Security Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)
Configuring Port-Based Traffic Control
Downloads: This chapterpdf (PDF - 1.27MB) The complete bookPDF (PDF - 7.42MB) | The complete bookePub (ePub - 1.5MB) | Feedback

Configuring Port-Based Traffic Control

Configuring Port-Based Traffic Control

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http:/​/​www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Information About Protocol Storm Protection

Protocol Storm Protection

When a switch is flooded with Address Resolution Protocol (ARP) or control packets, high CPU utilization can cause the CPU to overload. These issues can occur:

  • Routing protocol can flap because the protocol control packets are not received, and neighboring adjacencies are dropped.
  • Spanning Tree Protocol (STP) reconverges because the STP bridge protocol data unit (BPDU) cannot be sent or received.
  • CLI is slow or unresponsive.

Using protocol storm protection, you can control the rate at which control packets are sent to the switch by specifying the upper threshold for the packet flow rate. The supported protocols are ARP, ARP snooping, Dynamic Host Configuration Protocol (DHCP) v4, DHCP snooping, Internet Group Management Protocol (IGMP), and IGMP snooping.

When the packet rate exceeds the defined threshold, the switch drops all traffic arriving on the specified virtual port for 30 seconds. The packet rate is measured again, and protocol storm protection is again applied if necessary.

For further protection, you can manually error disable the virtual port, blocking all incoming traffic on the virtual port. You can manually enable the virtual port or set a time interval for automatic re-enabling of the virtual port.


Note


Excess packets are dropped on no more than two virtual ports.

Virtual port error disabling is not supported for EtherChannel and Flexlink interfaces


Default Protocol Storm Protection Configuration

Protocol storm protection is disabled by default. When it is enabled, auto-recovery of the virtual port is disabled by default.

How to Configure Protocol Storm Protection

Enabling Protocol Storm Protection

SUMMARY STEPS

    1.    configure terminal

    2.    psp {arp | dhcp | igmp} pps value

    3.    errdisable detect cause psp

    4.    errdisable recovery interval time

    5.    end

    6.    show psp config {arp | dhcp | igmp}


DETAILED STEPS
     Command or ActionPurpose
    Step 1configure terminal

    Example:
    
    Switch# configure terminal
    
    
     

    Enters global configuration mode.

     
    Step 2psp {arp | dhcp | igmp} pps value

    Example:
    
    Switch(config)# psp dhcp pps 35
    
    
     

    Configures protocol storm protection for ARP, IGMP, or DHCP.

    For value, specifies the threshold value for the number of packets per second. If the traffic exceeds this value, protocol storm protection is enforced. The range is from 5 to 50 packets per second.

     
    Step 3errdisable detect cause psp


    Example:
    
    Switch(config)# errdisable detect cause psp
    
    
     

    (Optional) Enables error-disable detection for protocol storm protection. If this feature is enabled, the virtual port is error disabled. If this feature is disabled, the port drops excess packets without error disabling the port.

     
    Step 4errdisable recovery interval time


    Example:
    Switch
    
    
     

    (Optional) Configures an auto-recovery time (in seconds) for error-disabled virtual ports. When a virtual port is error-disabled, the switch auto-recovers after this time. The range is from 30 to 86400 seconds.

     
    Step 5end


    Example:
    
    Switch(config)# end
    
    
     

    Returns to privileged EXEC mode.

     
    Step 6show psp config {arp | dhcp | igmp}


    Example:
    
    Switch# show psp config dhcp
    
    
     

    Verifies your entries.

     

    Monitoring Protocol Storm Protection

    Command Purpose
    show psp config {arp | dhcp | igmp} Verify your entries.

    Additional References

    Error Message Decoder

    Description Link

    To help you research and resolve system error messages in this release, use the Error Message Decoder tool.

    https:/​/​www.cisco.com/​cgi-bin/​Support/​Errordecoder/​index.cgi

    MIBs

    MIB MIBs Link

    All supported MIBs for this release.

    To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

    http:/​/​www.cisco.com/​go/​mibs

    Technical Assistance

    Description Link

    The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

    To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

    Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

    http:/​/​www.cisco.com/​support