Cisco Storm-Control Configuration

One security issue that has to do with flooding is called a broadcast storm. When we have an excessive amount of broadcast traffic on the network then all devices within the broadcast domain will suffer. The switch has to flood all broadcast frames to interfaces in the same VLAN, hosts within the VLAN might have to process these frames (ARP requests for example).

Too much broadcast traffic could be caused by malicious software but also by a malfunctioning NIC. To protect ourselves against this, Cisco switches offer the storm-control feature. We can configure a threshold on interfaces to set a limit to the number of broadcast, multicast or unknown unicast traffic and an action when the threshold is exceeded.

Here’s an example how to configure this:

SW1(config-if)#storm-control ?
  action     Action to take for storm-control
  broadcast  Broadcast address storm control
  multicast  Multicast address storm control
  unicast    Unicast address storm control

We can set an action and threshold for broadcast, multicast or unknown unicast traffic. Let’s take a look at broadcast traffic:

SW1(config)#interface FastEthernet0/1
SW1(config-if)#storm-control broadcast level ?
  <0.00 - 100.00>  Enter rising threshold
  bps              Enter suppression level in bits per second
  pps              Enter suppression level in packets per second

I have a couple of options here…when you use the rising threshold then the value you enter is a percentage of the interface bandwidth. The other two options are BPS (bits per second) or PPS (packets per second). Let’s start with a simple example:

SW1(config-if)#storm-control broadcast level 30

Whenever broadcast traffic exceeds 30% of the interface bandwidth, we will take action. I didn’t configure any action yet but the default action will drop exceeding traffic.

Let’s look at an example for multicast:

SW1(config-if)#storm-control multicast level bps ?
  <0.0 - 10000000000.0>[k|m|g]  Enter rising threshold

Now I can select a threshold in BPS. You can use K,M or G to indicate Kbps, Mbps or Gbps. Let’s pick something:

SW1(config-if)#storm-control multicast level bps 10m

Once multicast exceeds 10Mbps, it will be dropped. In the previous examples I only configured a rising threshold. This means that once we exceed the threshold, the traffic will be dropped. Once we are below this threshold it will be permitted. We can also use a falling threshold:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You’ve Ever Spent on Your Cisco Career!
  • Full Access to our 739 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

536 Sign Ups in the last 30 days

100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags: ,

Forum Replies

  1. question, on the last sentence you said the default action is exceeding traffic will be dropped. but you can also use to shutdown the interface or send a trap.

    if you configure to send a trap, the exceeding traffic will not be dropped? just only to inform you that it exceeds?

    because on the selection of action, its only “Shutdown” and “Trap”. theres no “Drop the exceeding traffic”.

    or it works this way that, it will drop the exceeding traffic, you just need to choose the 2nd option on what to do with it? is it you’ll shutdown the interface or send a trap?

  2. Hi John,

    In both cases, the exceeding traffic will be dropped. The only difference is the “extra” action that we perform. Do you want to shut the interface or only send a SNMP trap? That’s it.


  3. Hi Michael,

    I guess this depends on which end of the trunk you expect to have a broadcast storm :slight_smile: There’s no harm configuring this on both (or all) your switches. Configuring this on an etherchannel is no problem. Make sure you do this on the logical interface, not one of the member physical interfaces or it will be suspended.


  4. That’s right, for example if you configure:

    SwitchA(config-if)#storm-control broadcast level 30

    Then broadcast traffic above 30% will be dropped, that’s it.

  5. Hello Chris

    Unknown unicast traffic is essentially unicast traffic for which a switch does not have the destination MAC address already in its CAM table. Such traffic will require flooding from all of its ports thus adding to the severity of a potential broadcast storm.

    I hope this has been helpful!


7 more replies! Ask a question or join the discussion by visiting our Community Forum