Saturday, February 22, 2020

Cisco Storm-Control Configuration

One security issue that has to do with flooding is called a broadcast storm. When there is an excessive amount of broadcast traffic on the network, all devices within the broadcast domain suffer: the switch has to flood every broadcast frame to all interfaces in the same VLAN, and hosts within the VLAN might have to process these frames (ARP requests, for example).
Too much broadcast traffic can be caused by malicious software but also by a malfunctioning NIC. To protect ourselves against this, Cisco switches offer the storm-control feature. We can configure a threshold on an interface that limits the amount of broadcast, multicast or unknown unicast traffic, and an action to take when the threshold is exceeded.
Here’s an example of how to configure this:
SW1(config-if)#storm-control ?
  action     Action to take for storm-control
  broadcast  Broadcast address storm control
  multicast  Multicast address storm control
  unicast    Unicast address storm control
We can set an action and threshold for broadcast, multicast or unknown unicast traffic. Let’s take a look at broadcast traffic:
SW1(config)#interface FastEthernet0/1
SW1(config-if)#storm-control broadcast level ?
  <0.00 - 100.00>  Enter rising threshold
  bps              Enter suppression level in bits per second
  pps              Enter suppression level in packets per second
I have a couple of options here. When you use the rising threshold, the value you enter is a percentage of the interface bandwidth. The other two options are BPS (bits per second) or PPS (packets per second). Let’s start with a simple example:
SW1(config-if)#storm-control broadcast level 30
Whenever broadcast traffic exceeds 30% of the interface bandwidth, we will take action. I didn’t configure any action yet, but the default action is to drop the traffic that exceeds the threshold.
Let’s look at an example for multicast:
SW1(config-if)#storm-control multicast level bps ?
  <0.0 - 10000000000.0>[k|m|g]  Enter rising threshold
Now I can select a threshold in BPS. You can append k, m or g to indicate Kbps, Mbps or Gbps. Let’s pick something:
SW1(config-if)#storm-control multicast level bps 10m
Once multicast traffic exceeds 10 Mbps, it will be dropped. In the previous examples I only configured a rising threshold. This means that once we exceed the threshold, the traffic is dropped, and once we are below the threshold again it is permitted. We can also use a falling threshold:
SW1(config-if)#storm-control unicast level pps 30m 20m
Here’s an example for unknown unicast traffic and PPS. Because the level is configured in PPS, the rising threshold is 30m, that is 30 million packets per second; once we get above this, the traffic will be dropped. The falling threshold is 20m (20 million packets per second), which means that the amount of traffic has to fall below 20m pps before we permit it again.
Last but not least, we can change the action:
SW1(config-if)#storm-control action ?
  shutdown  Shutdown this interface if a storm occurs
  trap      Send SNMP trap if a storm occurs
By default the exceeding traffic is dropped, but we can also choose to shut down the interface or to send an SNMP trap.
SW1(config-if)#storm-control action trap
To verify our work we can use the show storm-control command:
SW1#show storm-control
Interface  Filter State   Upper        Lower        Current
---------  -------------  -----------  -----------  ----------
Fa0/1      Forwarding        30.00%       30.00%        0.00%
This only gives us the information for broadcast traffic. If we want to verify our settings for unicast or multicast traffic then we have to add a parameter:
SW1#show storm-control multicast
Interface  Filter State   Upper        Lower        Current
---------  -------------  -----------  -----------  ----------
Fa0/1      Forwarding          10m bps      10m bps        0 bps
SW1#show storm-control unicast
Interface  Filter State   Upper        Lower        Current
---------  -------------  -----------  -----------  ----------
Fa0/1      Forwarding          30m pps      20m pps        0 pps
These commands are also useful to see the current traffic levels, which help you establish a baseline for the thresholds you want to use.
hostname SW1
!
interface FastEthernet0/1
 storm-control broadcast level 30.00
 storm-control multicast level bps 10m
 storm-control unicast level pps 30m 20m
 storm-control action trap
!
end
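As an added example (not part of the original lesson), the Python below parses show storm-control tables in the format shown above and flags interfaces that are currently Blocking a storm or running close to their rising threshold, which is the kind of check you would run when building the baseline mentioned above. The sample output is constructed; Fa0/2 is an extra, hypothetical port, and the 80% warning ratio is an assumption.

```python
import re

# Constructed sample output of "show storm-control <type>" in the format shown
# in this lesson; Fa0/2 is a hypothetical extra port (one table shows it Blocking).
SAMPLE = {
    "broadcast": """Interface  Filter State   Upper        Lower        Current
---------  -------------  -----------  -----------  ----------
Fa0/1      Forwarding        30.00%       30.00%        0.00%
Fa0/2      Blocking          30.00%       20.00%       45.00%
""",
    "multicast": """Interface  Filter State   Upper        Lower        Current
---------  -------------  -----------  -----------  ----------
Fa0/1      Forwarding          10m bps      10m bps        0 bps
Fa0/2      Forwarding          10m bps      10m bps       9m bps
""",
    "unicast": """Interface  Filter State   Upper        Lower        Current
---------  -------------  -----------  -----------  ----------
Fa0/1      Forwarding          30m pps      20m pps        0 pps
""",
}

SUFFIX = {"": 1, "k": 1e3, "m": 1e6, "g": 1e9}   # k/m/g multipliers as IOS accepts them
VALUE = re.compile(r"^(\d+(?:\.\d+)?)([kmg]?)(?:%|\s*(?:bps|pps))$")

def parse_value(text):
    """'30.00%' -> 30.0 (percent), '10m bps' -> 1e7, '0 pps' -> 0.0."""
    m = VALUE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised storm-control value: {text!r}")
    return float(m.group(1)) * SUFFIX[m.group(2)]

def parse_table(output):
    """Map interface -> (filter state, upper, lower, current) for one table."""
    rows = {}
    for line in output.splitlines()[2:]:            # skip header and dashed line
        cols = re.split(r"\s{2,}", line.strip())    # columns are 2+ spaces apart
        if len(cols) == 5:
            rows[cols[0]] = (cols[1],) + tuple(parse_value(c) for c in cols[2:])
    return rows

def audit(outputs, warn_ratio=0.8):
    """Flag ports that are blocking a storm now or running near the rising threshold."""
    findings = []
    for kind, output in sorted(outputs.items()):
        for port, (state, upper, _lower, current) in sorted(parse_table(output).items()):
            if state != "Forwarding":
                findings.append((port, kind, f"{state}: storm in progress"))
            elif upper and current >= warn_ratio * upper:
                findings.append((port, kind, "near rising threshold"))
    return findings
```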

That’s all there is to storm-control, I hope this lesson has been useful for you!
