Chapter 18: Clear-Flow Commands - Extreme Networks ExtremeWare XOS Command Reference Manual

ExtremeWare XOS 11.5 supports only the Summit X450 family of switches and the BlackDiamond 8800 series switch.
18 CLEAR-Flow Commands
This chapter describes commands for:
Enabling and disabling CLEAR-Flow
●
Displaying CLEAR-Flow rules
●
Displaying triggered CLEAR-Flow rules
●
CLEAR-Flow is a broad framework for implementing security, monitoring, and anomaly detection in
ExtremeWare XOS software. Instead of simply looking at the source and destination of traffic, CLEAR-
Flow allows you to specify certain types of traffic that require more attention. Once certain criteria for
this traffic are met, the switch can either take an immediate, pre-determined action, or send a copy of
the traffic off-switch for analysis.
CLEAR-Flow is an extension to Access Control Lists (ACLs). You create ACL policy rules to count
packets of interest. CLEAR-Flow rules are added to the policy to monitor these ACL counter statistics.
The CLEAR-Flow agent monitors the counters for the situations of interest to you and your network.
You can monitor the cumulative value of a counter, the change to a counter over a sampling interval,
the ratio of two counters, or even the ratio of the changes of two counters over an interval. For example,
you can monitor the ratio between TCP SYN and TCP packets. An abnormally large ratio may indicate
a SYN attack.
If the rule conditions are met, the CLEAR-Flow actions configured in the rule are executed. The switch
can respond by installing an ACL that will block or rate limit the traffic, executing a set of CLI
commands, or sending a report using a SNMP trap or EMS log message.
NOTE
CLEAR-Flow is available only on the BlackDiamond 10808 family and BlackDiamond 12804 switches.
ExtremeWare XOS 11.5 Command Reference Guide
1101