3.3.2 Configure Storm Control

Information

Traffic storm control (also called traffic suppression) allows you to monitor the levels of the incoming broadcast, multicast, and unicast traffic over a 3.9-millisecond interval. During this interval, the traffic level, which is a percentage of the total available bandwidth of the port, is compared with the traffic storm control level that you configured. When the ingress traffic reaches the traffic storm control level that is configured on the port, traffic storm control drops the traffic until the interval ends.

Rationale:

When the traffic exceeds the configured level, you can configure traffic storm control to perform the following optional corrective actions:

Shut down - When ingress traffic exceeds the traffic storm control level that is configured on a port, traffic storm control puts the port into the error-disabled state. To re-enable the port, you can either issue shutdown followed by no shutdown on the interface, or use the error-disable detection and recovery feature. It is recommended to use the errdisable recovery cause storm-control command for error-disable detection and recovery, together with the errdisable recovery interval command to define the recovery interval. The interval can range between 30 and 65535 seconds.

Trap - You can configure traffic storm control to generate an SNMP trap when ingress traffic exceeds the configured traffic storm control level. The SNMP trap action is enabled by default. However, storm control traps are not rate-limited by default. You can control the number of traps generated per minute by using the snmp-server enable traps storm-control trap-rate command.

Impact:

This configuration is normally non-impactful: host network interfaces operating normally do not generate broadcast traffic at the levels typically set with this command.

This command is primarily meant to protect the switch and more importantly other hosts in a broadcast domain (VLAN) from a network interface that is malfunctioning, either due to a hardware failure or a driver problem.

Note, however, that this protection can also blunt some malicious activity, for instance VLAN-wide DoS attacks, high-volume ARP cache poisoning attacks and CAM table overflow attacks. A CAM table overflow floods unicast frames with random source addresses, so it is only mitigated when a unicast level is configured in addition to the broadcast and multicast levels.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

To set a storm control level as a percentage of port bandwidth (multicast shown; the same syntax applies to broadcast and unicast):

switch(config)# interface ethernet 1/1
switch(config-if)# storm-control multicast level 10

or to set it in packets per second (broadcast shown):

switch(config-if)# storm-control broadcast level pps 8000

To send an SNMP trap when a configured limit is exceeded:

switch(config-if)# storm-control action trap

or to place the interface into the error-disabled state when a configured limit is exceeded:

switch(config-if)# storm-control action shutdown
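As an added example, not part of the CIS benchmark or the Tenable plugin, the following Python script audits an NX-OS running-config excerpt against the interface commands in the Solution above and the errdisable recovery and trap-rate commands described in the Rationale, then renders the remediation commands for each finding. The sample running-config is constructed for illustration; the 10.00 percent level, the trap rate of 10 per minute, the 300 second recovery interval, the decision to audit only access-mode ports, and the choice to require broadcast and multicast (but not unicast) levels are assumptions, not requirements stated by the benchmark.

```python
"""Audit an NX-OS running-config for storm control and render remediation.

Added example: not from the CIS benchmark or Tenable. Policy values below are assumptions.
"""
import re

REQUIRED_TYPES = ("broadcast", "multicast")   # assumption: unicast level left as a site choice
DEFAULT_LEVEL = "10.00"                       # assumption: percent of port bandwidth
TRAP_RATE_PER_MINUTE = 10                     # assumption: traps per minute
RECOVERY_INTERVAL = 300                       # assumption: seconds, within the 30-65535 range

# Constructed sample: one compliant access port, two non-compliant ones, one trunk uplink.
SAMPLE_RUNNING_CONFIG = """\
errdisable recovery interval 300
!
interface Ethernet1/1
  switchport
  switchport mode access
  switchport access vlan 10
  storm-control broadcast level 10.00
  storm-control multicast level 10.00
  storm-control action shutdown
!
interface Ethernet1/2
  switchport
  switchport mode access
  switchport access vlan 10
!
interface Ethernet1/3
  switchport
  switchport mode access
  switchport access vlan 20
  storm-control broadcast level pps 8000
!
interface Ethernet1/49
  description uplink to core
  switchport
  switchport mode trunk
"""


def parse_config(config):
    """Split a running-config into global lines and per-interface stanzas.
    Indented lines belong to the most recent 'interface' stanza; unindented lines are global."""
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if line.startswith(" "):
            if current is not None:
                interfaces[current].append(line.strip())
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def audit_interface(lines):
    """Return (missing level types, whether a storm-control action is set) for one stanza.
    Both the percent form ('level 10.00') and the pps form ('level pps 8000') count as configured."""
    missing = [t for t in REQUIRED_TYPES
               if not any(re.match(rf"storm-control {t} level (pps )?\S+$", l) for l in lines)]
    has_action = any(l in ("storm-control action shutdown", "storm-control action trap")
                     for l in lines)
    return missing, has_action


def audit(config):
    """Audit access-mode ports plus the global recovery/trap settings.
    Returns {'interfaces': {name: {'missing': [...], 'action': bool}}, 'global': [missing commands]}."""
    global_lines, interfaces = parse_config(config)
    report = {"interfaces": {}, "global": []}
    for name, lines in interfaces.items():
        if "switchport mode access" not in lines:
            continue  # assumption: trunks/uplinks are out of scope for this host-protection check
        missing, has_action = audit_interface(lines)
        if missing or not has_action:
            report["interfaces"][name] = {"missing": missing, "action": has_action}
    if "errdisable recovery cause storm-control" not in global_lines:
        report["global"].append("errdisable recovery cause storm-control")
    if not any(l.startswith("errdisable recovery interval ") for l in global_lines):
        report["global"].append(f"errdisable recovery interval {RECOVERY_INTERVAL}")
    if not any(l.startswith("snmp-server enable traps storm-control trap-rate") for l in global_lines):
        report["global"].append(f"snmp-server enable traps storm-control trap-rate {TRAP_RATE_PER_MINUTE}")
    return report


def remediation(report):
    """Render the NX-OS commands that close each finding, global commands first."""
    cmds = list(report["global"])
    for name, finding in report["interfaces"].items():
        cmds.append(f"interface {name}")
        for t in finding["missing"]:
            cmds.append(f"  storm-control {t} level {DEFAULT_LEVEL}")
        if not finding["action"]:
            cmds.append("  storm-control action shutdown")
    return cmds


if __name__ == "__main__":
    print("\n".join(remediation(audit(SAMPLE_RUNNING_CONFIG))))
```

Run against a real device by replacing SAMPLE_RUNNING_CONFIG with the output of show running-config; the rendered commands can be reviewed and pasted into configuration mode. Because NX-OS drops traffic above the level even with no action configured, a missing action is reported separately from missing levels so that it can be treated as a lower-severity finding if the site prefers trap over shutdown.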

Default Value:

Not enabled: no storm control levels or actions are configured on any interface by default.

See Also

https://workbench.cisecurity.org/benchmarks/6524

Item Details

Category: AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, INCIDENT RESPONSE, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|AU-6(1), 800-53|AU-7, 800-53|CM-7, 800-53|CP-6, 800-53|CP-7, 800-53|IR-4(1), 800-53|PL-8, 800-53|PM-7, 800-53|SA-8, 800-53|SC-7, 800-53|SI-4, 800-53|SI-4(2), 800-53|SI-4(4), 800-53|SI-4(5), CSCv7|11

Plugin: Cisco

Control ID: 812c549a1eba2477d6f253ace92ea342e437ca90f9cd423a8ab273475ccb2892