Catalyst 3550 Multilayer Switch Software Configuration Guide, 12.1(8)EA1
Configuring Port-Based Traffic Control

Table Of Contents

Configuring Port-Based Traffic Control

Configuring Storm Control

Understanding Storm Control

Default Storm Control Configuration

Enabling Storm Control

Disabling Storm Control

Configuring Protected Ports

Configuring Port Blocking

Blocking Flooded Traffic on an Interface

Resuming Normal Forwarding on a Port

Configuring Port Security

Understanding Port Security

Default Port Security Configuration

Configuration Guidelines

Enabling and Configuring Port Security

Displaying Port-Based Traffic Control Settings


Configuring Port-Based Traffic Control


This chapter describes how to configure the port-based traffic control features on your switch.


Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 3550 Multilayer Switch Command Reference for this release.


This chapter consists of these sections:

Configuring Storm Control

Configuring Protected Ports

Configuring Port Blocking

Configuring Port Security

Displaying Port-Based Traffic Control Settings

Configuring Storm Control

These sections include storm control configuration information and procedures:

Understanding Storm Control

Default Storm Control Configuration

Enabling Storm Control

Disabling Storm Control

Understanding Storm Control

Storm control prevents switchports on a LAN from being disrupted by a broadcast, multicast, or unicast storm on one of the physical interfaces. A LAN storm occurs when packets flood the LAN, creating excessive traffic and degrading network performance. Errors in the protocol-stack implementation or in the network configuration can cause a storm.

Storm control (or traffic suppression) monitors incoming traffic statistics over a time period and compares the measurement with a predefined suppression level threshold. The threshold represents the percentage of the total available bandwidth of the port. The switch supports separate storm control thresholds for broadcast, multicast, and unicast traffic. If the threshold of a traffic type is reached, further traffic of that type is suppressed until the incoming traffic falls below the threshold level.


Note When the rate of multicast traffic exceeds a set threshold, all incoming traffic (broadcast, multicast, and unicast) is dropped until the level drops below the threshold level. Only spanning-tree packets are forwarded. When broadcast and unicast thresholds are exceeded, traffic is blocked for only the type of traffic that exceeded the threshold. Choose the multicast level with this in mind: a level set below the normal multicast load of a port blocks all traffic on that port, not only multicast.


When storm control is enabled, the switch monitors packets passing from an interface to the switching bus and determines if the packet is unicast, multicast, or broadcast. The switch monitors the number of broadcast, multicast, or unicast packets received within the 1-second time interval, and when a threshold for one type of traffic is reached, that type of traffic is dropped. This threshold is specified as a percentage of total available bandwidth that can be used by broadcast (multicast or unicast) traffic.

The graph in Figure 12-1 shows broadcast traffic patterns on an interface over a given period of time. The example can also be applied to multicast and unicast traffic. In this example, the broadcast traffic being forwarded exceeded the configured threshold between time intervals T1 and T2 and between T4 and T5. When the amount of specified traffic exceeds the threshold, all traffic of that kind is dropped for the next time period. Therefore, broadcast traffic is blocked during the intervals following T2 and T5. At the next time interval (for example, T3), if broadcast traffic does not exceed the threshold, it is again forwarded.

Figure 12-1 Broadcast Storm Control Example

The combination of the storm-control suppression level and the 1-second time interval controls the way the storm control algorithm works. A higher threshold allows more packets to pass through. A threshold value of 100 percent means that no limit is placed on the traffic. A value of 0.0 means that all broadcast, multicast, or unicast traffic on that port is blocked.


Note Because packets do not arrive at uniform intervals, the 1-second time interval during which traffic activity is measured can affect the behavior of storm control.


The switch continues to monitor traffic on the port, and when the utilization level is below the threshold level, the type of traffic that was dropped is forwarded again.
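The following Python model of the per-interval algorithm described above is an added example for this page; it is not Cisco code and is not what the switch hardware runs. It measures each traffic class over a 1-second window as a percentage of the port bandwidth, applies the block decision to the following interval as in the Figure 12-1 description, and honours the multicast rule from the Note above (everything except spanning-tree frames is dropped). The port speed, frame sizes and traffic mix are constructed, and taking the block decision exactly at the interval boundary is an assumption of the model; the real thresholds are approximations, as "Enabling Storm Control" explains.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

CLASSES = ("broadcast", "multicast", "unicast")
Frame = Tuple[str, int]   # (traffic class or "stp", size in bytes); constructed input


@dataclass
class StormControl:
    """Storm-control state for one physical interface (model, not switch code)."""
    bandwidth_bps: int        # port speed, e.g. 100_000_000 for a Fast Ethernet port
    # suppression level per class in percent; 100.00 means no limit (the default)
    levels: Dict[str, float] = field(
        default_factory=lambda: {c: 100.0 for c in CLASSES})
    # block decision taken at the end of the previous interval, per class
    blocked: Dict[str, bool] = field(
        default_factory=lambda: {c: False for c in CLASSES})
    block_all: bool = False   # multicast exceeded its level: everything but STP is dropped
    discards: Dict[str, int] = field(
        default_factory=lambda: {c: 0 for c in CLASSES})

    def set_level(self, cls: str, level: float) -> None:
        """Equivalent of storm-control {broadcast|multicast|unicast} level <level>."""
        if cls not in CLASSES or not 0.0 <= level <= 100.0:
            raise ValueError(f"invalid storm-control level: {cls} {level}")
        self.levels[cls] = level

    def run_interval(self, frames: List[Frame]) -> Dict[str, object]:
        """Process one 1-second measurement interval and return what happened.

        Frames are forwarded or dropped according to the decision taken at the
        end of the previous interval (Figure 12-1: traffic that exceeded the
        level between T1 and T2 is blocked in the interval after T2).  The
        utilization measured here decides the next interval.  Assumption of
        this model: the decision is taken at the interval boundary.
        """
        measured = {c: 0 for c in CLASSES}
        forwarded = {c: 0 for c in CLASSES + ("stp",)}
        for cls, size in frames:
            if cls == "stp":          # spanning-tree frames are never suppressed
                forwarded["stp"] += 1
                continue
            measured[cls] += size
            if self.block_all or self.blocked[cls]:
                self.discards[cls] += 1
            else:
                forwarded[cls] += 1
        # Share of the port's bandwidth used by each class during this second.
        util = {c: measured[c] * 8 / self.bandwidth_bps * 100 for c in CLASSES}
        for c in CLASSES:
            # 100.00% disables suppression; 0.0 blocks every frame of the class.
            self.blocked[c] = self.levels[c] < 100.0 and util[c] >= self.levels[c]
        # Per the Note above, exceeding the multicast level also blocks broadcast and unicast.
        self.block_all = self.blocked["multicast"]
        return {
            "util": util,
            "forwarded": forwarded,
            "discards": dict(self.discards),
            "blocked_next": dict(self.blocked),
            "block_all_next": self.block_all,
        }


def demo() -> List[Dict[str, object]]:
    """Six constructed one-second intervals on a Fast Ethernet port with
    broadcast level 10 and multicast level 5 (unicast left at the default)."""
    sc = StormControl(bandwidth_bps=100_000_000)
    sc.set_level("broadcast", 10.0)
    sc.set_level("multicast", 5.0)
    storm = [("broadcast", 1500)] * 1000                     # 12 Mb in one second = 12% of the port
    quiet = [("broadcast", 1500)] * 100 + [("unicast", 1500)] * 100
    mcast = [("multicast", 1500)] * 500 + [("unicast", 1500)] * 50 + [("stp", 64)]   # 6% multicast
    after = [("unicast", 1500)] * 10 + [("stp", 64)]
    return [sc.run_interval(f) for f in (storm, quiet, quiet, mcast, after, after)]


if __name__ == "__main__":
    for i, r in enumerate(demo(), 1):
        print(f"T{i}: forwarded={r['forwarded']} blocked_next={r['blocked_next']}")
```

Running the demo shows the broadcast storm in the first second being forwarded (the decision has not been taken yet), the next second's broadcast being discarded while unicast still passes, and the multicast burst in the fourth second taking out unicast in the fifth while the spanning-tree frame still goes through.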

You use the storm-control interface configuration commands to set the threshold value for each traffic type.


Note Before IOS Release 12.1(8)EA1, you set up storm control threshold values by using the switchport broadcast, switchport multicast, and switchport unicast interface configuration commands. These commands are now obsolete, replaced by the storm-control interface configuration commands.


Default Storm Control Configuration

By default, unicast, broadcast, and multicast storm control is disabled on the switch: that is, the suppression level is 100 percent.

Enabling Storm Control

You enable storm control on an interface and enter the percentage of total available bandwidth that you want to be used by a particular type of traffic; entering 100 percent allows all traffic. However, because of hardware limitations and the way in which packets of different sizes are counted, threshold percentages are approximations. Depending on the sizes of the packets making up the incoming traffic, the actual enforced threshold might differ from the configured level by several percentage points.


Note Storm control is supported only on physical interfaces; it is not supported on EtherChannel port channels even though the command is available in the CLI.


Beginning in privileged EXEC mode, follow these steps to enable a particular type of storm control:

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

interface interface-id

Enter interface configuration mode, and enter the type and number of the physical interface to configure, for example, gigabitethernet0/1.

Step 3 

storm-control broadcast level level [.level]

Specify the broadcast traffic suppression level for an interface as a percentage of total bandwidth. The level can be from 1 to 100; the optional fraction of a level can be from 0 to 99. A threshold value of 100 percent means that no limit is placed on broadcast traffic. A value of 0.0 means that all broadcast traffic on that port is blocked.

Step 4 

storm-control multicast level level [.level]

Specify the multicast traffic suppression level for an interface as a percentage of total bandwidth. The level can be from 1 to 100; the optional fraction of a level can be from 0 to 99. A threshold value of 100 percent means that no limit is placed on multicast traffic. A value of 0.0 means that all multicast traffic on that port is blocked.

Step 5 

storm-control unicast level level [.level]

Specify the unicast traffic suppression level for an interface as a percentage of total bandwidth. The level can be from 1 to 100; the optional fraction of a level can be from 0 to 99. A threshold value of 100 percent means that no limit is placed on unicast traffic. A value of 0.0 means that all unicast traffic on that port is blocked.

Step 6 

end

Return to privileged EXEC mode.

Step 7 

show storm-control [interface-id] [broadcast | multicast | unicast]

Verify the storm control suppression levels set on the interface for the specified traffic type. If you do not enter a traffic type, broadcast storm control settings are displayed.

Step 8 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To disable storm control, use the no storm-control broadcast level, no storm-control multicast level, or no storm-control unicast level interface configuration commands.

This example shows how to set the multicast storm control level at 70.5 percent on Fast Ethernet interface 17 and verify the configuration:

Switch# configure terminal
Switch(config)# interface fastethernet0/17
Switch(config-if)# storm-control multicast level 70.5
Switch(config-if)# end
Switch# show storm-control fastethernet0/17 multicast
Interface  Filter State   Level    Current
---------  -------------  -------  -------
Fa0/17     Forwarding      70.50%    0.00%

Disabling Storm Control

Beginning in privileged EXEC mode, follow these steps to disable storm control on an interface:

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

interface interface-id

Enter interface configuration mode, and enter the type and number of the physical interface to configure, for example, gigabitethernet0/1.

Step 3 

no storm-control broadcast level

Disable broadcast storm control on the interface.

Step 4 

no storm-control multicast level

Disable multicast storm control on the interface.

Step 5 

no storm-control unicast level

Disable unicast storm control on the interface.

Step 6 

end

Return to privileged EXEC mode.

Step 7 

show storm-control [interface-id] [broadcast | multicast | unicast]

Verify that there are no storm control suppression levels set on the interface for the specified traffic type. If you do not enter a traffic type, broadcast storm control settings are displayed.

Step 8 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

This example shows how to disable the multicast storm control on Fast Ethernet interface 17 and verify the configuration:

Switch# configure terminal
Switch(config)# interface fastethernet0/17
Switch(config-if)# no storm-control multicast level
Switch(config-if)# end
Switch# show storm-control fastethernet0/17 multicast
Interface  Filter State   Level    Current
---------  -------------  -------  -------
Fa0/17     inactive       100.00%  N/A

Configuring Protected Ports

Some applications require that no traffic be forwarded between ports on the same switch so that one neighbor does not see the traffic generated by another neighbor. In such an environment, the use of protected ports ensures that there is no exchange of unicast, broadcast, or multicast traffic between these ports on the switch.

Protected ports have these features:

A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is also a protected port. Traffic cannot be forwarded between protected ports at Layer 2; all traffic passing between protected ports must be forwarded through a Layer 3 device.

Forwarding behavior between a protected port and a nonprotected port proceeds as usual.

The default is to have no protected ports defined.


Note The protected port feature is not compatible with fallback bridging. When fallback bridging is enabled, it is possible for packets to be forwarded from one protected port on a switch to another protected port on the same switch if the ports are in different VLANs.



Note There could be times when unknown unicast or multicast traffic from a nonprotected port is flooded to a protected port because a MAC address has timed out or has not been learned by the switch. Use the switchport block unicast and switchport block multicast interface configuration commands to guarantee that no unicast or multicast traffic is flooded to the port in such a case.


A protected port cannot be a secure port.

You can configure protected ports on a physical interface (for example, Gigabit Ethernet 0/1) or an EtherChannel group (for example, port-channel 5). When you enable protected port for a port channel, it is enabled for all ports in the port channel group.

Beginning in privileged EXEC mode, follow these steps to define a port as a protected port:

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

interface interface-id

Enter interface configuration mode, and enter the type and number of the switchport interface to configure, for example, gigabitethernet0/1.

Step 3 

switchport protected

Configure the interface to be a protected port.

Step 4 

end

Return to privileged EXEC mode.

Step 5 

show interfaces interface-id switchport

Verify your entries.

Step 6 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To disable protected port, use the no switchport protected interface configuration command.

This example shows how to configure Gigabit Ethernet interface 0/3 as a protected port and verify the configuration:

Switch# configure terminal
Switch(config)# interface gigabitethernet0/3
Switch(config-if)# switchport protected
Switch(config-if)# end
Switch# show interfaces gigabitethernet0/3 switchport
Name: Gi0/3
Switchport: Enabled

<output truncated>

Protected: True
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled

Configuring Port Blocking

By default, the switch floods packets with unknown destination MAC addresses to all ports in the same VLAN. If unknown unicast or multicast traffic is flooded to a protected port, the host on that port receives frames that were not addressed to it, which undermines the isolation the protected port is meant to provide.

To prevent unknown unicast or multicast traffic from being forwarded from one port to another, you can configure a port (protected or nonprotected) to block unknown unicast or multicast packets.


Note Blocking unicast or multicast traffic is not automatically enabled on protected ports; you must explicitly configure it.
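The following Python forwarding model is an added example for this page, not Cisco code: it shows how the switchport protected and switchport block settings described in these two sections combine when a frame is switched. Source learning, VLAN membership and the absence of IGMP snooping (so that every multicast counts as unknown) are simplifying assumptions of the model, and the port names, MAC addresses and topology are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

BROADCAST = "ffff.ffff.ffff"


@dataclass
class Port:
    name: str
    vlan: int = 1
    protected: bool = False        # switchport protected
    block_unicast: bool = False    # switchport block unicast
    block_multicast: bool = False  # switchport block multicast


@dataclass
class Switch:
    """Layer 2 forwarding model for one VLAN-aware switch (added example)."""
    ports: Dict[str, Port]
    # (vlan, mac) -> port name, filled by source-address learning
    mac_table: Dict[Tuple[int, str], str] = field(default_factory=dict)

    @staticmethod
    def is_multicast(mac: str) -> bool:
        # The group bit is the least significant bit of the first octet.
        return int(mac[:2], 16) & 0x01 == 1

    def forward(self, ingress: str, src: str, dst: str) -> List[str]:
        """Return the sorted names of the ports the frame is sent out of; [] means dropped."""
        in_port = self.ports[ingress]
        self.mac_table[(in_port.vlan, src)] = ingress
        peers = [p for p in self.ports.values()
                 if p.vlan == in_port.vlan and p.name != ingress]

        if dst == BROADCAST:
            # switchport block only covers unknown unicast and multicast;
            # broadcast is flooded to every port in the VLAN.
            egress = peers
        elif self.is_multicast(dst):
            # No IGMP snooping in this model: every multicast is "unknown" and
            # is flooded, except to ports that block unknown multicast.
            egress = [p for p in peers if not p.block_multicast]
        elif (in_port.vlan, dst) in self.mac_table:
            # Known unicast goes to the learned port; blocking does not apply.
            egress = [p for p in peers if p.name == self.mac_table[(in_port.vlan, dst)]]
        else:
            # Unknown unicast is flooded, except to ports that block it.
            egress = [p for p in peers if not p.block_unicast]

        # Protected-to-protected traffic is never forwarded at Layer 2, flooded
        # or not; it has to go through a Layer 3 device.
        if in_port.protected:
            egress = [p for p in egress if not p.protected]
        return sorted(p.name for p in egress)


def build_switch() -> Switch:
    """Constructed topology: two protected ports, a nonprotected uplink, a
    protected port that also blocks flooding, and a port in another VLAN."""
    return Switch(ports={
        "Gi0/1": Port("Gi0/1", protected=True),
        "Gi0/2": Port("Gi0/2", protected=True),
        "Gi0/3": Port("Gi0/3"),
        "Gi0/4": Port("Gi0/4", protected=True, block_unicast=True, block_multicast=True),
        "Gi0/5": Port("Gi0/5", vlan=2),
    })


if __name__ == "__main__":
    sw = build_switch()
    print("unknown unicast from Gi0/3 reaches",
          sw.forward("Gi0/3", "0000.0000.0003", "0000.0000.00bb"))
```

The case the Note above warns about is the unknown unicast arriving on the nonprotected port Gi0/3: it is flooded to the protected ports Gi0/1 and Gi0/2, and only Gi0/4, which also has switchport block unicast, is spared.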


Blocking Flooded Traffic on an Interface


Note The interface can be a physical interface (for example, GigabitEthernet 0/1) or an EtherChannel group (for example, port-channel 5). When you block multicast or unicast traffic for a port channel, it is blocked on all ports in the port channel group.


Beginning in privileged EXEC mode, follow these steps to disable the flooding of multicast and unicast packets to an interface:

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

interface interface-id

Enter interface configuration mode, and enter the type and number of the switchport interface to configure, for example gigabitethernet0/1.

Step 3 

switchport block multicast

Block unknown multicast forwarding to the port.

Step 4 

switchport block unicast

Block unknown unicast forwarding to the port.

Step 5 

end

Return to privileged EXEC mode.

Step 6 

show interfaces interface-id switchport

Verify your entries.

Step 7 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To return the interface to the default condition where no traffic is blocked, use the no switchport block {multicast | unicast} interface configuration commands.

This example shows how to block unicast and multicast flooding on Gigabit Ethernet interface 0/1 and verify the configuration:

Switch# configure terminal
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# switchport block multicast
Switch(config-if)# switchport block unicast
Switch(config-if)# end
Switch# show interfaces gigabitethernet0/1 switchport
Name: Gi0/1
Switchport: Enabled

<output truncated>

Protected: True
Unknown unicast blocked: enabled
Unknown multicast blocked: enabled

Resuming Normal Forwarding on a Port

Beginning in privileged EXEC mode, follow these steps to resume normal forwarding on a port:

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

interface interface-id

Enter interface configuration mode and enter the type and number of the switchport interface to configure, for example gigabitethernet0/1.

Step 3 

no switchport block multicast

Enable unknown multicast flooding to the port.

Step 4 

no switchport block unicast

Enable unknown unicast flooding to the port.

Step 5 

end

Return to privileged EXEC mode

Step 6 

show interfaces interface-id switchport

Verify your entries.

Step 7 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

Configuring Port Security

You can use the port security feature to restrict input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the workstation attached to that port is assured the full bandwidth of the port.

If a port is configured as a secure port and the maximum number of secure MAC addresses is reached, when the MAC address of a station attempting to access the port is different from any of the identified secure MAC addresses, a security violation occurs. Also, if a station with a secure MAC address configured or learned on one secure port attempts to access another secure port, a violation is flagged.

Understanding Port Security

After you have set the maximum number of secure MAC addresses on a port (the range is 1 to 128 with a default of 128), the secure addresses are included in an address table in one of these ways:

You can configure all secure MAC addresses by using the switchport port-security mac-address mac_address interface configuration command.

You can allow the port to dynamically configure secure MAC addresses with the MAC addresses of connected devices.

You can configure a number of addresses and allow the rest to be dynamically configured.


Note If the port shuts down, all dynamically learned addresses are removed.


Once the maximum number of secure MAC addresses is configured, they are stored in an address table. Setting a maximum number of addresses to one and configuring the MAC address of an attached device ensures that the device has the full bandwidth of the port.

It is a security violation when one of these situations occurs:

The maximum number of secure MAC addresses have been added to the address table and a station whose MAC address is not in the address table attempts to access the interface.

A station whose MAC address is configured as a secure MAC address on another secure port attempts to access the interface.

You can configure the interface for one of three violation modes, based on the action to be taken if a violation occurs:

protect—when the number of secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value.

restrict—a port security violation causes a trap notification to be sent to the network management station (NMS).

shutdown—a port security violation causes the interface to shut down immediately, and an SNMP trap notification is sent. Once shut down, the interface must be manually re-enabled by using the no shutdown interface configuration command. This is the default mode.
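The following Python model of the port security rules in this section is an added example, not Cisco code: it keeps the static and dynamically learned secure addresses per port, raises a violation in the two situations listed above, applies the three violation modes, and clears learned addresses when a port shuts down, as the Note states. Port names, limits and MAC addresses are constructed. Two points are assumptions of the model rather than statements of this chapter: that restrict mode drops the offending frame in addition to sending the trap, and that the violation counter increments in protect mode.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class SecurePort:
    """Port-security state of one access port (model, not switch code)."""
    name: str
    maximum: int = 128              # switchport port-security maximum (1-128, default 128)
    violation: str = "shutdown"     # protect | restrict | shutdown (default)
    configured: Set[str] = field(default_factory=set)   # switchport port-security mac-address
    dynamic: Set[str] = field(default_factory=set)      # learned from connected devices
    shut_down: bool = False
    violations: int = 0

    @property
    def secure_macs(self) -> Set[str]:
        return self.configured | self.dynamic


@dataclass
class PortSecurity:
    ports: Dict[str, SecurePort] = field(default_factory=dict)
    traps: List[str] = field(default_factory=list)   # SNMP traps the switch would send

    def configure_mac(self, port: str, mac: str) -> None:
        p = self.ports[port]
        if mac not in p.secure_macs and len(p.secure_macs) >= p.maximum:
            raise ValueError(f"{port}: maximum of {p.maximum} secure addresses reached")
        p.configured.add(mac)

    def secured_on(self, mac: str) -> Optional[str]:
        """Name of the secure port that already holds this MAC, if any."""
        for p in self.ports.values():
            if mac in p.secure_macs:
                return p.name
        return None

    def ingress(self, port: str, src: str) -> str:
        """Apply port security to a frame with source MAC src arriving on port.

        Returns "forward", "drop" or "shutdown".
        """
        p = self.ports[port]
        if p.shut_down:
            return "drop"
        if src in p.secure_macs:
            return "forward"
        if self.secured_on(src) is None and len(p.secure_macs) < p.maximum:
            p.dynamic.add(src)                 # room left: learn it as a secure address
            return "forward"
        # Violation: either the table is full and src is unknown, or src is a
        # secure address on another secure port.
        p.violations += 1                      # assumption: counted in every mode
        if p.violation == "shutdown":
            p.shut_down = True
            p.dynamic.clear()                  # a port that shuts down loses its learned addresses
            self.traps.append(f"{port}: violation by {src}, port shut down")
            return "shutdown"
        if p.violation == "restrict":
            self.traps.append(f"{port}: violation by {src}")
        # protect mode drops the frame; this model assumes restrict drops it too,
        # which the chapter does not state.
        return "drop"

    def no_shutdown(self, port: str) -> None:
        """Operator re-enables the interface (no shutdown)."""
        self.ports[port].shut_down = False


if __name__ == "__main__":
    ps = PortSecurity({"Fa0/12": SecurePort("Fa0/12", maximum=2)})
    ps.configure_mac("Fa0/12", "1000.2000.3000")
    for mac in ("1000.2000.3000", "1000.2000.3001", "1000.2000.3002"):
        print(mac, "->", ps.ingress("Fa0/12", mac))
    print("traps:", ps.traps)
```

Note how the second, dynamically learned address on Fa0/12 is lost after the shutdown: once the operator issues no shutdown, the port relearns from whatever device talks first, so the static entry from switchport port-security mac-address is the only address that survives a violation.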

Default Port Security Configuration

Table 12-1 shows the default port security configuration for an interface.

Table 12-1 Default Port Security Configuration

Feature
Default Setting

Port security

Disabled on a port

Maximum number of secure MAC addresses

128

Violation mode

Shutdown. The port shuts down when the maximum number of secure MAC addresses is exceeded, and an SNMP trap notification is sent.


Configuration Guidelines

Follow these guidelines when configuring port security:

A protected port cannot be a routed port.

A secure port cannot be a dynamic access port or a trunk port.

A protected port cannot be a secure port.

A secure port cannot be a destination port for Switch Port Analyzer (SPAN).

A secure port cannot belong to a Fast EtherChannel or Gigabit EtherChannel port group.

A secure port cannot be an 802.1X port. If you try to enable 802.1X on a secure port, an error message appears, and 802.1X is not enabled. If you try to change an 802.1X-enabled port to a secure port, an error message appears, and the security settings are not changed.

Enabling and Configuring Port Security

Beginning in privileged EXEC mode, follow these steps to restrict input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port:

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

interface interface-id

Enter interface configuration mode, and enter the physical interface to configure, for example gigabitethernet0/1.

Step 3 

switchport mode access

Set the interface mode as access; an interface in the default mode (dynamic desirable) cannot be configured as a secure port.

Step 4 

switchport port-security

Enable port security on the interface.

Step 5 

switchport port-security maximum number of addresses

(Optional) Set the maximum number of secure MAC addresses for the interface. The range is 1 to 128; the default is 128.

Step 6 

switchport port-security violation {protect | restrict | shutdown}

(Optional) Set the violation mode, the action to be taken when a security violation is detected, as one of these:

shutdown—The interface shuts down immediately, and an SNMP trap notification is sent. When shut down, the interface must be manually re-enabled by using the no shutdown interface configuration command. This is the default mode.

restrict—A trap notification is sent to the network management station.

protect—When the number of port secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value.

Step 7 

switchport port-security mac-address mac_address

(Optional) Enter a secure MAC address for the interface. You can use this command to enter the maximum number of secure MAC addresses. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned.

Step 8 

end

Return to privileged EXEC mode.

Step 9 

show port-security interface interface-id

show port-security address

Verify your entries.

Step 10 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To return the interface to the default condition as not a secure port, use the no switchport port-security interface configuration command.

To return the interface to the default number of secure MAC addresses (128), use the no switchport port-security maximum number of addresses.

To delete a MAC address from the address table, use the no switchport port-security mac-address mac_address command.

To return the violation mode to the default condition (shutdown mode), use the no switchport port-security violation {protect | restrict} command.

This example shows how to enable port security on Fast Ethernet port 12 and to set the maximum number of secure addresses to 5. The violation mode is the default, and no secure MAC addresses are configured.

Switch# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)# interface fastethernet0/12
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 5
Switch(config-if)# end
Switch# show port-security interface fastethernet0/12
Security Enabled:Yes, Port Status:SecureUp
Violation Mode:Shutdown
Max. Addrs:5, Current Addrs:0, Configure Addrs:0

This example shows how to configure a secure MAC address on Fast Ethernet port 12 and verify the configuration.

Switch# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)# interface fastethernet0/12
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security mac-address 1000.2000.3000
Switch(config-if)# end
Switch# show port-security address
          Secure Mac Address Table
------------------------------------------------------------

Vlan    Mac Address       Type                Ports
----    -----------       ----                -----
   1    1000.2000.3000    SecureConfigured     Fa0/12

Displaying Port-Based Traffic Control Settings

The show interfaces interface-id switchport privileged EXEC command displays (among other characteristics) the interface traffic suppression and control configuration. The show interfaces counters privileged EXEC commands display the count of discarded packets. The show storm-control and show port-security privileged EXEC commands display the status and configuration of those features.

To display traffic control information, use one or more of the privileged EXEC commands in Table 12-2.

Table 12-2 Commands for Displaying Traffic Control Status and Configuration

Command
Purpose

show interfaces [interface-id] switchport

Displays the administrative and operational status of all switching (nonrouting) ports or the specified port, including port blocking and port protection settings.

show storm-control [interface-id] [broadcast | multicast | unicast]

Displays storm control suppression levels set on all interfaces or the specified interface for the specified traffic type or for broadcast traffic if no traffic type is entered.

show interfaces [interface-id] counters broadcast

Displays the storm-control broadcast suppression discard counter with the number of packets discarded for all interfaces or the specified interface.

show interfaces [interface-id] counters multicast

Displays the storm-control multicast suppression discard counter with the number of packets discarded for all interfaces or the specified interface.

show interfaces [interface-id] counters unicast

Displays the storm-control unicast suppression discard counter with the number of packets discarded for all interfaces or the specified interface.

show port-security [interface interface-id]

Displays port security settings for the switch or for the specified interface, including the maximum allowed number of secure MAC addresses for each interface, the number of secure MAC addresses on the interface, the number of security violations that have occurred, and the violation mode.

show port-security [interface interface-id] address

Displays all secure MAC addresses configured on all switch interfaces or on a specified interface.


This is an example of output from the show interfaces switchport privileged EXEC command:

Switch# show interfaces gigabitethernet0/1 switchport
Name: Gi0/1
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001

Protected: False
Unknown unicast blocked: disabled
Unknown multicast blocked: enabled

This is an example of output from the show interfaces counters broadcast privileged EXEC command:

Switch# show interfaces counters broadcast

Port      BcastSuppDiscards
Gi0/1                     0
Gi0/2                     0
Gi0/3                     0
Gi0/4                     0 

This is an example of output from the show port-security privileged EXEC command when you do not enter an interface.

Switch# show port-security
Secure Port      MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                    (Count)        (Count)      (Count)
-------------------------------------------------------------------------------
     Fa0/12          25            1             0            Restrict
     Fa0/22          15            1             0            Protect

This is an example of output from the show port-security privileged EXEC command for a specified interface.

Switch# show port-security interface fastethernet0/12
Security Enabled:Yes, Port Status:SecureUp
Violation Mode:Restrict
Max. Addrs:25, Current Addrs:1, Configure Addrs:1

This is an example of output from the show port-security address privileged EXEC command.

Switch# show port-security address
          Secure Mac Address Table
------------------------------------------------------------

Vlan    Mac Address       Type                Ports
----    -----------       ----                -----
   1    1000.2000.3000    SecureConfigured     Fa0/12

This is an example of output from the show storm-control command when no keywords are entered. Because no traffic type keyword was entered, the broadcast storm control settings are displayed.

Switch# show storm-control
Interface  Filter State   Level    Current
---------  -------------  -------  -------
Fa0/1      inactive       100.00%  N/A
Fa0/2      inactive       100.00%  N/A
Fa0/3      inactive       100.00%  N/A
Fa0/4      inactive       100.00%  N/A
Fa0/5      inactive       100.00%  N/A
Fa0/6      inactive       100.00%  N/A
Fa0/7     Forwarding      50.00%    0.00%
Fa0/8      inactive       100.00%  N/A

<output truncated>

This is an example of output from the show storm-control command for a specified interface. Because no traffic type keyword was entered, the broadcast storm control settings are displayed.

Switch# show storm-control fastethernet0/17
Interface  Filter State   Level    Current
---------  -------------  -------  -------
Fa0/17     Forwarding      50.00%    0.00%

This is an example of output from the show storm-control command for a specified interface and traffic type, where no storm control threshold has been set for that traffic type on the specified interface.

Switch# show storm-control fastethernet0/17 multicast
Interface  Filter State   Level    Current
---------  -------------  -------  -------
Fa0/17     inactive       100.00%  N/A
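The show commands in this section are what an auditor has to work from on a switch of this generation, so the following Python script is an added example (not Cisco code) that parses their output and flags access ports where the features in this chapter are missing or have fired. The two sample outputs embedded in the script are constructed in the format shown above; the list of access ports to check, and the rule that every access port should have broadcast storm control and port security enabled, are assumptions of the example rather than requirements stated in this chapter.

```python
import re
from typing import Dict, List, Tuple

# Constructed samples in the format of the show commands above.
SAMPLE_STORM_CONTROL = """\
Interface  Filter State   Level    Current
---------  -------------  -------  -------
Fa0/1      inactive       100.00%  N/A
Fa0/2      inactive       100.00%  N/A
Fa0/7     Forwarding      50.00%    0.00%
Fa0/12    Forwarding      50.00%    0.00%
"""

SAMPLE_PORT_SECURITY = """\
Secure Port      MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                    (Count)        (Count)      (Count)
-------------------------------------------------------------------------------
     Fa0/12          25            1             0            Restrict
     Fa0/22          15            1             3            Protect
"""

# Interface, filter state, level (with a trailing %); header and rule lines do not match.
_STORM_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+([\d.]+)%")
# Interface, three integer counters, action keyword.
_PSEC_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\w+)\s*$")


def parse_storm_control(text: str) -> Dict[str, Dict[str, object]]:
    """show storm-control (broadcast settings) -> {interface: {state, level}}"""
    result: Dict[str, Dict[str, object]] = {}
    for line in text.splitlines():
        m = _STORM_RE.match(line)
        if m:
            result[m.group(1)] = {"state": m.group(2), "level": float(m.group(3))}
    return result


def parse_port_security(text: str) -> Dict[str, Dict[str, object]]:
    """show port-security summary -> {interface: {max, current, violations, action}}"""
    result: Dict[str, Dict[str, object]] = {}
    for line in text.splitlines():
        m = _PSEC_RE.match(line)
        if m:
            result[m.group(1)] = {"max": int(m.group(2)), "current": int(m.group(3)),
                                  "violations": int(m.group(4)), "action": m.group(5)}
    return result


def audit(access_ports: List[str], storm_text: str,
          portsec_text: str) -> List[Tuple[str, str]]:
    """Flag access ports that lack storm control or port security, or have recorded violations."""
    storm = parse_storm_control(storm_text)
    psec = parse_port_security(portsec_text)
    findings: List[Tuple[str, str]] = []
    for port in access_ports:
        entry = storm.get(port)
        # A port missing from the output is treated like one whose filter is inactive.
        if entry is None or entry["state"] == "inactive":
            findings.append((port, "broadcast storm control not enabled"))
        if port not in psec:
            findings.append((port, "port security not enabled"))
        elif psec[port]["violations"] > 0:
            findings.append((port, f"{psec[port]['violations']} port security violation(s) recorded"))
    return findings


if __name__ == "__main__":
    for port, issue in audit(["Fa0/1", "Fa0/2", "Fa0/7", "Fa0/12", "Fa0/22"],
                             SAMPLE_STORM_CONTROL, SAMPLE_PORT_SECURITY):
        print(f"{port}: {issue}")
```

Because show storm-control without a traffic-type keyword reports only the broadcast level, a complete audit runs the parser once per traffic type (broadcast, multicast, unicast) on the corresponding output; the same parser handles all three.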