One security issue that has to do with flooding is called a broadcast storm. When we have an excessive amount of broadcast traffic on the network then all devices within the broadcast domain will suffer. The switch has to flood all broadcast frames to interfaces in the same VLAN, hosts within the VLAN might have to process these frames (ARP requests for example).
Too much broadcast traffic could be caused by malicious software but also by a malfunctioning NIC. To protect ourselves against this, Cisco switches offer the storm-control feature. We can configure a threshold on interfaces to set a limit to the number of broadcast, multicast or unknown unicast traffic and an action when the threshold is exceeded.
Here’s an example how to configure this:
SW1(config-if)#storm-control ? action Action to take for storm-control broadcast Broadcast address storm control multicast Multicast address storm control unicast Unicast address storm control
We can set an action and threshold for broadcast, multicast or unknown unicast traffic. Let’s take a look at broadcast traffic:
SW1(config)#interface FastEthernet0/1 SW1(config-if)#storm-control broadcast level ? <0.00 - 100.00> Enter rising threshold bps Enter suppression level in bits per second pps Enter suppression level in packets per second
I have a couple of options here…when you use the rising threshold then the value you enter is a percentage of the interface bandwidth. The other two options are BPS (bits per second) or PPS (packets per second). Let’s start with a simple example:
SW1(config-if)#storm-control broadcast level 30
Whenever broadcast traffic exceeds 30% of the interface bandwidth, we will take action. I didn’t configure any action yet but the default action will drop exceeding traffic.
Let’s look at an example for multicast:
SW1(config-if)#storm-control multicast level bps ? <0.0 - 10000000000.0>[k|m|g] Enter rising threshold
Now I can select a threshold in BPS. You can use K,M or G to indicate Kbps, Mbps or Gbps. Let’s pick something:
SW1(config-if)#storm-control multicast level bps 10m
Once multicast exceeds 10Mbps, it will be dropped. In the previous examples I only configured a rising threshold. This means that once we exceed the threshold, the traffic will be dropped. Once we are below this threshold it will be permitted. We can also use a falling threshold: