0                   best-effort
    1                   assured-forwarding
    5                   expedited-forwarding
    7                   network-control
  Active alarms  : None
  Active defects : None
  MAC statistics:                      Receive         Transmit
    Total octets                             0                0
    Total packets                            0                0
    Unicast packets                          0                0
    Broadcast packets                        0                0
    Multicast packets                        0                0
    CRC/Align errors                         0                0
    FIFO errors                              0                0
    MAC control frames                       0                0
    MAC pause frames                         0                0
    Oversized frames                         0
    Jabber frames                            0
    Fragment frames                          0
    VLAN tagged frames                       0
    Code violations                          0
  Autonegotiation information:
    Negotiation status: Incomplete
  Packet Forwarding Engine configuration:
    Destination slot: 0
  Interface transmit statistics: Disabled
Meaning
The Input bytes field under Traffic statistics shows the ingress traffic rate at 512 bits per second (bps). This rate is well within the storm control limit of 5,000,000 Kbps (5 Gbps).
Example: Using Storm Control to Prevent Network Outages (MX Routers)
This example shows how to configure storm control on a pair of MX Series routers running Junos OS with Enhanced Layer 2 Software (ELS).
Requirements
This example uses the following hardware and software components:
Two MX Series routers
Junos OS Release 14.1 or later with ELS
A traffic generator that can send broadcast and unknown unicast traffic at a rate that exceeds 100 Kbps
A second host
Overview and Topology
On MX Series routers, storm control is not enabled by default.
Topology
This example shows how to configure the storm control level on interface ge-0/0/1 by setting the level to a traffic rate of 100 Kbps. The topology used consists of two routers that could be connected to various network devices. If the combined traffic exceeds this level, the router drops packets for the controlled traffic types to prevent a network outage. (Starting in Junos OS release 17.4R1 for MX Series routers, you can also configure storm control on logical systems.)

Configuration
This example excludes multicast traffic from storm control. Many protocols use multicast for control traffic, so network administrators and operators may want to keep multicast flowing to avoid obstructing protocol operation.
Procedure
CLI Quick Configuration
To quickly configure storm control based on the traffic rate in Kbps of the combined traffic streams, copy the following commands and paste them into the terminal window. The configurations of routers R1 and R2 are exactly the same:
set interfaces ge-0/0/0 unit 0 family bridge interface-mode access
set interfaces ge-0/0/0 unit 0 family bridge vlan-id 15
set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/1 unit 0 family bridge interface-mode trunk
set interfaces ge-0/0/1 unit 0 family bridge vlan-id-list 15
set interfaces ge-0/0/1 unit 0 family bridge storm-control sc
set interfaces ge-0/0/1 unit 0 family bridge recovery-timeout 120
set bridge-domains bd1 domain-type bridge vlan-id 15
set forwarding-options storm-control-profiles sc all bandwidth-level 100 no-multicast
set forwarding-options storm-control-profiles sc action-shutdown
Step-by-Step Procedure
To configure storm control:
Configure a storm control profile, sc, and specify the traffic rate in Kbps of the combined traffic streams. Exclude multicast traffic from the profile and configure the profile to shut down the interface when the level is exceeded:
[edit]
user@host# set forwarding-options storm-control-profiles sc all bandwidth-level 100 no-multicast
user@host# set forwarding-options storm-control-profiles sc action-shutdown
Bind the storm control profile sc to a logical interface. Do this on both routers:
[edit]
user@host# set interfaces ge-0/0/1 unit 0 family bridge storm-control sc
Configure interface ge-0/0/1 (the interface between the routers), including the recovery timeout that re-enables the interface 120 seconds after a storm control shutdown. Do this on both routers:
[edit]
user@host# set interfaces ge-0/0/1 vlan-tagging
user@host# set interfaces ge-0/0/1 unit 0 family bridge interface-mode trunk
user@host# set interfaces ge-0/0/1 unit 0 family bridge vlan-id-list 15
user@host# set interfaces ge-0/0/1 unit 0 family bridge recovery-timeout 120
Configure interface ge-0/0/0 (the interface from the host to the router). Do this on both routers:
[edit]
user@host# set interfaces ge-0/0/0 unit 0 family bridge interface-mode access
user@host# set interfaces ge-0/0/0 unit 0 family bridge vlan-id 15
Set the bridge domain's domain type and VLAN ID:
[edit]
user@host# set bridge-domains bd1 domain-type bridge vlan-id 15
Results
Display the results of the configuration:
[edit forwarding-options]
user@router# show storm-control-profiles sc
all {
    bandwidth-level 100;
    no-multicast;
}
action-shutdown;
[edit]
user@router# show interfaces ge-0/0/0
unit 0 {
    family bridge {
        interface-mode access;
        vlan-id 15;
    }
}
[edit]
user@router# show interfaces ge-0/0/1
vlan-tagging;
unit 0 {
    family bridge {
        interface-mode trunk;
        vlan-id-list 15;
        storm-control sc;
        recovery-timeout 120;
    }
}
[edit]
user@router# show bridge-domains bd1
domain-type bridge;
vlan-id 15;
Verification
Verifying That the Storm Control Configuration Is in Effect
Purpose
Confirm that storm control is limiting the rate of traffic on the interface.
Action
From Host A to Host B, use a traffic generator to send broadcast and unknown unicast traffic at a rate that exceeds 100 Kbps.
Verify on device R1’s ge-0/0/0 interface that traffic is entering at a rate that exceeds 100 Kbps.
user@R1# run show interfaces detail ge-0/0/0
Physical interface: ge-0/0/0, Enabled, Physical link is Up
  Interface index: 137, SNMP ifIndex: 513, Generation: 140
  Link-level type: Ethernet-Bridge, MTU: 1514, MRU: 1522, Speed: 1000mbps, BPDU Error: None,
  MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Enabled
  Pad to minimum frame size: Disabled
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x20004000
  Link flags     : None
  CoS queues     : 8 supported, 8 maximum usable queues
  Hold-times     : Up 0 ms, Down 0 ms
  Current address: 00:05:86:71:6a:00, Hardware address: 00:05:86:71:6a:00
  Last flapped   : 2014-05-20 14:43:25 PDT (1w1d 01:20 ago)
  Statistics last cleared: 2014-05-28 15:59:39 PDT (00:04:02 ago)
  Traffic statistics:
   Input  bytes  :               830088               180432 bps
   Output bytes  :                    0                    0 bps
   Input  packets:                 8472                  230 pps
   Output packets:                    0                    0 pps
   IPv6 transit statistics:
    Input  bytes  :                   0
    Output bytes  :                   0
    Input  packets:                   0
    Output packets:                   0
  Active alarms  : None
  Active defects : None
  Interface transmit statistics: Disabled
The Input bytes field shows the ingress traffic rate in bits per second (bps): 180432 bps, or about 180 Kbps. This exceeds the storm control limit of 100 Kbps, so the sc profile's action-shutdown takes effect on the interface that carries this traffic toward R2.
Verify that logical interface ge-0/0/1.0 on R1 has been administratively disabled (Admin down) by the action-shutdown statement:
user@R1# run show interfaces ge-0/0/1.0 terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/1.0              down  up   bridge
Because the physical link remains up, control traffic continues to flow.
After the recovery-timeout period of 120 seconds (2 minutes), verify that the interface comes back up:
user@R1# run show interfaces ge-0/0/1.0 terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/1.0              up    up   bridge
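The two verification procedures above (the non-ELS check against a 5,000,000 Kbps level and the MX check against a 100 Kbps level) both depend on reading the rate column of show interfaces output correctly: Junos prints that column in bits per second, while the storm control level is configured in kilobits per second (1 Kbps = 1000 bps). The following Python script is an added example, not part of the Junos documentation or any Juniper tool; it parses constructed sample output modeled on the captures shown above, converts the configured level to the same unit, reports whether the observed ingress rate exceeds it, and reads the Admin column of show interfaces terse to confirm that action-shutdown fired. The function names, the percent-to-Kbps helper, and the sample text are all this example's own.

```python
# Added example (not from the Junos documentation): parse the operational output
# used in the storm control verification steps and compare it with the level.
# Junos reports interface rates in bits per second (bps); the storm control
# level is configured in kilobits per second (Kbps, 1 Kbps = 1000 bps).
import re
from typing import Dict, Union

# Constructed sample, modeled on the 'show interfaces ge-0/0/0 extensive'
# capture in the non-ELS example (only the lines this script reads are kept).
SHOW_WITHIN_LIMIT = """\
Physical interface: ge-0/0/0, Enabled, Physical link is Up
  Traffic statistics:
   Input  bytes  :            312742788                  512 bps
   Output bytes  :            245552919                    0 bps
   Input  packets:              3550009                    1 pps
   Output packets:              2622101                    0 pps
   IPv6 transit statistics:
    Input  bytes  :                   0
"""

# Constructed sample, modeled on the MX example: a traffic generator pushing
# broadcast and unknown unicast into ge-0/0/0 above the 100 Kbps level.
SHOW_EXCEEDS_LIMIT = """\
Physical interface: ge-0/0/0, Enabled, Physical link is Up
  Traffic statistics:
   Input  bytes  :               830088               180432 bps
   Output bytes  :                    0                    0 bps
   Input  packets:                 8472                  230 pps
   Output packets:                    0                    0 pps
"""

# Constructed 'show interfaces ge-0/0/1.0 terse' output after action-shutdown fired.
TERSE_AFTER_SHUTDOWN = """\
Interface               Admin Link Proto    Local                 Remote
ge-0/0/1.0              down  up   bridge
"""

# The rate column follows the byte counter on the 'Input bytes' line; the IPv6
# transit block has no rate column, so it never matches.
_INPUT_RATE = re.compile(r"^\s*Input\s+bytes\s*:\s*\d+\s+(\d+)\s+bps\b", re.MULTILINE)


def input_rate_bps(show_output: str) -> int:
    """Return the ingress rate in bits per second from 'show interfaces detail|extensive'."""
    match = _INPUT_RATE.search(show_output)
    if match is None:
        raise ValueError("no 'Input bytes ... bps' line found in output")
    return int(match.group(1))


def level_kbps_from_percent(link_speed_mbps: int, percent: int) -> int:
    """Kbps level equivalent to a percentage of link speed (10 GbE at 50% -> 5000000 Kbps)."""
    return link_speed_mbps * 1000 * percent // 100


def check_storm_level(show_output: str, level_kbps: int) -> Dict[str, Union[int, bool]]:
    """Compare the observed ingress rate with a storm control level given in Kbps."""
    rate_bps = input_rate_bps(show_output)
    level_bps = level_kbps * 1000
    return {"input_bps": rate_bps, "level_bps": level_bps, "exceeds": rate_bps > level_bps}


def admin_state(terse_output: str, ifname: str) -> str:
    """Return the Admin column ('up' or 'down') for ifname from 'show interfaces terse'."""
    for line in terse_output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == ifname:
            return fields[1]
    raise ValueError(f"{ifname} not present in terse output")


if __name__ == "__main__":
    # Non-ELS example: 512 bps against 5000000 Kbps (50% of a 10 GbE link).
    level = level_kbps_from_percent(10000, 50)
    print(level, check_storm_level(SHOW_WITHIN_LIMIT, level))
    # MX example: 180432 bps (about 180 Kbps) against a 100 Kbps level, so the
    # profile's action-shutdown should have taken ge-0/0/1.0 admin down.
    print(check_storm_level(SHOW_EXCEEDS_LIMIT, 100))
    print(admin_state(TERSE_AFTER_SHUTDOWN, "ge-0/0/1.0"))
```

The interface counters report offered load, not what storm control discarded, so the rate comparison tells you whether the configured level should have been triggered; the Admin column (or, for a drop-only profile, a rate that stays at or below the level) is what confirms the action actually took effect.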