Configuring Port-Based Traffic Control
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Overview of Port-Based Traffic Control
Port-based traffic control is a set of Layer 2 features on the Cisco Catalyst switches used to filter or block packets at the port level in response to specific traffic conditions. The port-based traffic control features described in this module are storm control, protected ports, port blocking, port security, and protocol storm protection.
Configuring Storm Control
- Information About Storm Control
- How to Configure Storm Control
- Configuration Examples for Configuring Storm Control
Information About Storm Control
Storm Control
Storm control prevents traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm on one of the physical interfaces. A LAN storm occurs when packets flood the LAN, creating excessive traffic and degrading network performance. Errors in the protocol-stack implementation, mistakes in network configurations, or users issuing a denial-of-service attack can cause a storm.
Storm control (or traffic suppression) monitors packets passing from an interface to the switching bus and determines if the packet is unicast, multicast, or broadcast. The switch counts the number of packets of a specified type received within the 1-second time interval and compares the measurement with a predefined suppression-level threshold.
How Traffic Activity is Measured
Storm control uses one of these methods to measure traffic activity:
- Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast, multicast, or unicast traffic
- Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received
- Traffic rate in bits per second at which broadcast, multicast, or unicast packets are received
- Traffic rate in packets per second for small frames. This feature is enabled globally; the threshold for small frames is configured for each interface.
With each method, the port blocks traffic when the rising threshold is reached. The port remains blocked until the traffic rate drops below the falling threshold (if one is specified) and then resumes normal forwarding. If the falling suppression level is not specified, the switch blocks all traffic until the traffic rate drops below the rising suppression level. In general, the higher the level, the less effective the protection against broadcast storms.
Traffic Patterns

Broadcast traffic being forwarded exceeded the configured threshold between time intervals T1 and T2 and between T4 and T5. When the amount of specified traffic exceeds the threshold, all traffic of that kind is dropped for the next time period. Therefore, broadcast traffic is blocked during the intervals following T2 and T5. At the next time interval (for example, T3), if broadcast traffic does not exceed the threshold, it is again forwarded.
The combination of the storm-control suppression level and the 1-second time interval controls the way the storm control algorithm works. A higher threshold allows more packets to pass through. A threshold value of 100 percent means that no limit is placed on the traffic. A value of 0.0 means that all broadcast, multicast, or unicast traffic on that port is blocked.
Note: Because packets do not arrive at uniform intervals, the 1-second time interval during which traffic activity is measured can affect the behavior of storm control.
You use the storm-control interface configuration commands to set the threshold value for each traffic type.
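The measurement loop described above, as an added example (illustrative Python written for this page, not Cisco code or switch firmware). It models pps thresholds only; the percentage and bps forms of the command differ only in the unit being compared. The class and field names, the events list and the sample counts are this example's own; the semantics follow the text: when the rising level is reached, that traffic class is dropped for the following interval, and it stays dropped until the measured rate is below the falling level (or below the rising level when no falling level is configured), while the shutdown action error-disables the whole port.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class StormControlLevel:
    """Thresholds from 'storm-control <class> level pps <pps> [<pps-low>]'."""
    rising_pps: float
    falling_pps: Optional[float] = None   # the optional pps-low argument
    action: Optional[str] = None          # 'storm-control action {shutdown | trap}'; None = filter only

    @property
    def unblock_below(self) -> float:
        # No falling level configured: stay blocked until the rate drops below the rising level.
        return self.rising_pps if self.falling_pps is None else self.falling_pps


@dataclass
class StormControlPort:
    levels: Dict[str, StormControlLevel]              # traffic class -> thresholds
    blocked: Dict[str, bool] = field(default_factory=dict)
    errdisabled: bool = False                         # set by the shutdown action
    events: List[str] = field(default_factory=list)   # what a trap or syslog message would carry

    def __post_init__(self) -> None:
        for cls in self.levels:
            self.blocked.setdefault(cls, False)

    def evaluate_interval(self, counts: Dict[str, int]) -> Dict[str, bool]:
        """Consume one 1-second measurement (packets received per class) and
        return which classes are dropped during the *next* interval."""
        if self.errdisabled:
            return {cls: True for cls in self.levels}
        for cls, level in self.levels.items():
            rate = counts.get(cls, 0)
            if not self.blocked[cls]:
                if rate >= level.rising_pps:            # rising threshold reached
                    self.blocked[cls] = True
                    self.events.append(f"{cls} storm: {rate} pps >= {level.rising_pps}")
                    if level.action == "shutdown":      # error-disable the whole port
                        self.errdisabled = True
                        self.events.append("port error-disabled by storm-control action shutdown")
                        return {c: True for c in self.levels}
            elif rate < level.unblock_below:            # storm has subsided
                self.blocked[cls] = False
                self.events.append(f"{cls} storm cleared: {rate} pps < {level.unblock_below}")
        return dict(self.blocked)


def simulate(port: StormControlPort, samples: List[Dict[str, int]]) -> List[Dict[str, bool]]:
    """Feed a series of per-second measurements; return the blocked state after each."""
    return [port.evaluate_interval(sample) for sample in samples]


if __name__ == "__main__":
    # Constructed measurements resembling the T1..T5 pattern described above.
    samples = [{"broadcast": n} for n in (50, 120, 90, 70, 50, 130, 40)]
    port = StormControlPort({"broadcast": StormControlLevel(100, 60)})
    for sample, state in zip(samples, simulate(port, samples)):
        print(f"{sample['broadcast']:4d} pps -> {'blocked' if state['broadcast'] else 'forwarding'}")
    print("\n".join(port.events))
```

Running the same series through a port with no falling level shows the practical difference: the port unblocks on the first interval that dips below the rising level, so a storm hovering around the threshold makes the port alternate between blocked and forwarding every second, which is why a lower falling level is normally configured alongside the rising one.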
How to Configure Storm Control
Configuring Storm Control and Threshold Levels
You configure storm control on a port and enter the threshold level that you want to be used for a particular type of traffic.
However, because of hardware limitations and the way in which packets of different sizes are counted, threshold percentages are approximations. Depending on the sizes of the packets making up the incoming traffic, the actual enforced threshold might differ from the configured level by several percentage points.
Note: Storm control is supported on physical interfaces. You can also configure storm control on an EtherChannel. When storm control is configured on an EtherChannel, the storm control settings propagate to the EtherChannel physical interfaces.
Follow these steps to configure storm control and threshold levels:
SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. storm-control {broadcast | multicast | unicast} level {level [level-low] | bps bps [bps-low] | pps pps [pps-low]}
5. storm-control action {shutdown | trap}
6. end
7. show storm-control [interface-id] [broadcast | multicast | unicast]
8. copy running-config startup-config
DETAILED STEPS
Configuring Small-Frame Arrival Rate
Incoming VLAN-tagged packets smaller than 67 bytes are considered small frames. They are forwarded by the switch, but they do not cause the switch storm-control counters to increment.
You globally enable the small-frame arrival feature on the switch and then configure the small-frame threshold for packets on each interface. When packets smaller than the minimum size arrive at or above the configured rate (the threshold), the port is error disabled and the packets are dropped.
SUMMARY STEPS
1. enable
2. configure terminal
3. errdisable detect cause small-frame
4. errdisable recovery interval interval
5. errdisable recovery cause small-frame
6. interface interface-id
7. small-frame violation-rate pps
8. end
9. show interfaces interface-id
10. show running-config
11. copy running-config startup-config
DETAILED STEPS
Configuration Examples for Configuring Storm Control
Example: Configuring Storm Control and Threshold Levels
This example shows how to enable broadcast storm control on a port with a level of 20 percent. When the broadcast traffic exceeds 20 percent of the total available bandwidth of the port within the traffic-storm-control interval, the switch drops all broadcast traffic until the end of the interval:
Switch# configure terminal
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# storm-control broadcast level 20
Configuring Protected Ports
Information About Protected Ports
Protected Ports
Some applications require that no traffic be forwarded at Layer 2 between ports on the same switch so that one neighbor does not see the traffic generated by another neighbor. In such an environment, the use of protected ports ensures that there is no exchange of unicast, broadcast, or multicast traffic between these ports on the switch.
Protected ports have these features:
- A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is also a protected port. Data traffic cannot be forwarded between protected ports at Layer 2; only control traffic, such as PIM packets, is forwarded because these packets are processed by the CPU and forwarded in software. All data traffic passing between protected ports must be forwarded through a Layer 3 device.
- Forwarding behavior between a protected port and a nonprotected port proceeds as usual.
Because a switch stack represents a single logical switch, Layer 2 traffic is not forwarded between any protected ports in the switch stack, whether they are on the same or different switches in the stack.
Default Protected Port Configuration
By default, no ports are protected.
Protected Ports Guidelines
You can configure protected ports on a physical interface (for example, Gigabit Ethernet port 1) or an EtherChannel group (for example, port-channel 5). When you enable protected ports for a port channel, it is enabled for all ports in the port-channel group.
Do not configure a private-VLAN port as a protected port. Do not configure a protected port as a private-VLAN port. A private-VLAN isolated port does not forward traffic to other isolated ports or community ports.
How to Configure Protected Ports
Configuring a Protected Port
Protected ports are not predefined; use this task to configure one.
DETAILED STEPS
Configuring Port Blocking
Information About Port Blocking
Port Blocking
By default, the switch floods packets with unknown destination MAC addresses out of all ports. If unknown unicast and multicast traffic is forwarded to a protected port, there could be security issues. To prevent unknown unicast or multicast traffic from being forwarded from one port to another, you can block a port (protected or nonprotected) from flooding unknown unicast or multicast packets to other ports.
Note: With multicast traffic, the port blocking feature blocks only pure Layer 2 packets. Multicast packets that contain IPv4 or IPv6 information in the header are not blocked.
How to Configure Port Blocking
Blocking Flooded Traffic on an Interface
The interface can be a physical interface or an EtherChannel group. When you block multicast or unicast traffic for a port channel, it is blocked on all ports in the port-channel group.
DETAILED STEPS
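An added example covering both the Protected Ports and the Port Blocking sections (illustrative Python written for this page, not Cisco code): a small Layer 2 forwarding model that makes the difference between the two features visible. A protected port exchanges no data traffic with another protected port, whatever the destination, while port blocking only stops flooded unknown-unicast and pure Layer 2 multicast frames from reaching the blocked port; known unicast, broadcast, and multicast carrying an IP header still get through. The model assumes the block flags act on the egress side (the blocked port is the one that stops receiving the flood), which is how switchport block behaves. Port names and MAC strings are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class Port:
    name: str
    protected: bool = False        # switchport protected
    block_unicast: bool = False    # switchport block unicast
    block_multicast: bool = False  # switchport block multicast


@dataclass
class Switch:
    ports: Dict[str, Port]
    mac_table: Dict[str, str] = field(default_factory=dict)  # MAC -> port name

    def receive(self, ingress: str, src: str, dst: str, kind: str,
                ip_header: bool = False) -> Set[str]:
        """Learn src on the ingress port and return the egress ports for a frame
        of the given kind ('unicast', 'multicast' or 'broadcast')."""
        self.mac_table[src] = ingress
        in_port = self.ports[ingress]
        if kind == "unicast" and dst in self.mac_table:
            out = self.ports[self.mac_table[dst]]
            if out.name == ingress:
                return set()
            if in_port.protected and out.protected:
                return set()            # no Layer 2 data traffic between protected ports
            return {out.name}           # known unicast is never affected by port blocking
        # Unknown unicast, multicast and broadcast are flooded to every other port...
        egress: Set[str] = set()
        for p in self.ports.values():
            if p.name == ingress:
                continue
            if in_port.protected and p.protected:
                continue                # ...except between two protected ports
            if kind == "unicast" and p.block_unicast:
                continue                # ...and unknown unicast is not flooded to a blocked port
            if kind == "multicast" and p.block_multicast and not ip_header:
                continue                # ...nor pure Layer 2 multicast (IP multicast still is)
            egress.add(p.name)
        return egress


if __name__ == "__main__":
    sw = Switch({"g1": Port("g1", protected=True), "g2": Port("g2", protected=True),
                 "g3": Port("g3"), "g4": Port("g4", block_unicast=True, block_multicast=True)})
    print("unknown unicast from g1:", sw.receive("g1", "aa", "ff", "unicast"))
    print("broadcast from g3:      ", sw.receive("g3", "cc", "ffff", "broadcast"))
    sw.receive("g2", "bb", "ff", "unicast")   # learn bb on g2
    print("g1 -> bb (known):       ", sw.receive("g1", "aa", "bb", "unicast"))
```

The last line of the demo is the point practitioners most often miss: a known destination on another protected port is still dropped, so two hosts on protected ports can only reach each other through a Layer 3 device, whereas a blocked port keeps receiving unicast as soon as its address has been learned.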
Configuring Port Security
- Prerequisites for Port Security
- Restrictions for Port Security
- Information About Port Security
- How to Configure Port Security
- Configuration Examples for Configuring Port Security
- Configuring Protocol Storm Protection
- Monitoring Protocol Storm Protection
Prerequisites for Port Security
Note: If you try to set the maximum value to a number less than the number of secure addresses already configured on an interface, the command is rejected.
Restrictions for Port Security
The maximum number of secure MAC addresses that you can configure on a switch or switch stack is set by the maximum number of available MAC addresses allowed in the system. This number is determined by the active Switch Database Management (SDM) template. This number is the total of available MAC addresses, including those used for other Layer 2 functions and any other secure MAC addresses configured on interfaces.
Information About Port Security
Port Security
You can use the port security feature to restrict input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the workstation attached to that port is assured the full bandwidth of the port.
If a port is configured as a secure port and the maximum number of secure MAC addresses is reached, when the MAC address of a station attempting to access the port is different from any of the identified secure MAC addresses, a security violation occurs. Also, if a station with a secure MAC address configured or learned on one secure port attempts to access another secure port, a violation is flagged.
Types of Secure MAC Addresses
The switch supports these types of secure MAC addresses:
Static secure MAC addresses—These are manually configured by using the switchport port-security mac-address mac-address interface configuration command, stored in the address table, and added to the switch running configuration.
Dynamic secure MAC addresses—These are dynamically configured, stored only in the address table, and removed when the switch restarts.
Sticky secure MAC addresses—These can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, when the switch restarts, the interface does not need to dynamically reconfigure them.
Sticky Secure MAC Addresses
You can configure an interface to convert the dynamic MAC addresses to sticky secure MAC addresses and to add them to the running configuration by enabling sticky learning. The interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses. All sticky secure MAC addresses are added to the running configuration.
The sticky secure MAC addresses do not automatically become part of the configuration file, which is the startup configuration used each time the switch restarts. If you save the sticky secure MAC addresses in the configuration file, when the switch restarts, the interface does not need to relearn these addresses. If you do not save the sticky secure addresses, they are lost.
If sticky learning is disabled, the sticky secure MAC addresses are converted to dynamic secure addresses and are removed from the running configuration.
Security Violations
It is a security violation when one of these situations occurs:
The maximum number of secure MAC addresses have been added to the address table, and a station whose MAC address is not in the address table attempts to access the interface.
An address learned or configured on one secure interface is seen on another secure interface in the same VLAN.
You can configure the interface for one of three violation modes, based on the action to be taken if a violation occurs:
- protect—when the number of secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.
Note: We do not recommend configuring the protect violation mode on a trunk port. The protect mode disables learning when any VLAN reaches its maximum limit, even if the port has not reached its maximum limit.
- restrict—when the number of secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses. In this mode, you are notified that a security violation has occurred. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.
- shutdown—a port security violation causes the interface to become error-disabled and to shut down immediately, and the port LED turns off. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands. This is the default mode.
- shutdown vlan—Use to set the security violation mode per VLAN. In this mode, the VLAN is error disabled instead of the entire port when a violation occurs.
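An added example (illustrative Python written for this page, not Cisco code) that models secure-address learning and the protect, restrict and shutdown violation modes described above, together with the two violation conditions: the port is full and an unknown source MAC arrives, or a MAC secured on one port is seen on another secure port in the same VLAN. Port names, maximums and MAC addresses are constructed; the owner table that detects a MAC moving between secure ports and the running_config rendering are this example's own design, kept consistent with the text (dynamic addresses are not written to the configuration, sticky and static ones are).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                 # one secure address assumed as the starting maximum
    violation: str = "shutdown"      # protect | restrict | shutdown (shutdown is the default)
    sticky: bool = False
    secure: Dict[str, str] = field(default_factory=dict)  # mac -> static | dynamic | sticky
    errdisabled: bool = False
    violation_count: int = 0


@dataclass
class PortSecurity:
    ports: Dict[str, SecurePort]
    owner: Dict[Tuple[str, int], str] = field(default_factory=dict)  # (mac, vlan) -> port
    syslog: List[str] = field(default_factory=list)

    def set_maximum(self, port: str, value: int) -> bool:
        """A maximum below the number of secure addresses already on the port is rejected."""
        p = self.ports[port]
        if value < len(p.secure):
            return False
        p.maximum = value
        return True

    def add_static(self, port: str, mac: str, vlan: int) -> bool:
        p = self.ports[port]
        if mac not in p.secure and len(p.secure) >= p.maximum:
            return False
        p.secure[mac] = "static"
        self.owner[(mac, vlan)] = port
        return True

    def set_sticky(self, port: str, enabled: bool) -> None:
        """Enabling sticky converts dynamic addresses to sticky; disabling converts them back."""
        p = self.ports[port]
        p.sticky = enabled
        old, new = ("dynamic", "sticky") if enabled else ("sticky", "dynamic")
        for mac, kind in p.secure.items():
            if kind == old:
                p.secure[mac] = new

    def _violation(self, p: SecurePort, mac: str, reason: str) -> bool:
        if p.violation == "protect":
            return False                       # dropped silently, no notification
        p.violation_count += 1                 # restrict and shutdown: trap, syslog, counter
        self.syslog.append(f"{p.name}: security violation ({reason}) by {mac}")
        if p.violation == "shutdown":
            p.errdisabled = True               # cleared by errdisable recovery or shutdown/no shutdown
        return False

    def ingress(self, port: str, mac: str, vlan: int) -> bool:
        """Return True if a frame with source 'mac' is forwarded on 'port'."""
        p = self.ports[port]
        if p.errdisabled:
            return False
        if mac in p.secure:
            return True
        other = self.owner.get((mac, vlan))
        if other is not None and other != port:
            return self._violation(p, mac, f"address secured on {other}")
        if len(p.secure) >= p.maximum:
            return self._violation(p, mac, "maximum reached")
        p.secure[mac] = "sticky" if p.sticky else "dynamic"
        self.owner[(mac, vlan)] = port
        return True

    def running_config(self, port: str) -> List[str]:
        """Only static and sticky addresses appear in the running configuration."""
        p = self.ports[port]
        lines = ["switchport port-security",
                 f"switchport port-security maximum {p.maximum}",
                 f"switchport port-security violation {p.violation}"]
        if p.sticky:
            lines.append("switchport port-security mac-address sticky")
        for mac, kind in sorted(p.secure.items()):
            if kind == "static":
                lines.append(f"switchport port-security mac-address {mac}")
            elif kind == "sticky":
                lines.append(f"switchport port-security mac-address sticky {mac}")
        return lines


if __name__ == "__main__":
    ps = PortSecurity({"g1": SecurePort("g1", maximum=2, violation="restrict"), "g2": SecurePort("g2")})
    for mac in ("0000.0000.0001", "0000.0000.0002", "0000.0000.0003"):
        print("g1", mac, "forwarded" if ps.ingress("g1", mac, 10) else "dropped")
    print("g2 sees 0000.0000.0001:", ps.ingress("g2", "0000.0000.0001", 10), "errdisabled:", ps.ports["g2"].errdisabled)
    ps.set_sticky("g1", True)
    print("\n".join(ps.running_config("g1")))
```

Running it shows the asymmetry that matters operationally: the restrict port keeps forwarding its two known hosts while counting and logging the third, whereas the shutdown-mode port that sees a MAC already secured elsewhere goes error-disabled on the first frame and forwards nothing until it is recovered.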
Default Port Security Configuration
| Feature | Default Setting |
|---|---|
| Violation mode | Shutdown. The port shuts down when the maximum number of secure MAC addresses is exceeded. |
Port Security Configuration Guidelines
- Port security can only be configured on static access ports or trunk ports. A secure port cannot be a dynamic access port.
- A secure port cannot be a destination port for Switched Port Analyzer (SPAN).
- Note: Voice VLAN is only supported on access ports and not on trunk ports, even though the configuration is allowed.
- When you enable port security on an interface that is also configured with a voice VLAN, set the maximum allowed secure addresses on the port to two. When the port is connected to a Cisco IP phone, the IP phone requires one MAC address. The Cisco IP phone address is learned on the voice VLAN, but is not learned on the access VLAN. If you connect a single PC to the Cisco IP phone, no additional MAC addresses are required. If you connect more than one PC to the Cisco IP phone, you must configure enough secure addresses to allow one for each PC and one for the phone.
- When a trunk port configured with port security is assigned to an access VLAN for data traffic and to a voice VLAN for voice traffic, entering the switchport voice and switchport priority extend interface configuration commands has no effect. When a connected device uses the same MAC address to request an IP address for the access VLAN and then an IP address for the voice VLAN, only the access VLAN is assigned an IP address.
- When you enter a maximum secure address value for an interface, and the new value is greater than the previous value, the new value overwrites the previously configured value. If the new value is less than the previous value and the number of configured secure addresses on the interface exceeds the new value, the command is rejected.
- The switch does not support port security aging of sticky secure MAC addresses.
Port security compatibility with these port types:
| Type of Port | Compatible with Port Security |
|---|---|
| Dynamic-access port | No |
| Voice VLAN port | Yes (set the maximum secure addresses to at least two; see the guidelines above) |
| Private VLAN port | Yes |
Port Security Aging
You can use port security aging to set the aging time for all secure addresses on a port. Two types of aging are supported per port:
- Absolute—The secure addresses on the port are deleted after the specified aging time.
- Inactivity—The secure addresses on the port are deleted only if they are inactive for the specified aging time.
Port Security and Switch Stacks
When a switch joins a stack, the new switch will get the configured secure addresses. All dynamic secure addresses are downloaded by the new stack member from the other stack members.
When a switch (either the active switch or a stack member) leaves the stack, the remaining stack members are notified, and the secure MAC addresses configured or learned by that switch are deleted from the secure MAC address table.
How to Configure Port Security
Enabling and Configuring Port Security
This task restricts input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port:
SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. switchport mode {access | trunk}
5. switchport voice vlan vlan-id
6. switchport port-security
7. switchport port-security [maximum value [vlan {vlan-list | {access | voice}}]]
8. switchport port-security violation {protect | restrict | shutdown | shutdown vlan}
9. switchport port-security [mac-address mac-address [vlan {vlan-id | {access | voice}}]
10. switchport port-security mac-address sticky
11. switchport port-security mac-address sticky [mac-address | vlan {vlan-id | {access | voice}}]
12. end
13. show port-security
14. show running-config
15. copy running-config startup-config
DETAILED STEPS
| Step | Command or Action | Purpose |
|---|---|---|
| 1 | enable. Example: Switch> enable | Enables privileged EXEC mode. Enter your password if prompted. |
| 2 | configure terminal. Example: Switch# configure terminal | Enters global configuration mode. |
| 3 | interface interface-id. Example: Switch(config)# interface gigabitethernet1/0/1 | Specifies the interface to be configured, and enters interface configuration mode. |
| 4 | switchport mode {access \| trunk}. Example: Switch(config-if)# switchport mode access | Sets the interface switchport mode as access or trunk; an interface in the default mode (dynamic auto) cannot be configured as a secure port. |
| 5 | switchport voice vlan vlan-id. Example: Switch(config-if)# switchport voice vlan 22 | (Optional) Enables voice VLAN on the port. vlan-id is the VLAN to be used for voice traffic. |
| 6 | switchport port-security. Example: Switch(config-if)# switchport port-security | Enables port security on the interface. |
| 7 | switchport port-security [maximum value [vlan {vlan-list \| {access \| voice}}]]. Example: Switch(config-if)# switchport port-security maximum 20 | (Optional) Sets the maximum number of secure MAC addresses for the interface. The maximum number of secure MAC addresses that you can configure on a switch or switch stack is set by the maximum number of available MAC addresses allowed in the system. This number is set by the active Switch Database Management (SDM) template. This number is the total of available MAC addresses, including those used for other Layer 2 functions and any other secure MAC addresses configured on interfaces. (Optional) vlan sets a per-VLAN maximum value. After the vlan keyword, enter vlan-list (on a trunk port, a per-VLAN maximum for the listed VLANs), access (on an access port, the maximum for the access VLAN), or voice (the maximum for the voice VLAN). |
| 8 | switchport port-security violation {protect \| restrict \| shutdown \| shutdown vlan}. Example: Switch(config-if)# switchport port-security violation restrict | (Optional) Sets the violation mode, the action to be taken when a security violation is detected: protect (packets with unknown source addresses are dropped with no notification), restrict (packets are dropped, an SNMP trap is sent, a syslog message is logged, and the violation counter increments), shutdown (the interface is error-disabled; this is the default), or shutdown vlan (only the VLAN on which the violation occurred is error-disabled). |
| 9 | switchport port-security [mac-address mac-address [vlan {vlan-id \| {access \| voice}}]. Example: Switch(config-if)# switchport port-security mac-address 00:A0:C7:12:C9:25 vlan 3 voice | (Optional) Enters a secure MAC address for the interface. You can use this command to enter the maximum number of secure MAC addresses. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned. (Optional) vlan specifies the VLAN on which the address is secured: vlan-id (on a trunk port), access (the access VLAN), or voice (the voice VLAN). |
| 10 | switchport port-security mac-address sticky. Example: Switch(config-if)# switchport port-security mac-address sticky | (Optional) Enables sticky learning on the interface. |
| 11 | switchport port-security mac-address sticky [mac-address \| vlan {vlan-id \| {access \| voice}}]. Example: Switch(config-if)# switchport port-security mac-address sticky 00:A0:C7:12:C9:25 vlan voice | (Optional) Enters a sticky secure MAC address, repeating the command as many times as necessary. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned, are converted to sticky secure MAC addresses, and are added to the running configuration. (Optional) vlan specifies the VLAN on which the address is secured: vlan-id (on a trunk port), access (the access VLAN), or voice (the voice VLAN). |
| 12 | end. Example: Switch(config)# end | Returns to privileged EXEC mode. |
| 13 | show port-security. Example: Switch# show port-security | Verifies your entries. |
| 14 | show running-config. Example: Switch# show running-config | Verifies your entries. |
| 15 | copy running-config startup-config. Example: Switch# copy running-config startup-config | (Optional) Saves your entries in the configuration file. |
Enabling and Configuring Port Security Aging
Use this feature to remove and add devices on a secure port without manually deleting the existing secure MAC addresses and to still limit the number of secure addresses on a port. You can enable or disable the aging of secure addresses on a per-port basis.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. switchport port-security aging {static | time time | type {absolute | inactivity}}
5. end
6. show port-security [interface interface-id] [address]
7. show running-config
8. copy running-config startup-config
DETAILED STEPS
| Step | Command or Action | Purpose |
|---|---|---|
| 1 | enable. Example: Switch> enable | Enables privileged EXEC mode. Enter your password if prompted. |
| 2 | configure terminal. Example: Switch# configure terminal | Enters global configuration mode. |
| 3 | interface interface-id. Example: Switch(config)# interface gigabitethernet1/0/1 | Specifies the interface to be configured, and enters interface configuration mode. |
| 4 | switchport port-security aging {static \| time time \| type {absolute \| inactivity}}. Example: Switch(config-if)# switchport port-security aging time 120 | Enables or disables static aging for the secure port, or sets the aging time or type. Enter static to enable aging for statically configured secure addresses on this port. For time, specify the aging time for this port; the valid range is from 0 to 1440 minutes. For type, select absolute (the secure addresses on the port are deleted after the aging time) or inactivity (the secure addresses are deleted only if they are inactive for the aging time). |
| 5 | end. Example: Switch(config)# end | Returns to privileged EXEC mode. |
| 6 | show port-security [interface interface-id] [address]. Example: Switch# show port-security interface gigabitethernet1/0/1 | Verifies your entries. |
| 7 | show running-config. Example: Switch# show running-config | Verifies your entries. |
| 8 | copy running-config startup-config. Example: Switch# copy running-config startup-config | (Optional) Saves your entries in the configuration file. |
Configuration Examples for Configuring Port Security
Example: Enabling and Configuring Port Security
This example shows how to enable port security on a port and to set the maximum number of secure addresses to 50. The violation mode is the default, no static secure MAC addresses are configured, and sticky learning is enabled.
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 50
Switch(config-if)# switchport port-security mac-address sticky
This example shows how to configure a static secure MAC address on VLAN 3 on a trunk port:
Switch(config)# interface gigabitethernet1/0/2
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security mac-address 0000.0200.0004 vlan 3
This example shows how to enable sticky port security on an access port that also carries a voice VLAN, configure static and sticky secure MAC addresses on the access and voice VLANs, and set per-VLAN maximum values:
Switch(config)# interface tengigabitethernet1/0/1
Switch(config-if)# switchport access vlan 21
Switch(config-if)# switchport mode access
Switch(config-if)# switchport voice vlan 22
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 20
Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0002
Switch(config-if)# switchport port-security mac-address 0000.0000.0003
Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0001 vlan voice
Switch(config-if)# switchport port-security mac-address 0000.0000.0004 vlan voice
Switch(config-if)# switchport port-security maximum 10 vlan access
Switch(config-if)# switchport port-security maximum 10 vlan voice
Example: Enabling and Configuring Port Security Aging
This example shows how to set the aging time to 2 minutes with the inactivity aging type, with aging enabled for the statically configured secure addresses on the interface:
Switch(config-if)# switchport port-security aging time 2
Switch(config-if)# switchport port-security aging type inactivity
Switch(config-if)# switchport port-security aging static
Configuring Port Security and Private VLANs
Port security allows an administrator to limit the number of MAC addresses learned on a port or to define which MAC addresses can be learned on a port.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. switchport mode private-vlan {host | promiscuous}
5. switchport port-security
6. end
7. show port-security [interface interface-id] [address]
8. show running-config
9. copy running-config startup-config
DETAILED STEPS
| Step | Command or Action | Purpose |
|---|---|---|
| 1 | enable. Example: Switch> enable | Enables privileged EXEC mode. Enter your password if prompted. |
| 2 | configure terminal. Example: Switch# configure terminal | Enters global configuration mode. |
| 3 | interface interface-id. Example: Switch(config)# interface gigabitethernet 1/0/8 | Specifies the interface to be configured, and enters interface configuration mode. |
| 4 | switchport mode private-vlan {host \| promiscuous}. Example: Switch(config-if)# switchport mode private-vlan promiscuous | Configures the interface as a private-VLAN host or promiscuous port. |
| 5 | switchport port-security. Example: Switch(config-if)# switchport port-security | Enables port security on the interface. |
| 6 | end. Example: Switch(config)# end | Returns to privileged EXEC mode. |
| 7 | show port-security [interface interface-id] [address]. Example: Switch# show port-security interface gigabitethernet1/0/8 | Verifies your entries. |
| 8 | show running-config. Example: Switch# show running-config | Verifies your entries. |
| 9 | copy running-config startup-config. Example: Switch# copy running-config startup-config | (Optional) Saves your entries in the configuration file. |
Configuring Protocol Storm Protection
- Information About Protocol Storm Protection
- How to Configure Protocol Storm Protection
- Enabling Protocol Storm Protection
Information About Protocol Storm Protection
Protocol Storm Protection
When a switch is flooded with Address Resolution Protocol (ARP) or control packets, the resulting high CPU utilization can overload the CPU. These issues can occur:
- Routing protocols can flap because protocol control packets are not received, and neighbor adjacencies are dropped.
- Spanning Tree Protocol (STP) reconverges because STP bridge protocol data units (BPDUs) cannot be sent or received.
Using protocol storm protection, you can control the rate at which control packets are sent to the switch by specifying the upper threshold for the packet flow rate. The supported protocols are ARP, ARP snooping, Dynamic Host Configuration Protocol (DHCP) v4, DHCP snooping, Internet Group Management Protocol (IGMP), and IGMP snooping.
When the packet rate exceeds the defined threshold, the switch drops all traffic arriving on the specified virtual port for 30 seconds. The packet rate is measured again, and protocol storm protection is again applied if necessary.
For further protection, you can manually error disable the virtual port, blocking all incoming traffic on the virtual port. You can manually enable the virtual port or set a time interval for automatic re-enabling of the virtual port.
Note: Excess packets are dropped on no more than two virtual ports. Virtual port error disabling is not supported for EtherChannel and Flexlink interfaces.
Default Protocol Storm Protection Configuration
Protocol storm protection is disabled by default. When it is enabled, auto-recovery of the virtual port is disabled by default.
How to Configure Protocol Storm Protection
Enabling Protocol Storm Protection
SUMMARY STEPS
1. enable
2. configure terminal
3. psp {arp | dhcp | igmp} pps value
4. errdisable detect cause psp
5. errdisable recovery interval time
6. end
7. show psp config {arp | dhcp | igmp}
DETAILED STEPS
| Step | Command or Action | Purpose |
|---|---|---|
| 1 | enable. Example: Switch> enable | Enables privileged EXEC mode. Enter your password if prompted. |
| 2 | configure terminal. Example: Switch# configure terminal | Enters global configuration mode. |
| 3 | psp {arp \| dhcp \| igmp} pps value. Example: Switch(config)# psp dhcp pps 35 | Configures protocol storm protection for ARP, IGMP, or DHCP. For value, specifies the threshold value for the number of packets per second. If the traffic exceeds this value, protocol storm protection is enforced. The range is from 5 to 50 packets per second. |
| 4 | errdisable detect cause psp. Example: Switch(config)# errdisable detect cause psp | (Optional) Enables error-disable detection for protocol storm protection. If this feature is enabled, the virtual port is error disabled. If this feature is disabled, the port drops excess packets without error disabling the port. |
| 5 | errdisable recovery interval time | (Optional) Configures an auto-recovery time (in seconds) for error-disabled virtual ports. When a virtual port is error-disabled, the switch auto-recovers after this time. The range is from 30 to 86400 seconds. |
| 6 | end. Example: Switch(config)# end | Returns to privileged EXEC mode. |
| 7 | show psp config {arp \| dhcp \| igmp}. Example: Switch# show psp config dhcp | Verifies your entries. |
Monitoring Protocol Storm Protection
| Command | Purpose |
|---|---|
| show psp config {arp | dhcp | igmp} | Verify your entries. |