The Juniper PE router providing Virtual Private LAN Services (VPLS) must be configured to have traffic storm control thresholds on CE-facing interfaces.
An XCCDF Rule
Description
<VulnDiscussion>A traffic storm occurs when packets flood a VPLS bridge, creating excessive traffic and degrading network performance. Traffic storm control prevents VPLS bridge disruption by suppressing traffic when the number of packets reaches configured threshold levels. Traffic storm control monitors incoming traffic levels on a port and drops traffic when the number of packets reaches the configured threshold level during any one-second interval.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-217073r604135_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Configure storm control for each VPLS bridge domain. Base the rate limiting on expected traffic rates plus some additional capacity.
Configure a policer to rate limit traffic to provide storm control for all VPLS implementations as shown in the example.
[edit firewall]
set policer STORM_POLICER if-exceeding bandwidth-limit 10m burst-size-limit 5m