10382 Views | 5 Helpful | 12 Replies

where to configure storm-control?

Amafsha1 (Level 2)

Hello friends, from what I understand storm-control only filters inbound broadcasts. In the topology I have attached, does anyone recommend the best place to configure storm control? We have a lot of building access switches and recently had a broadcast storm. Should I configure it on all the uplinks to the distribution switch, or should I just configure it on the uplink of the distribution switch to the core to suppress broadcast storms?

12 Replies (2 marked as accepted solutions: the first replies from omz and James below)

omz (VIP Alumni)

Hi,

First I would try to find out the culprit of the broadcasts. Essentially, find out where the broadcast packets are coming from. Possibly you can use Wireshark to capture some traffic.

Regarding configuration of storm control on uplinks, I am thinking: if storm control is configured on the access layer, would you still need it on the distribution layer?

https://www.cisco.com/c/en/us/td/docs/routers/7600/ios/12-1E/configuration/guide/storm.html

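omz's first step, finding where the broadcasts originate, is the part of a capture that matters most. The script below is an added example (not from the thread and not a Cisco tool) that parses raw Ethernet II headers and ranks source MAC addresses by the number of broadcast frames each one sent, so the storm source can be traced to a switch port through the MAC address table. The frames and MAC addresses are constructed for the example; with a real capture you would feed in the frame bytes from a pcap reader instead of SAMPLE.

```python
"""Rank broadcast senders in a set of captured Ethernet frames.

Added example, not from the original thread. Parses Ethernet II headers
directly (no pcap library needed) and counts broadcast and multicast
frames per source MAC. All frames below are constructed; the MACs are
locally administered addresses made up for the example.
"""
from collections import Counter
import struct

BROADCAST = b"\xff\xff\xff\xff\xff\xff"


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def classify(dst):
    """Broadcast, multicast (I/G bit set in the first octet) or unicast."""
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:
        return "multicast"
    return "unicast"


def frame(dst, src, ethertype, payload=b""):
    """Build a minimal Ethernet II frame (constructed test input)."""
    return dst + src + struct.pack("!H", ethertype) + payload


def summarize(frames):
    """Return (per_src, totals): per_src maps src MAC -> Counter of kinds."""
    per_src, totals = {}, Counter()
    for f in frames:
        if len(f) < 14:          # truncated header: nothing to classify
            continue
        dst, src = f[:6], f[6:12]
        kind = classify(dst)
        totals[kind] += 1
        per_src.setdefault(mac_str(src), Counter())[kind] += 1
    return per_src, totals


def top_talkers(per_src, kind="broadcast", n=3):
    """Top n source MACs by frames of the given kind, highest first."""
    ranked = sorted(per_src.items(), key=lambda kv: kv[1][kind], reverse=True)
    return [(mac, c[kind]) for mac, c in ranked[:n] if c[kind] > 0]


def broadcast_share(totals):
    total = sum(totals.values())
    return totals["broadcast"] / total if total else 0.0


# Constructed capture: one host flooding ARP requests, plus a little normal traffic.
ARP, IPV4 = 0x0806, 0x0800
LOUD = bytes.fromhex("0200aaaaaa01")    # made-up, locally administered
QUIET = bytes.fromhex("0200bbbbbb02")
GATEWAY = bytes.fromhex("0200cccccc03")
MDNS = bytes.fromhex("01005e0000fb")    # 224.0.0.251 mapped to a group MAC

SAMPLE = (
    [frame(BROADCAST, LOUD, ARP, b"\x00" * 28)] * 500
    + [frame(BROADCAST, QUIET, ARP, b"\x00" * 28)] * 3
    + [frame(MDNS, QUIET, IPV4)] * 5
    + [frame(GATEWAY, QUIET, IPV4)] * 40
    + [b"\xff\xff"]                     # truncated frame, must be skipped
)

if __name__ == "__main__":
    per_src, totals = summarize(SAMPLE)
    print(f"broadcast share of frames: {broadcast_share(totals):.1%}")
    for mac, count in top_talkers(per_src):
        print(f"{mac}  {count} broadcast frames")
```

Once the script names a MAC, `show mac address-table address <mac>` on the access switch gives the port it was learned on, which is where a per-port storm-control or shutdown actually helps.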
Already found the culprit. I think you're right: if I configure it on the access layer, I probably wouldn't need it on the distribution layer. I was just thinking which one would be less work.

We configure storm-control on our access switches (we are public K-12 schools), ex:
----------------------------
!
errdisable recovery cause storm-control
errdisable recovery interval 600
!
int gi1/0/1
storm-control broadcast level 10.00 5.00
storm-control multicast level 40.00 20.00
storm-control action shutdown
!
----------------------------
So if anyone violates our policy of broadcast traffic generating more than 10% of a 1Gb interface or multicast traffic generating more than 40% of a 1Gb interface, it will shut it down.
After 10 minutes (600 seconds) it will clear the violation and reset the port. If that port still violates the traffic... well, rinse/repeat.

But as for the work in implementing it... it depends on your environment and switches. If they are all the same switch model, or at the very least have the same number of ports (24 vs 48, etc.), then just use the 'interface range' command to target all the ports, or groups of them. Also, if you use SecureCRT (not sure about Tera Term or PuTTY), you can send that command to all active windows / sessions.

So, if all 48 ports are access:
interface range fa0/1-48
or
interface range fa0/1-4,fa0/6,fa0/8,fa0/24-41,fa0/45-47
! You can have up to 5 "groups" of interfaces in a single 'interface range' command.

Make sure to also setup spanning-tree bpduguard. That was our biggest culprit for broadcast storms; kids (and teachers =/ ) would plug both ends of a cable into the wall and create a loop.
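Generating the per-port block for every access port on a fleet of switches is mechanical work. The script below is an added Python example (not James's own tooling; the thread only shows the CLI) that turns a port count and a set of uplink port numbers into 'interface range' statements honouring the five-group limit he mentions, with the storm-control lines from his post repeated under each. The interface prefix (gi1/0/) and the uplink port numbers are assumptions for the example.

```python
"""Emit storm-control config for all access ports of a switch.

Added example, not from the original thread. Collapses port numbers into
'interface range' groups (at most five comma-separated groups per
statement) and skips the uplink ports given by the caller. The prefix
'gi1/0/' and the uplink numbers used below are assumptions.
"""

# Per-port lines taken from James's post above.
STORM_CONTROL = [
    "storm-control broadcast level 10.00 5.00",
    "storm-control multicast level 40.00 20.00",
    "storm-control action shutdown",
]
GLOBAL = [
    "errdisable recovery cause storm-control",
    "errdisable recovery interval 600",
]


def collapse(ports):
    """[1,2,3,6,8,24,25] -> [(1,3), (6,6), (8,8), (24,25)]"""
    ranges = []
    for p in sorted(set(ports)):
        if ranges and p == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], p)      # extend the current run
        else:
            ranges.append((p, p))
    return ranges


def range_statements(prefix, ports, max_groups=5):
    """'interface range' lines, each with at most max_groups groups."""
    ranges = collapse(ports)
    lines = []
    for i in range(0, len(ranges), max_groups):
        chunk = ranges[i:i + max_groups]
        groups = [f"{prefix}{a}" if a == b else f"{prefix}{a}-{b}" for a, b in chunk]
        lines.append("interface range " + ",".join(groups))
    return lines


def build_config(prefix, port_count, uplinks, per_port=STORM_CONTROL):
    """Full snippet: global errdisable lines, then one block per range.

    Ports listed in 'uplinks' are left untouched so the action shutdown
    can never err-disable the path to the distribution layer.
    """
    access = [p for p in range(1, port_count + 1) if p not in uplinks]
    out = list(GLOBAL) + ["!"]
    for stmt in range_statements(prefix, access):
        out.append(stmt)
        out.extend(" " + line for line in per_port)
        out.append("!")
    return "\n".join(out)


if __name__ == "__main__":
    # Assumed 48-port stack member with the uplinks on ports 47 and 48.
    print(build_config("gi1/0/", 48, uplinks={47, 48}))
```

Paste the output into configuration mode on each switch, or feed it to whatever push tool you use; the only per-switch inputs are the prefix, the port count and which ports are uplinks.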

Did you configure BPDU guard on all the switchports of your access switches?

If you have configured BPDU guard on every switchport, then what would be the point of configuring storm-control? Sorry, I just have a lack of knowledge about this. Thank you.

Yes, we have BPDU guard on all access ports as well as storm-control and port-security.

Here is an example of our spanning-tree config:

!----------------
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree portfast bpduguard default
spanning-tree extend system-id
spanning-tree pathcost method long

interface gi1/0/1
switchport port-security
switchport port-security maximum 1 ! (this command is the default and won't show in the config)
switchport port-security aging time 120
switchport port-security violation restrict
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!----------------

We use BPDU guard so that people cannot plug another network device onto our network. It also helps against people looping a network cable into the same switch (or another switch).

We use storm-control so that someone cannot flood our network with broadcast or multicast traffic, thus slowing the network down for everyone. An example would be someone using an imaging server to reimage a computer's OS.

And then we use port-security so that someone can't have more than 1 device plugged into an access port (not all switch vendors participate in spanning-tree (802.1D ??)).

And as a disclaimer: I'm not a CCNP R&S or higher. This is something that we use and had help from a Cisco VAR to implement. But please make sure to read up on the commands and how they are used. Don't blindly follow what others do; it might not work in your environment!

 

Here is an article on the importance of BPDU guard:

https://community.cisco.com/t5/network-architecture-documents/importance-of-bpdu-guard-and-bpdu-filter/ta-p/3120465

And then Spanning-Tree:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_53_se/configuration/guide/2960scg/swstp.html
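The three controls James lists can be checked mechanically across a fleet rather than by eyeballing each switch. The audit below is an added Python example, not code from the thread or from Cisco, that parses a config in 'show running-config' layout (an 'interface' line followed by indented lines, ended by '!') and reports every port configured with 'switchport mode access' that lacks storm-control, BPDU guard or port-security. BPDU guard counts as present when the port has it enabled explicitly or when the global 'spanning-tree portfast bpduguard default' applies to a portfast port, and a per-port 'spanning-tree bpduguard disable' is treated as an override. The sample config is constructed for the example.

```python
"""Audit access ports for storm-control, BPDU guard and port-security.

Added example, not from the original thread. Assumes 'show running-config'
layout: 'interface NAME' followed by space-indented lines, terminated by
'!'. SAMPLE_CONFIG is constructed; port 1 is compliant, port 2 is not,
port 48 is a trunk uplink and is out of scope.
"""
import re


def parse(config):
    """Return (global_lines, {interface_name: [stripped lines]})."""
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.strip() == "!":
            current = None                  # '!' ends an interface block
            continue
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def has_bpduguard(global_lines, iface):
    """Explicit per-port setting wins; otherwise the global default applies to portfast ports."""
    if "spanning-tree bpduguard disable" in iface:
        return False
    if "spanning-tree bpduguard enable" in iface:
        return True
    portfast = any(l.startswith("spanning-tree portfast") and not l.endswith("disable")
                   for l in iface)
    return portfast and "spanning-tree portfast bpduguard default" in global_lines


CHECKS = {
    "storm-control": lambda g, i: any(l.startswith("storm-control broadcast level") for l in i),
    "bpduguard": has_bpduguard,
    "port-security": lambda g, i: "switchport port-security" in i,
}


def audit(config):
    """Return {interface: [missing controls]} for every access port."""
    global_lines, interfaces = parse(config)
    findings = {}
    for name, lines in interfaces.items():
        if "switchport mode access" not in lines:
            continue                        # trunks / uplinks are not access ports
        missing = [ctl for ctl, ok in CHECKS.items() if not ok(global_lines, lines)]
        if missing:
            findings[name] = missing
    return findings


# Constructed sample config for the example.
SAMPLE_CONFIG = """\
!
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
errdisable recovery cause storm-control
!
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 storm-control broadcast level 10.00 5.00
 storm-control multicast level 40.00 20.00
 storm-control action shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard disable
!
interface GigabitEthernet1/0/48
 description uplink to distribution
 switchport mode trunk
!
"""

if __name__ == "__main__":
    for port, missing in audit(SAMPLE_CONFIG).items():
        print(f"{port}: missing {', '.join(missing)}")
```

Run it over configs pulled from each switch (for instance with a backup job) and the output is a to-do list of ports, which is a better audit trail than trusting that 'interface range' was applied everywhere.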

Thank you, sir. So I guess portfast isn't quite enough to prevent someone connecting a cable between 2 switchports or introducing a switch that might send BPDUs into a switchport.

Enabling "spanning-tree portfast" on a port makes that port go into the "forwarding" state immediately, without going through all the steps:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4000/8-2glx/configuration/guide/stp_enha.html

So, when someone plugs in their computer they are usually able to get network access very quickly (within a couple of seconds). If you didn't have 'spanning-tree portfast' enabled on access ports, the device would take up to 30 seconds to finally get network access as the port goes through all the states (listening and learning).

This is why we also hard-code all access ports with the commands:

!----------------
switchport access vlan 10
switchport mode access
!----------------

We know it's going to be an access port for computer devices and we know that it should never be anything else (i.e. a trunk port).

Again, we are a public K-12 school district. So, unfortunately, quick access and convenience are of slightly higher importance than security. I'm sure there are much better security practices that we could implement, but our students are limited in class time and we need to make sure they can get access to resources quickly.

So, going back to your original question and what @omz also hinted at:

If you configure storm-control on all your access ports and your switches are in a secured room, then configuring storm-control on your uplinks is not necessary.

Thanks James. I don't think he meant to configure storm-control on all access switchports; I think he meant to configure it on the access-layer switches' uplinks towards the distribution layer.

Hello

Note: when both broadcast and multicast storm control are enabled at the same time and either one reaches its own specified threshold, it will negate traffic for both.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community's global network.

Kind Regards
Paul

Thanks Paul. It seems that the only 2 options for storm-control are to either disable the uplink or send an SNMP trap. I wish there were more options, such as dropping the broadcast traffic in question.

If you choose to send an SNMP trap, it still applies a filter to the interface to block the offending traffic.
