Recently, I deployed a VCF consisting of some QFX5100's and some EX4300's. I found that the default configuration did not really protect the network well enough and I thought I’d share it in this post.
On the QFX, you’ll find that storm-control is enabled by default. The first thing you'll notice is that the hierarchy under which the configuration is found has been moved from the [ ethernet-switching-options ] to the [forwarding-options ]. Another change besides the change in hierarchy, is that storm-control is now configured in two steps. The first step is the configuration of a storm-control-profile. The second step is applying this profile to the interfaces.
On the QFX, the default profile configuration is as follows:
play@VCF# show forwarding-options storm-control-profiles default { all; }
This profile will set storm-control at 80% with the default action, which is to drop frames. Straight out of the box, this default storm-control profile is applied as follows:
xe-0/0/0 { unit 0 { family ethernet-switching { vlan { members default; } storm-control default; } } }
This default configuration was not very satisfying to me. With storm-control enabled at 80%, you might as well leave it turned off. Additionally to this, I did not want to see thousands of lines of storm-control configuration. To this end, I configured the following:
set forwarding-options storm-control-profiles storm-control-5m all bandwidth-level 5000
This creates a storm-control profile that will be triggered at 5Mbit.
set groups vcf-interface interfaces <ge-*> unit 0 family ethernet-switching storm-control storm-control-5m set groups vcf-interface interfaces <xe-*> unit 0 family ethernet-switching storm-control storm-control-5m set groups vcf-interface interfaces <et-*> unit 0 family ethernet-switching storm-control storm-control-5m
This creates a group that applies the storm control profile to all possible interfaces on the switch.
set interfaces apply-groups vcf-interface
This last statement will actually apply the storm control profile to all the interfaces. With these statements applied, you will be able to see the following in the configuration:
xe-0/0/0 { unit 0 { family ethernet-switching { vlan { members default; } } }
And now with diplay inheritance:
play@VCF> show configuration interfaces xe-0/0/0 | display inheritance unit 0 { family ethernet-switching { vlan { members default; } ## ## 'storm-control' was inherited from group 'vcf-interface' ## 'storm-control-5m' was inherited from group 'vcf-interface' ## storm-control storm-control-5m; } }
If there are individual links for which another storm control profile is desired, simply configure one and apply it directly under the interface. The interface configuration will take precedence over the 'apply groups' configuration.
In my opinion, this configuration is more safe and concise. And by having storm control go into effect at 5Mbit versus 8Gbit I feel safer already.