Thursday, July 5, 2012

Storm Control

  • Catalyst switches need a way to rate-limit traffic at Layer 2.
  • This is done with the storm-control commands.
  • Storm control is configured to set min & max port traffic levels (unicast, multicast & broadcast).
  • Each rate limit can be configured on a per-port basis.
  • Storm control can be configured for each type of traffic based on
    • either packet rate or a percentage of the interface bandwidth.
  • We can also specify rising & falling thresholds for each traffic type.
  • If we don't specify a falling threshold, or if the falling threshold is the same as the rising threshold,
    • the switch port forwards all traffic up to the configured limit
    • and does not wait for a specified falling threshold before forwarding it again.
  • When any of the configured thresholds is passed, the switch can take 3 additional actions (also on a per-port basis):
    • The 1st & default action is that the switch rate-limits by discarding excess traffic according to the configured commands & takes no further action.
    • The other 2 actions perform the rate-limiting function & either shut down the port or send an SNMP trap.
  • Commands
    • interface f0/0
      • storm-control broadcast level pps 100 50
        • limit broadcast traffic to 100 packets per second
        • when traffic drops back to 50 packets per second, begin forwarding traffic again
      • storm-control multicast level 0.50 0.40
        • limit multicast traffic to 0.5 percent of the 100 Mbps interface rate
        • when traffic drops back to 400 kbps, begin forwarding again
      • storm-control action trap
        • if any of the above conditions occurs & results in rate-limiting, send an SNMP trap
    • show storm-control f0/0 {unicast | multicast | broadcast}
  • Limitation:
    • It supports only physical ports.
      • Storm control can be configured on an EtherChannel interface, but it has no effect.

802.1X Configuration


  • 802.1X switch configuration resembles the AAA configuration.
  • The switch configuration treats 802.1X user authentication as another option for AAA authentication.
  • Configuration Steps:
    • As with other AAA authentication methods, enable AAA with the global command
      • aaa new-model
    • As with other configurations using RADIUS servers, define the RADIUS server's IP address & encryption keys using the commands
      • radius-server host
      • radius-server key
    • Similar to login authentication configuration, define the 802.1X authentication method (RADIUS only) using the global commands
      • aaa authentication dot1x default
      • for multiple groups: aaa authentication dot1x group name
    • Enable 802.1X globally using the global command
      • dot1x system auth-control
    • Set each interface to use one of three operational settings using the command
      • dot1x port-control { auto | force-authorized | force-unauthorized }
        • using 802.1X
          • auto
        • not using 802.1X, but the interface is automatically authorized
          • force-authorized (default)
        • not using 802.1X, but the interface is automatically unauthorized
          • force-unauthorized
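
The storm-control limitation and the 802.1X configuration steps above can be checked against a saved running-config. The Python script below is an added example, not part of the original notes. The sample config, the RADIUS address and key, and the audit() function are constructed, and it assumes every physical interface is an access port that should run 802.1X.

```python
# Constructed sample running-config (not from the original post).
SAMPLE_CONFIG = """\
aaa new-model
radius-server host 192.0.2.10
radius-server key EXAMPLE-KEY
aaa authentication dot1x default group radius
interface FastEthernet0/1
 storm-control broadcast level pps 100 50
 storm-control action trap
 dot1x port-control auto
interface FastEthernet0/2
 storm-control multicast level 0.50
interface Port-channel1
 storm-control broadcast level 1.00
"""

# Global commands from the 802.1X configuration steps above.
GLOBAL_STEPS = ["aaa new-model", "radius-server host", "radius-server key",
                "aaa authentication dot1x", "dot1x system auth-control"]

def audit(config):
    """Return findings for the storm-control and 802.1X settings in config."""
    findings, ports, current = [], {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ports[current] = []
        elif line.startswith(" ") and current:
            ports[current].append(line.strip())
        else:
            current = None  # back at global level
    for step in GLOBAL_STEPS:
        if not any(l.startswith(step) for l in config.splitlines()):
            findings.append(f"global: missing '{step}'")
    for name, cmds in ports.items():
        levels = [c for c in cmds if c.startswith("storm-control") and " level " in c]
        if name.lower().startswith("port-channel"):
            if levels:
                findings.append(f"{name}: storm-control has no effect on EtherChannel")
            continue
        if "dot1x port-control auto" not in cmds:
            findings.append(f"{name}: 802.1X not enforced (port-control is not auto)")
        if levels and not any(c.startswith("storm-control action") for c in cmds):
            findings.append(f"{name}: no storm-control action, excess is dropped silently")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

On the sample, the script reports the missing global enable command, the port left at the default force-authorized setting with no storm-control action, and the storm-control line on the EtherChannel.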

802.1X Roles:

  • Supplicant:
    • The 802.1X driver supplies a username/password prompt to the user and sends/receives the EAPoL messages.
  • Authenticator:
    • Translates between EAPoL & RADIUS messages in both directions and enables/disables ports based on the success/failure of authentication.
  • Authentication Server:
    • Stores usernames/passwords and verifies that the correct values were submitted before authenticating the user.