In-depth exploration of Ethernet Switch Control Technology

Source: Internet
Author: User

In Ethernet switching, storm control and security protection technologies play an important role in securing a LAN. As computer performance keeps improving, attacks against Ethernet switches, routers, and other hosts on the network are becoming more frequent and their impact more severe. The Ethernet switch is the main device for exchanging information in a LAN.

Core and aggregation switches in particular carry very high data traffic and can easily be overloaded or taken down by sudden abnormal traffic or attacks. To minimize the impact of attacks, reduce the load on the switches, and keep the LAN running stably, switch manufacturers have built a number of security features into their products, and network administrators should enable and configure them for each device model to keep the LAN environment clean. This article uses the Quidway series switches from Huawei 3COM as an example to introduce common security protection technologies and their configuration in two parts. It covers broadcast storm control, MAC address control, DHCP control, and ACLs.

Broadcast Storm Control Technology

Damaged NICs or other network interfaces, loops, human interference, hacker tools, and virus propagation can all cause broadcast storms. The Ethernet switch forwards the flood of broadcast frames out of every port, which consumes a great deal of link bandwidth and hardware resources. Setting a broadcast storm suppression ratio on an Ethernet port or VLAN effectively suppresses broadcast storms and avoids network congestion.

1. Broadcast storm suppression ratio

The following command limits the amount of broadcast traffic allowed through a port. When broadcast traffic exceeds the configured value, the system discards the excess, which keeps the share of broadcast traffic within a reasonable range. The parameter is the maximum broadcast traffic expressed as a percentage of the port's line speed: the smaller the percentage, the less broadcast traffic is passed, and a value of 100 means no broadcast storm suppression is performed on the port. By default the allowed broadcast traffic is 100%, that is, broadcast traffic is not restricted. Configure broadcast-suppression ratio in the Ethernet port view.

2. Specify the broadcast storm suppression ratio for the VLAN

Similarly, the following command sets the amount of broadcast traffic allowed in a VLAN. By default, no VLAN on the system suppresses broadcast storms, that is, the max-ratio value is 100%.
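To make the percentage semantics concrete, here is an added model (not Quidway code) of per-port broadcast suppression: broadcast frames are admitted until they reach ratio percent of the port's line rate within a one-second window and the excess is discarded, while ratio 100 disables suppression. The 10 Mbit/s line rate, the one-second accounting window, and the storm of 2000 frames are constructed assumptions.

```python
"""Model of per-port broadcast storm suppression as a line-rate percentage.

Added illustration, not switch code: it mirrors the page's description that a
port passes broadcast traffic up to `ratio` percent of line speed and drops
the rest, and that ratio 100 (the default) means no suppression at all.
"""
from dataclasses import dataclass
from typing import Tuple


@dataclass
class BroadcastSuppressor:
    line_rate_bps: int        # port line speed in bits per second (assumption: fixed)
    ratio: int = 100          # allowed broadcast share in percent; 100 = suppression off
    _used_bits: int = 0       # broadcast bits already admitted in the current window
    _window: int = -1         # index of the current one-second accounting window

    def __post_init__(self) -> None:
        if not 1 <= self.ratio <= 100:
            raise ValueError("ratio must be between 1 and 100 percent")

    def admit(self, t_ms: int, frame_bytes: int) -> bool:
        """Return True if a broadcast frame arriving at t_ms is forwarded."""
        window = t_ms // 1000                       # assumed one-second window
        if window != self._window:                  # new window: reset the budget
            self._window, self._used_bits = window, 0
        if self.ratio == 100:
            return True                             # no suppression on this port
        budget = self.line_rate_bps * self.ratio // 100
        bits = frame_bytes * 8
        if self._used_bits + bits > budget:
            return False                            # over the configured share: discard
        self._used_bits += bits
        return True


def run_storm(ratio: int, frames: int = 2000, frame_bytes: int = 1000) -> Tuple[int, int]:
    """Feed a constructed storm (frames spread over one second) to a 10 Mbit/s port.

    Returns (forwarded, dropped) frame counts for the given suppression ratio.
    """
    port = BroadcastSuppressor(line_rate_bps=10_000_000, ratio=ratio)
    forwarded = sum(
        port.admit(t_ms=i * 1000 // frames, frame_bytes=frame_bytes) for i in range(frames)
    )
    return forwarded, frames - forwarded
```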

MAC address Control Technology

An Ethernet switch uses MAC address learning to obtain the MAC addresses of the devices connected to each port; packets destined for those addresses can then be forwarded directly in hardware. If the MAC address table grows too large, the switch's forwarding performance may decrease. A MAC attack uses tools to generate spoofed source MAC addresses and quickly fill the switch's MAC table. Once the table is full, the switch handles packets passing through it in broadcast mode, flooding the traffic out of all interfaces, and an attacker can then use a sniffing tool to capture network information. Traffic on TRUNK interfaces is likewise flooded to all interfaces and to adjacent switches, overloading the switch and causing slowdowns, packet loss, and even a complete outage. MAC attacks can be suppressed by setting the maximum number of MAC addresses learned on a port and the aging time of MAC addresses.

1. Set the maximum number of MAC addresses that can be learned

By setting the maximum number of MAC addresses that may be learned on an Ethernet port, you control the number of entries in the MAC address table maintained by the switch. If the configured value is count, the port stops learning new MAC addresses once the number of addresses learned on it reaches count. By default, a switch places no limit on the number of MAC addresses a port may learn.
In the Ethernet port view, configure mac-address max-mac-count.

2. Set the system MAC address aging time

Setting an appropriate aging time makes MAC address aging work as intended. An aging time that is too long or too short may cause the switch to broadcast large numbers of packets whose destination MAC address cannot be found, degrading its performance. If the aging time is too long, the switch may keep many outdated entries, exhausting the MAC address table and leaving the switch unable to update the table as the network changes. If the aging time is too short, the switch may delete entries that are still valid. In general, we recommend keeping the default aging time of 300 seconds. In the system view, configure mac-address timer {aging age | no-aging}; the no-aging keyword means that MAC address table entries never age out.

3. Set the aging time of the MAC address table for a locked port

A locked port here means an Ethernet port on which the maximum number of learned MAC addresses has been configured. After you use the mac-address max-mac-count command on an Ethernet port to set the maximum number of addresses it may learn, the learned MAC address table entries are bound to that port. If the host behind one of those MAC addresses has not accessed the network for a long time, or has been removed, its entry still occupies a slot on the port; with a maximum of five, for example, hosts beyond those five MAC addresses cannot access the network. In this case, you can set the aging time of the MAC address table for the locked port so that the entries of hosts that have been silent for a long time age out and other hosts can get access. By default, the aging time of the MAC address table for a locked port is 1 hour.
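The interaction between max-mac-count, aging, and unknown-destination flooding described in sections 1 to 3 above, as an added model (not switch code): a port learns at most max_count source addresses, entries expire after aging seconds of silence (None models no-aging), and frames to an address the port has not learned are flooded. The scenario of five learned hosts, one silent host, and the 1-hour locked-port aging is the page's; the sample MAC addresses (IANA documentation range) and timestamps are constructed.

```python
"""Model of a switch port's MAC learning under max-mac-count and aging.

Added illustration, not switch code. `max_count` stands for the page's
mac-address max-mac-count (None = unlimited, the page's default), `aging`
for mac-address timer aging in seconds (None = no-aging).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class SwitchPort:
    max_count: Optional[int] = None                    # None = no learning limit
    aging: Optional[int] = 300                         # seconds; None = entries never age
    table: Dict[str, float] = field(default_factory=dict)   # mac -> last-seen time (s)

    def _expire(self, now: float) -> None:
        """Drop entries silent for longer than the aging time."""
        if self.aging is None:
            return
        for mac in [m for m, seen in self.table.items() if now - seen > self.aging]:
            del self.table[mac]

    def learn(self, src_mac: str, now: float) -> bool:
        """Learn or refresh src_mac; False if the port is full (locked) and ignores it."""
        self._expire(now)
        if src_mac in self.table:
            self.table[src_mac] = now
            return True
        if self.max_count is not None and len(self.table) >= self.max_count:
            return False                                # locked: no new addresses learned
        self.table[src_mac] = now
        return True

    def forward(self, dst_mac: str, now: float) -> str:
        """'unicast' if dst_mac is known on this port, else 'flood' to all ports."""
        self._expire(now)
        return "unicast" if dst_mac in self.table else "flood"


def locked_port_scenario() -> Tuple[List[bool], int]:
    """Page's example: max of 5 hosts, one goes silent, 1-hour locked-port aging frees its slot."""
    port = SwitchPort(max_count=5, aging=3600)
    hosts = [f"00:00:5e:00:53:{i:02x}" for i in range(1, 7)]   # constructed sample MACs
    results = [port.learn(h, now=0.0) for h in hosts[:5]]       # five hosts learned
    results.append(port.learn(hosts[5], now=10.0))              # sixth host: port full, rejected
    for h in hosts[1:5]:
        port.learn(h, now=3000.0)                               # hosts 2-5 keep talking; host 1 is gone
    results.append(port.learn(hosts[5], now=3700.0))            # host 1 aged out, slot freed
    return results, len(port.table)
```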
