How can we use CLEAR-FLOW for storm-control?

Question
How can we use CLEAR-FLOW for storm-control?
Environment
BlackDiamond X8 series switches, BlackDiamond 8000 c-, e-, xl-, and xm-series modules, E4G-200 and E4G-400 switches, and Summit X440, X460, X480, X670, and X770 series switches.

 
Answer
In EXOS switches, you can use flood rate limiting as a storm-control method.
It minimizes the network impact of ingress flooding traffic.
CLEAR-FLOW, however, provides more flexibility if you want to customize the log message or use any other action that CLEAR-FLOW supports.
You can also add entries for STP BPDU filtering and block the ingress port in the same policy file, without configuring edge safeguard.

Below is an example of CLEAR-FLOW for storm-control.

 
entry acl_pvst {
if match all {
    ethernet-destination-address 01:00:0c:cc:cc:cd ;
}
then {
    count cntpvst ;
}
}
entry cflow_pvst {
if match all {
    count cntpvst > 0 ;
}
then {
    syslog "PVST Packet Detected on Port $port" NOTI 60 ;
    cli "disable port $port" ;
}
else {
    syslog "PVST Packet Cleared on Port $port" NOTI 60 ;
}
}
entry acl_stp {
if match all {
    ethernet-destination-address 01:80:c2:00:00:00 ;
}
then {
    count cntstp ;
}
}
entry cflow_stp {
if match all {
    count cntstp > 0 ;
}
then {
    syslog "STP Packet Detected on Port $port" NOTI 60 ;
    cli "disable port $port" ;
}
else {
    syslog "STP Packet Cleared on Port $port" NOTI 60 ;
}
}
entry acl_bflood {
if match all {
    ethernet-destination-address ff:ff:ff:ff:ff:ff ;
}
then {
    count cntbcast ;
}
}
entry cflow_bflood {
if match all {
    delta cntbcast > 500 ;
    period 1 ;
    hysteresis 300 ;
}
then {
    syslog "Broadcast Flooding Detected on Port $port" NOTI 60 ;
    cli "disable port $port" ;
}
else {
    syslog "Broadcast Flooding Cleared on Port $port" NOTI 60 ;
}
}
entry acl_mflood {
if match all {
    ethernet-destination-address 01:00:00:00:00:00 mask 01:00:00:00:00:00 ;
}
then {
    count cntmcast ;
}
}
entry cflow_mflood {
if match all {
    delta cntmcast > 2000 ;
    period 1 ;
    hysteresis 1500 ;
}
then {
    syslog "Multicast Flooding Detected on Port $port" NOTI 60 ;
    cli "disable port $port" ;
}
else {
    syslog "Multicast Flooding Cleared on Port $port" NOTI 60 ;
}
}
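The following Python model is an added illustration, not code from this article or from Extreme Networks: it reproduces the delta/period/hysteresis logic of the cflow_bflood rule over a constructed sequence of per-second cntbcast readings, to show why the hysteresis value keeps the rule from flapping between the "Detected" and "Cleared" actions. It assumes the EXOS CLEAR-FLOW semantics that a `>` delta rule clears only once the per-period increase drops below threshold minus hysteresis, and uses a constructed port name 1:5.

```python
from dataclasses import dataclass
# Assumption (EXOS CLEAR-FLOW semantics for ">"): a delta rule becomes true when
# the per-period increase exceeds the threshold and becomes false again only
# when that increase drops below threshold - hysteresis.
@dataclass
class DeltaRule:
    threshold: int          # "delta <counter> > <threshold>"
    hysteresis: int         # "hysteresis <value>"
    detected_msg: str       # syslog text of the "then" branch
    cleared_msg: str        # syslog text of the "else" branch
    active: bool = False
    last_count: int = 0

    def evaluate(self, counter_value: int, port: str) -> list[str]:
        """One period: return the actions CLEAR-FLOW would run (empty unless the
        rule state changed), with $port substituted as the switch does."""
        delta = counter_value - self.last_count
        self.last_count = counter_value
        if not self.active and delta > self.threshold:
            self.active = True          # "then" branch: syslog + cli action
            return [self.detected_msg.replace("$port", port),
                    f"disable port {port}"]
        if self.active and delta < self.threshold - self.hysteresis:
            self.active = False         # "else" branch: syslog only
            return [self.cleared_msg.replace("$port", port)]
        return []

def run_policy(rule: DeltaRule, samples: list[int], port: str) -> list[tuple[int, str]]:
    """Feed one cumulative counter sample per period ("period 1" = one second)."""
    events = []
    for second, value in enumerate(samples, start=1):
        for action in rule.evaluate(value, port):
            events.append((second, action))
    return events

def bflood_rule() -> DeltaRule:
    """The cflow_bflood rule from the policy above: delta > 500, hysteresis 300."""
    return DeltaRule(500, 300,
                     "Broadcast Flooding Detected on Port $port",
                     "Broadcast Flooding Cleared on Port $port")

# Constructed cntbcast readings, one per second: increases of 100, 700, 700,
# 300, 150 and 50. The 300 pps second is below 500 but above 500 - 300 = 200,
# so with hysteresis the port stays "detected" until the 150 pps second.
SAMPLE_CNTBCAST = [100, 800, 1500, 1800, 1950, 2000]

if __name__ == "__main__":
    for second, action in run_policy(bflood_rule(), SAMPLE_CNTBCAST, "1:5"):
        print(f"t={second}s {action}")        # 1:5 is a constructed port name
```

Setting the hysteresis to 0 in the same model makes the rule clear at the 300 pps second and re-arm immediately, which is the flapping the policy's hysteresis values are there to avoid.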