Page | 1

Cisco Storm-Control Configuration

One security issue related to flooding is the broadcast storm. When there is an excessive amount of broadcast traffic on the
network, all devices within the broadcast domain suffer: the switch has to flood every broadcast frame to all interfaces in the
same VLAN, and hosts within the VLAN may have to process these frames (ARP requests, for example).

Too much broadcast traffic can be caused by malicious software but also by a malfunctioning NIC. To protect against this, Cisco
switches offer the storm-control feature. We can configure a threshold on an interface to limit the amount of broadcast, multicast
or unknown unicast traffic, together with an action to take when the threshold is exceeded.

SW1(config-if)#storm-control ?
action Action to take for storm-control
broadcast Broadcast address storm control
multicast Multicast address storm control
unicast Unicast address storm control

Broadcast traffic:

SW1(config)#interface FastEthernet0/1
SW1(config-if)#storm-control broadcast level ?
<0.00 - 100.00> Enter rising threshold
bps Enter suppression level in bits per second
pps Enter suppression level in packets per second

SW1(config-if)#storm-control broadcast level 30

Whenever broadcast traffic exceeds 30% of the interface bandwidth, we will take action. I didn't configure any action yet, but the
default action drops the exceeding traffic.

Multicast:

SW1(config-if)#storm-control multicast level bps ?
<0.0 - 10000000000.0>[k|m|g] Enter rising threshold

SW1(config-if)#storm-control multicast level bps 10m

Once multicast traffic exceeds 10Mbps, it will be dropped. In the previous examples I only configured a rising threshold, which
means that once we exceed the threshold the traffic is dropped, and once we are below it the traffic is permitted again. We can
also use a falling threshold:

Unicast:
SW1(config-if)#storm-control unicast level pps 30m 20m

Here's an example for unknown unicast traffic and PPS. The rising threshold is 30Mbps: once we get above this, the traffic
will be dropped. The falling threshold is 20Mbps, which means that the amount of traffic has to be below 20Mbps before we
permit it again.

We can change the action:

SW1(config-if)#storm-control action ?
shutdown Shutdown this interface if a storm occurs
trap Send SNMP trap if a storm occurs

By default the exceeding traffic is dropped, but we can also choose to shut down the interface or
to send an SNMP trap.

SW1(config-if)#storm-control action trap

Show storm-control command:

SW1#show storm-control
Interface Filter State Upper Lower Current
--------- ------------- ----------- ----------- ----------
Fa0/1 Forwarding 30.00% 30.00% 0.00%

This only gives us the information for broadcast traffic. If we want to verify our settings for
unicast or multicast traffic then we have to add a parameter:

SW1#show storm-control multicast
Interface Filter State Upper Lower Current
--------- ------------- ----------- ----------- ----------
Fa0/1 Forwarding 10m bps 10m bps 0 bps

SW1#show storm-control unicast
Interface Filter State Upper Lower Current
--------- ------------- ----------- ----------- ----------
Fa0/1 Forwarding 30m pps 20m pps 0 pps

hostname SW1
!
interface FastEthernet0/1
storm-control broadcast level 30.00
storm-control multicast level bps 10m
storm-control unicast level pps 30m 20m
storm-control action trap
!
end
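The configuration above and the rising/falling threshold explanation earlier lend themselves to a small audit: the following Python is an added example (not from the original page or from Cisco) that parses `storm-control` lines out of a running-config, normalises the k/m/g level suffixes, flags interfaces with no storm-control at all, and models the rising/falling hysteresis the text describes. The sample config is constructed here, modelled on SW1; FastEthernet0/2 and its `switchport` line are assumptions added to show an unprotected port.

```python
import re
# Constructed running-config modelled on the page's SW1; FastEthernet0/2 is a constructed unprotected port
SAMPLE_CONFIG = """interface FastEthernet0/1
 storm-control broadcast level 30.00
 storm-control multicast level bps 10m
 storm-control unicast level pps 30m 20m
 storm-control action trap
interface FastEthernet0/2
 switchport mode access"""

SUFFIX = {"": 1, "k": 10**3, "m": 10**6, "g": 10**9}
LEVEL_RE = re.compile(r"storm-control (broadcast|multicast|unicast) level(?: (bps|pps))? (\S+)(?: (\S+))?")

def parse_level(token):
    # '10m' -> 10000000.0, '30.00' -> 30.0; k/m/g suffixes as accepted by the IOS CLI
    m = re.fullmatch(r"([\d.]+)([kmg]?)", token)
    return float(m.group(1)) * SUFFIX[m.group(2)]

def parse_storm_control(config):
    # Returns {interface: {"action": str, "levels": {traffic type: (unit, rising, falling)}}}
    result, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            result[current] = {"action": "drop", "levels": {}}  # drop is the IOS default action
        elif current and line.startswith("storm-control action "):
            result[current]["action"] = line.split()[-1]
        elif current and (m := LEVEL_RE.fullmatch(line)):
            kind, unit, rising, falling = m.groups()
            rising = parse_level(rising)
            falling = parse_level(falling) if falling else rising  # IOS uses rising for both if none is given
            result[current]["levels"][kind] = (unit or "percent", rising, falling)
    return result

def unprotected_interfaces(config):
    # Ports with no storm-control level at all: a storm entering one of them still floods the VLAN
    return sorted(n for n, d in parse_storm_control(config).items() if not d["levels"])

def simulate_filter_state(samples, rising, falling):
    # Hysteresis from the page: block once traffic exceeds rising, forward again only below falling
    states, blocking = [], False
    for level in samples:
        if not blocking and level > rising:
            blocking = True
        elif blocking and level < falling:
            blocking = False
        states.append("Blocking" if blocking else "Forwarding")
    return states
```

Running `unprotected_interfaces(SAMPLE_CONFIG)` over a real `show running-config` export lists the access ports that would let a storm through untouched.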