Storm control

Cisco Catalyst switches provide a feature termed "storm control," which allows an administrator to suppress excessive inbound unicast, multicast, or broadcast traffic on layer two interfaces. This can be handy to protect against broadcast storms resulting from spanning tree misconfiguration, or even unicast storms created by malfunction host NICs.

On each interface, a maximum threshold can be configured in bits or packets per second, or as a percentage of the interface bandwidth. If incoming traffic of the specified type exceeds its threshold during a polling interval (one second), traffic is blocked until the incoming rate drops below the configured falling interval. Consider the following traffic graph:

In interval T0, inbound traffic is accepted as its rate never exceeds the rising threshold. In T1, the rising threshold is exceeded, and the switch makes a note to block incoming traffic for the next interval. In T2, traffic is blocked, but the switch continues to monitor the incoming rate. Although the rate has fallen below the rising threshold, it still exceeds the falling threshold, so the switch will continue to block traffic for the next interval.

During T3, traffic stays below the falling interval, so the switch removes the blocking for T4. Although traffic in T4 exceeds the falling threshold again, traffic will not be blocked for the next interval as the rising threshold hasn't been exceeded.

Configuring storm control on an interface is simple. At a minimum you'll need to specify a traffic type (unicast, multicast, or broadcast) and a rising threshold:

Switch(config-if)# storm-control broadcast level bps 1m 500k

In the above example, we have configured storm control for broadcast traffic with a 1 Mbps rising threshold and a 500 Kbps falling threshold. Note that specifying a falling threshold is optional; if omitted, the falling threshold will default to the value of the rising threshold (effectively removing it).

show storm-control displays interfaces configured with storm control and the state of each:

Switch# show storm-control

Interface  Filter State   Upper        Lower        Current

---------  -------------  -----------  -----------  ----------

Fa0/5      Forwarding         1m bps     500k bps        0 bps

Observe how the output changes when the upper (rising) threshold for broadcast traffic is exceeded:

Switch# show storm-control

Interface  Filter State   Upper        Lower        Current



---------  -------------  -----------  -----------  ----------


Fa0/5      Blocking           1m bps     500k bps    2.08m bps

Additionally, the switch will generate a log message notifying administrators of the detected storm:

%STORM_CONTROL-3-FILTERED: A Broadcast storm detected on Fa0/5. A packet filter action



has been applied on the interface.

When the incoming rate drops below the lower (falling) threshold, the interface filter returns to forwarding:

Switch# show storm-control



Interface  Filter State   Upper        Lower        Current



---------  -------------  -----------  -----------  ----------



Fa0/5      Forwarding         1m bps     500k bps   48.81k bps

Lastly, the storm-control action trap command can be used under interface configuration to send SNMP traps in the event of a storm rather than the default behavior of blocking incoming traffic.

source:http://packetlife.net/