Cisco Catalyst switches provide a feature termed "storm control," which allows an administrator to suppress excessive inbound unicast, multicast, or broadcast traffic on layer two interfaces. This can be handy to protect against broadcast storms resulting from spanning tree misconfiguration, or even unicast storms created by malfunction host NICs.
On each interface, a maximum threshold can be configured in bits or packets per second, or as a percentage of the interface bandwidth. If incoming traffic of the specified type exceeds its threshold during a polling interval (one second), traffic is blocked until the incoming rate drops below the configured falling interval. Consider the following traffic graph:
In interval T0, inbound traffic is accepted as its rate never exceeds the rising threshold. In T1, the rising threshold is exceeded, and the switch makes a note to block incoming traffic for the next interval. In T2, traffic is blocked, but the switch continues to monitor the incoming rate. Although the rate has fallen below the rising threshold, it still exceeds the falling threshold, so the switch will continue to block traffic for the next interval.
During T3, traffic stays below the falling interval, so the switch removes the blocking for T4. Although traffic in T4 exceeds the falling threshold again, traffic will not be blocked for the next interval as the rising threshold hasn't been exceeded.
Configuring storm control on an interface is simple. At a minimum you'll need to specify a traffic type (unicast, multicast, or broadcast) and a rising threshold:
Switch(config-if)# storm-control broadcast level bps 1m 500k
In the above example, we have configured storm control for broadcast traffic with a 1 Mbps rising threshold and a 500 Kbps falling threshold. Note that specifying a falling threshold is optional; if omitted, the falling threshold will default to the value of the rising threshold (effectively removing it).
show storm-control displays interfaces configured with storm control and the state of each:
Switch# show storm-control Interface Filter State Upper Lower Current --------- ------------- ----------- ----------- ---------- Fa0/5 Forwarding 1m bps 500k bps 0 bps
Observe how the output changes when the upper (rising) threshold for broadcast traffic is exceeded:
Switch# show storm-control Interface Filter State Upper Lower Current --------- ------------- ----------- ----------- ---------- Fa0/5 Blocking 1m bps 500k bps 2.08m bps
Additionally, the switch will generate a log message notifying administrators of the detected storm:
%STORM_CONTROL-3-FILTERED: A Broadcast storm detected on Fa0/5. A packet filter action has been applied on the interface.
When the incoming rate drops below the lower (falling) threshold, the interface filter returns to forwarding:
Switch# show storm-control Interface Filter State Upper Lower Current --------- ------------- ----------- ----------- ---------- Fa0/5 Forwarding 1m bps 500k bps 48.81k bps
storm-control action trap command can be used under interface configuration to send SNMP traps in the event of a storm rather than the default behavior of blocking incoming traffic.