Skip to content

The Juniper PE router providing Virtual Private LAN Services (VPLS) must be configured to have traffic storm control thresholds on CE-facing interfaces.

An XCCDF Rule

Description

<VulnDiscussion>A traffic storm occurs when packets flood a VPLS bridge, creating excessive traffic and degrading network performance. Traffic storm control prevents VPLS bridge disruption by suppressing traffic when the number of packets reaches configured threshold levels. Traffic storm control monitors incoming traffic levels on a port and drops traffic when the number of packets reaches the configured threshold level during any one-second interval.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID
SV-254005r844048_rule
Severity
Medium
References
Updated



Remediation - Manual Procedure

Configure storm control for each CE-facing interface deploying VPLS bridge domains. Base the suppression threshold on expected traffic rates plus some additional capacity. 

Configure a policer to rate limit traffic providing storm control in accordance with organizational requirements.

set firewall policer <policer name> if-exceeding bandwidth-limit <value> burst-size-limit <value>
set firewall policer <policer name> then discard