Storm control prevents traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm on one of the physical
interfaces. A LAN storm occurs when packets flood the LAN, creating excessive traffic and degrading network performance. Errors
in the protocol-stack implementation, mistakes in network configurations, or users issuing a denial-of-service attack can
cause a storm.
Storm control (or traffic suppression) monitors packets passing from an interface to the switching bus and determines if the
packet is unicast, multicast, or broadcast. The switch counts the number of packets of a specified type received within the
1-second time interval and compares the measurement with a predefined suppression-level threshold.
Measured Traffic Activity
Storm control uses one of these methods to measure traffic activity:
- Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast, multicast, or unicast
  traffic
- Traffic rate in bits per second at which broadcast, multicast, or unicast packets are received
With each method, when the rising threshold is reached, the port blocks only the excessive traffic above the threshold. If
the falling suppression level is not specified, the device blocks all traffic until the traffic rate drops below the rising
suppression level. In general, the higher the level, the less effective the protection against broadcast storms.

Note
When the storm control threshold for multicast traffic is reached, all multicast traffic except control traffic, such as bridge
protocol data unit (BPDU) and Cisco Discovery Protocol frames, is blocked. However, the device does not differentiate between
routing updates, such as OSPF, and regular multicast data traffic, so both types of traffic are blocked.
Traffic Patterns
Broadcast traffic exceeded the configured threshold during the intervals from T1 to T2 and from T4 to T5. When the specified
traffic exceeds this threshold, storm control drops the excess traffic only during the interval when the storm occurs. In
the following interval (such as T3), if broadcast traffic is below the threshold, it is forwarded as usual.
The combination of the storm-control suppression level and the 1-second time interval controls the way the storm control algorithm
works. A higher threshold allows more packets to pass through. A threshold value of 100 percent means that no limit is placed
on the traffic. A value of 0.0 means that all broadcast, multicast, or unicast traffic on that port is blocked.

Note
Because packets do not arrive at uniform intervals, the 1-second time interval during which traffic activity is measured can
affect the behavior of storm control.
You use the storm-control interface configuration commands to set the threshold value for each traffic type.
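The per-interval behavior described above, including the effect of interval alignment mentioned in the note, can be seen in a small simulation. This is an added example, not code from the device or its vendor: it is a simplified model that drops only the excess within each 1-second interval, and the port speed, frame size, and traffic pattern are constructed values.

```python
# Simplified model of per-interval storm control (added example, not vendor code).
INTERVAL_US = 1_000_000   # the 1-second measurement interval, in microseconds
PORT_BPS = 100_000_000    # assumed port speed: 100 Mb/s
FRAME_BITS = 10_000       # constructed frame size, chosen to keep the sums round


def burst(start_us, frames, duration_us=INTERVAL_US):
    """Constructed sample traffic: `frames` frames spread evenly over the duration."""
    return [(start_us + i * duration_us // frames, FRAME_BITS) for i in range(frames)]


def storm_control(traffic, level_percent, port_bps=PORT_BPS):
    """Apply a suppression level to (timestamp_us, bits) frames of one traffic type.

    Returns {interval_index: (forwarded_bits, dropped_bits)}.
    """
    # Bits allowed per interval; 100 percent means no limit, 0.0 blocks everything.
    budget = float("inf") if level_percent >= 100 else port_bps * level_percent / 100
    totals = {}
    for ts_us, bits in sorted(traffic):
        idx = ts_us // INTERVAL_US            # the counter restarts every interval
        fwd, dropped = totals.get(idx, (0, 0))
        if fwd + bits <= budget:
            fwd += bits                       # still under the threshold: forward
        else:
            dropped += bits                   # excess within this interval: drop
        totals[idx] = (fwd, dropped)
    return totals


def report(label, traffic, level_percent):
    print(label)
    for idx, (fwd, dropped) in storm_control(traffic, level_percent).items():
        print(f"  T{idx}-T{idx + 1}: forwarded {fwd / 1e6:.0f} Mb, dropped {dropped / 1e6:.0f} Mb")


# Broadcast frames per interval: storms in T1-T2 and T4-T5, normal levels elsewhere.
PATTERN = [f for i, n in enumerate([500, 3000, 800, 500, 2600]) for f in burst(i * INTERVAL_US, n)]

if __name__ == "__main__":
    report("storms in T1-T2 and T4-T5, level 20:", PATTERN, 20)
    # The same 3000-frame burst, aligned with an interval and straddling two.
    report("burst inside one interval:", burst(1_000_000, 3000), 20)
    report("burst split across two intervals:", burst(1_500_000, 3000), 20)
```

In this model the same 30 Mb burst loses 10 Mb when it falls inside one interval and loses nothing when it is split evenly across two, which is worth keeping in mind when choosing a threshold from observed peak rates.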
Storm Control Using a Hardware Rate Limiter
Traffic storm control monitors incoming traffic levels over a configured interval. However, storm control reacts slightly more
slowly because it relies on statistics counters to identify a storm. With the hardware rate limiter, the action is taken at the
ASIC level, so the storm control action starts immediately, as soon as the traffic rate reaches the set threshold level. The
hardware rate limiter implements policers for broadcast, multicast, unicast, and unknown unicast traffic.