Catalyst 9300 PSP (protocol storm protection)

kuzack2004
Level 1

We are about to replace, in some branch offices, old Catalyst 3750G-48TS (IOS IP Base 15.0(2)SE4) with Catalyst 9300-48T-A (IOS XE 17.03.02a; network-advantage + DNA advantage).

On the active 3750Gs we are using psp (protocol storm protection) for psp arp and psp igmp. On the new Catalyst 9300 it looks like this command is not available.

There is no mention of the psp command in the "17.3. Command Reference Guide" except in the section describing the "error disable recovery" mechanism.
As far as I can see, the command exists in the IOS XE 16.6 "Reference Guide" but I can't see it in later revisions.

Is psp deprecated or replaced with something else?

1 Accepted Solution


Maybe CoPP is what you are looking for? "The CoPP feature improves security on your device by protecting the CPU from unnecessary traffic and denial of service (DoS) attacks. It can also protect control traffic and management traffic from traffic drops caused by high volumes of other, lower priority traffic."

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/17-3/configuration_guide/sec/b_173_sec_9300_cg/configuring_control_plane_policing.html


4 Replies

Mark Elsen
Hall of Fame

 

 - Check if this document can be useful :

           https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-6/configuration_guide/sec/b_166_sec_9300_cg/configuring_port_based_traffic_control.html

 M.



-- Let everything happen to you  
       Beauty and terror
      Just keep going    
       No feeling is final
Rainer Maria Rilke (1899)

Hi,

 

Thanks for the suggestion, I am aware of per-port based storm control. I am referring to "protocol storm protection", which is applied at the "global" level of the switch.

 

Security Configuration Guide, Cisco IOS XE Everest 16.6.x (Catalyst 9300 Switches) on page 550:

"Using protocol storm protection, you can control the rate at which control packets are sent to the switch by
specifying the upper threshold for the packet flow rate. The supported protocols are ARP, ARP snooping,
Dynamic Host Configuration Protocol (DHCP) v4, DHCP snooping, Internet Group Management Protocol
(IGMP), and IGMP snooping.
When the packet rate exceeds the defined threshold, the switch drops all traffic arriving on the specified virtual
port for 30 seconds. The packet rate is measured again, and protocol storm protection is again applied if
necessary."

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-6/configuration_guide/sec/b_166_sec_9300_cg.pdf
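
The behaviour in the quoted guide text, as an added example that is not part of the original post and not Cisco's implementation: a toy Python model that replays constructed per-second control-packet counts and returns the 30-second drop windows per virtual port. The one-second sampling, the port labels and the 20 pps threshold are assumptions made for the illustration.

```python
"""Toy model of protocol storm protection (PSP) as the quoted guide describes it."""
from collections import defaultdict

BLOCK_SECONDS = 30  # drop duration stated in the quoted guide text


def simulate_psp(samples, threshold_pps, block_seconds=BLOCK_SECONDS):
    """Replay per-second control-packet counts and return the drop windows.

    samples: iterable of (second, virtual_port, packets_seen_that_second).
    Returns {virtual_port: [(start, end), ...]} with end exclusive.
    Assumption: the rate is sampled once per second and is not sampled
    while a port is already being dropped.
    """
    blocked_until = defaultdict(int)
    windows = defaultdict(list)
    for second, vport, packets in sorted(samples):
        if second < blocked_until[vport]:
            continue  # everything on this virtual port is already dropped
        if packets > threshold_pps:
            blocked_until[vport] = second + block_seconds
            windows[vport].append((second, second + block_seconds))
    return dict(windows)


def is_dropped(windows, vport, second):
    """True if traffic on vport at the given second falls in a drop window."""
    return any(start <= second < end for start, end in windows.get(vport, []))


# Constructed input: one virtual port floods for 40 s, its neighbour stays quiet.
SAMPLES = (
    [(t, "Gi1/0/5:vlan10", 200) for t in range(0, 40)]
    + [(t, "Gi1/0/5:vlan10", 3) for t in range(40, 90)]
    + [(t, "Gi1/0/6:vlan10", 3) for t in range(0, 90)]
)

if __name__ == "__main__":
    result = simulate_psp(SAMPLES, threshold_pps=20)
    for vport, spans in result.items():
        print(vport, spans)
```

In this model the flooding port is still dropped at second 45, after its flood ended at second 40, because the second window runs to completion before the rate is measured again; the quiet port is never affected.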

balaji.bandi
Hall of Fame

IOS XE does support port storm control (is this what you are looking for? If not, please advise):

 

 

  • interface interface-id
  • storm-control {broadcast | multicast | unicast} level {level [level-low] | bps bps [bps-low] | pps pps [pps-low]}
  • storm-control action {shutdown | trap}
  • end
  • show storm-control [interface-id] [broadcast | multicast | unicast]

 

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/17-1/configuration_guide/sec/b_171_sec_9300_cg/configuring_port_based_traffic_control.html

 

 

 

 

 

 

BB

=====Preenayamo Vasudevam=====

***** Rate All Helpful Responses *****
