
The Juniper EX switch must be configured to enable Storm Control on all host-facing access interfaces.


Overview

Finding ID   Version          Rule ID                   IA Controls   Severity
V-253962     JUEX-L2-000150   SV-253962r843919_rule                   Low
Description
A traffic storm occurs when packets flood a LAN, creating excessive traffic and degrading network performance. Traffic storm control prevents network disruption by suppressing ingress traffic when the number of packets reaches configured threshold levels. Traffic storm control monitors ingress traffic levels on a port and drops traffic when the number of packets reaches the configured threshold level during any one-second interval.
STIG: Juniper EX Series Switches Layer 2 Switch Security Technical Implementation Guide
Date: 2022-08-31

Details

Check Text ( C-57414r843917_chk )
Review the switch configuration to verify that storm control is enabled on host-facing access interfaces.

Verify storm control profiles at [edit forwarding-options storm-control-profiles] with an appropriate bandwidth value (an absolute bandwidth level or a percentage). By default, ELS versions of Junos enable storm control at 80 percent of bandwidth, but permit setting a different value as either an absolute level or a percentage of available bandwidth.

Note: Although percentage of bandwidth remains supported, it is deprecated and subject to removal. Therefore, an absolute level should be used. Threshold values must be configured appropriately for the target network.

Verify the default storm control profile or a custom profile with appropriate bandwidth percentage or level.

[edit forwarding-options]
storm-control-profiles profile-percent {
    all {
        bandwidth-percentage (1..100);
    }
    action-shutdown;
}
storm-control-profiles profile-level {
    all {
        bandwidth-level (100..100000000 kbps);
    }
    action-shutdown;
}
Note: Storm control profiles are created with the hierarchy "all" but support removing specific traffic types using the "no-" keyword. The currently supported exclusions:
    no-broadcast                Disable broadcast storm control
    no-multicast                Disable multicast storm control
    no-registered-multicast     Disable registered multicast storm control
    no-unknown-unicast          Disable unknown unicast storm control
    no-unregistered-multicast   Disable unregistered multicast storm control

If excluding traffic, verify at least broadcast storm control is enabled.

Verify that storm control profiles are applied to layer 2 host-facing access interfaces.

[edit interfaces]
<interface-name> {
    unit 0 {
        family ethernet-switching {
            storm-control <profile-name>;
            recovery-timeout (10..3600 seconds);
        }
    }
}
Note: If a recovery-timeout is not specified, and the storm control profile enforces action-shutdown, affected interfaces are disabled until manually enabled by an authorized administrator.

If storm control is not enabled on all host-facing access interfaces, this is a finding.
Fix Text (F-57365r843918_fix)
Configure storm control on each host-facing access interface.

set forwarding-options storm-control-profiles profile-percent all bandwidth-percentage (1..100)
set forwarding-options storm-control-profiles profile-level all bandwidth-level (100..100000000 kbps)

set interfaces <interface-name> unit 0 family ethernet-switching storm-control <profile-name>
set interfaces <interface-name> unit 0 family ethernet-switching recovery-timeout (10..3600 seconds)
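As an added example (not part of the STIG or of Junos itself), the following Python script applies the check above to "show configuration | display set" output: it confirms every host-facing access interface references a defined storm-control profile, that the profile does not exclude broadcast traffic, and that action-shutdown is paired with a recovery-timeout. The sample configuration is constructed, and the script assumes that interfaces with family ethernet-switching and no "interface-mode trunk" statement are host-facing access ports.

```python
import re

# Constructed sample of "show configuration | display set" output (not from a real switch).
SAMPLE_CONFIG = """\
set forwarding-options storm-control-profiles profile-level all bandwidth-level 1000
set forwarding-options storm-control-profiles profile-level action-shutdown
set forwarding-options storm-control-profiles no-bcast all bandwidth-level 1000
set forwarding-options storm-control-profiles no-bcast all no-broadcast
set interfaces ge-0/0/10 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/10 unit 0 family ethernet-switching storm-control profile-level
set interfaces ge-0/0/10 unit 0 family ethernet-switching recovery-timeout 300
set interfaces ge-0/0/11 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/12 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/12 unit 0 family ethernet-switching storm-control no-bcast
set interfaces ge-0/0/47 unit 0 family ethernet-switching interface-mode trunk
"""
PROFILE_RE = re.compile(r"^set forwarding-options storm-control-profiles (\S+) (.*)$")
IFACE_RE = re.compile(r"^set interfaces (\S+) unit \d+ family ethernet-switching (.*)$")

def parse(config):
    """Return (profiles, ifaces): profile name -> statements, interface -> statements."""
    profiles, ifaces = {}, {}
    for line in config.splitlines():
        if m := PROFILE_RE.match(line):
            profiles.setdefault(m.group(1), set()).add(m.group(2))
        elif m := IFACE_RE.match(line):
            ifaces.setdefault(m.group(1), set()).add(m.group(2))
    return profiles, ifaces

def audit(config):
    """Return interface -> list of findings; an empty list means the port is compliant."""
    profiles, ifaces = parse(config)
    results = {}
    for name, stmts in ifaces.items():
        if "interface-mode trunk" in stmts:
            continue  # assumption: trunk ports are not host-facing access interfaces
        findings = []
        ref = next((s.split()[1] for s in stmts if s.startswith("storm-control ")), None)
        if ref is None:
            findings.append("no storm-control profile applied")
        elif ref not in profiles:
            findings.append(f"references undefined profile {ref}")
        else:
            prof = profiles[ref]
            if "all no-broadcast" in prof:  # broadcast suppression must stay enabled
                findings.append(f"profile {ref} disables broadcast storm control")
            if "action-shutdown" in prof and not any(s.startswith("recovery-timeout") for s in stmts):
                findings.append("action-shutdown without recovery-timeout: port stays down until re-enabled")
        results[name] = findings
    return results
```

Any interface whose list is non-empty is a finding under this rule; run it against real output with audit(open("config.txt").read()).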