Title

The PE router providing Virtual Private LAN Services (VPLS) must be configured to have traffic storm control thresholds on CE-facing interfaces. (Cat II impact)

Discussion

A traffic storm occurs when packets flood a VPLS bridge, creating excessive traffic and degrading network performance. Traffic storm control prevents VPLS bridge disruption by suppressing traffic when the number of packets reaches configured threshold levels. Traffic storm control monitors incoming traffic levels on a port and drops traffic when the number of packets reaches the configured threshold level during any one-second interval.

Check Content

Review the router configuration to verify that storm control is enabled on CE-facing interfaces deploying VPLS. If storm control is not enabled for broadcast traffic, this is a finding. Note: The threshold level can be from 0 to 100 percent of the link's bandwidth, where "0" suppresses all traffic. Most FastEthernet switching modules do not support multicast and unicast traffic storm control.

Fix Text

Configure storm control for each VPLS bridge domain. Base the suppression threshold on expected traffic rates plus some additional capacity.

Additional Identifiers

Rule ID: SV-207128r604135_rule

Vulnerability ID: V-207128

Group Title: SRG-NET-000193

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.