Cisco Nexus 7000 Series NX-OS Security Configuration Guide
Bias-Free Language
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This chapter describes how to configure traffic storm control on the Cisco NX-OS device.
This chapter includes the following sections:
Finding Feature
Information
Your software release might not support all the features documented in this module. For the latest caveats and feature information,
see the Bug Search Tool at https://tools.cisco.com/bugsearch/ and the release notes for your software release. To find information about the features documented in this module, and to
see a list of the releases in which each feature is supported, see the "New and Changed Information"chapter or the Feature
History table in this chapter.
Information About Traffic Storm Control
A traffic storm occurs when packets flood the LAN, creating excessive traffic and degrading network performance. You can use
the traffic storm control feature to prevent disruptions on Layer 2 ports by a
broadcast, multicast, or unicast traffic storm on physical interfaces.
Traffic storm control (also called traffic suppression) allows you to monitor the levels of the incoming broadcast, multicast,
and unicast traffic over a 10-millisecond interval. During this interval, the traffic level, which is a percentage of the
total available bandwidth of the port, is compared with the traffic storm control level that you configured. When the ingress
traffic reaches the traffic storm control level that is configured on the port, traffic storm control drops the traffic until
the interval ends.
This table shows the broadcast traffic patterns on a Layer 2 interface over a given interval. In this example, traffic storm
control occurs between times T1 and T2 and between T4 and T5. During those intervals, the amount of broadcast traffic exceeded
the configured threshold.
The traffic storm control threshold numbers and the time interval allow the traffic storm control algorithm to work with different
levels of granularity. A higher threshold allows more packets to pass through.
Traffic storm control on the Cisco NX-OS device is implemented in the hardware. The traffic storm control circuitry monitors
packets that pass from a Layer 2 interface to the switching bus. Using the Individual/Group bit in the packet destination
address, the circuitry determines if the packet is unicast or broadcast, tracks the current count of packets within the 10-millisecond
interval, and filters out subsequent packets when a threshold is reached.
Traffic storm control uses a bandwidth-based method to measure traffic. You set the percentage of total available bandwidth
that the controlled traffic can use. Because packets do not arrive at uniform intervals, the 10-millisecond interval can affect
the behavior of traffic storm control.
The following are examples of traffic storm control behavior:
If you enable broadcast traffic storm control, and broadcast traffic exceeds the level within the 10-millisecond interval,
traffic storm control drops all broadcast traffic until the end of the interval.
If you enable broadcast and multicast traffic storm control, and the combined broadcast and multicast traffic exceeds the
level within the 10-millisecond interval, traffic storm control drops all broadcast and multicast traffic until the end of
the interval.
If you enable broadcast and multicast traffic storm control, and broadcast traffic exceeds the level within the 10-millisecond
interval, traffic storm control drops all broadcast and multicast traffic until the end of the interval.
If you enable broadcast and multicast traffic storm control, and multicast traffic exceeds the level within the 10-millisecond
interval, traffic storm control drops all broadcast and multicast traffic until the end of the interval.
By default, the Cisco NX-OS software takes no corrective action when the traffic exceeds the configured level. However, you
can configure an Embedded Event Management (EEM) action to error-disable an interface if the traffic does not subside (drop
below the threshold) within a certain time period. For information on configuring EEM, see the
Cisco Nexus 7000 Series NX-OS System Management Command Reference.
Virtualization
Support for Traffic Storm Control
Traffic storm
control configuration and operation are local to the virtual device context
(VDC).
For more information
on VDCs, see the
Cisco Nexus
7000 Series NX-OS Virtual Device Context Configuration Guide.
Licensing Requirements for Traffic Storm Control
The following table shows the licensing requirements for this feature:
Product
License Requirement
Cisco NX-OS
Traffic storm control requires no license. Any feature not included in a license package is bundled with the Cisco NX-OS system
images and is provided at no extra charge to you. For an explanation of the Cisco NX-OS licensing scheme, see the
Cisco NX-OS Licensing Guide.
Guidelines and
Limitations for Traffic Storm Control
When configuring the
traffic storm control level, note the following guidelines and limitations:
Only one suppression level is shared by all three suppression modes i.e., unicast, multicast, and broadcast. For example,
if you set the broadcast level to 30 and then set the multicast level to 40, both levels are enabled and set to 40.
You can
configure traffic storm control on a port-channel interface.
Do not configure
traffic storm control on interfaces that are members of a port-channel
interface. Configuring traffic storm control on interfaces that are configured
as members of a port channel puts the ports into a suspended state.
When you use the storm-control unicast level percentage command in a module, both the unknown and known unicast traffic gets discarded after reaching the threshold value.
Traffic storm control on all Cisco FEX devices connected to Cisco
Nexus 7000 series switches has following guidelines and limitations:
Traffic storm control is not supported on HIF ports.
Traffic storm control is supported only on NIF ports.
Specify the
level as a percentage of the total interface bandwidth:
The level
can be from 0 to 100.
The optional
fraction of a level can be from 0 to 99.
100 percent
means no traffic storm control.
0.0 percent
suppresses all traffic.
Because of hardware
limitations and the method by which packets of different sizes are counted, the
level percentage is an approximation. Depending on the sizes of the frames that
make up the incoming traffic, the actual enforced level might differ from the
configured level by several percentage points.
Note
If you are familiar with the Cisco IOS CLI, be aware that the
Cisco NX-OS commands for this feature might differ from the Cisco IOS commands
that you would use.
Default Settings for Traffic Storm Control
This table lists the default settings for traffic storm control parameters.
Table 1. Default Traffic Storm Control Parameters
Parameters
Default
Traffic storm control
Disabled
Threshold percentage
100
Configuring Traffic
Storm Control
You can set the
percentage of total available bandwidth that the controlled traffic can use.
Note
Traffic storm
control uses a 10-millisecond interval that can affect the behavior of traffic
storm control.