Protocol Storm Protection

Restrictions for Configuring Protocol Storm Protection

Virtual port error disabling is not supported for EtherChannel .

Information About Protocol Storm Protection

When a switch is flooded with Address Resolution Protocol (ARP) or control packets, high CPU utilization can cause the CPU to overload. These issues can occur:

  • Routing protocol can flap because the protocol control packets are not received, and neighboring adjacencies are dropped.

  • Spanning Tree Protocol (STP) reconverges because the STP bridge protocol data unit (BPDU) cannot be sent or received.

  • CLI is slow or unresponsive.

Using protocol storm protection, you can control the rate at which control packets are sent to the switch by specifying the upper threshold for the packet flow rate. The supported protocols are ARP, ARP snooping, Dynamic Host Configuration Protocol (DHCP) v4, DHCP snooping, Internet Group Management Protocol (IGMP), and IGMP snooping.

When the packet rate exceeds the defined threshold, the switch drops all traffic arriving on the specified virtual port for 30 seconds. The packet rate is measured again, and protocol storm protection is again applied if necessary.

For further protection, you can manually error disable the virtual port, blocking all incoming traffic on the virtual port. You can manually enable the virtual port or set a time interval for automatic re-enabling of the virtual port.


Note


Excess packets are dropped on no more than two virtual ports.


Protocol storm protection is disabled by default. When it is enabled, auto-recovery of the virtual port is disabled by default.

How to Enable Protocol Storm Protection

To enable protocol storm protection, perform this procedure:

Procedure

  Command or Action Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2

configure terminal

Example:

Device configure terminal

Enters global configuration mode.

Step 3

psp {arp | dhcp | igmp} pps value

Example:

Device(config)# psp dhcp pps 35

Configures protocol storm protection for ARP, IGMP, or DHCP.

value : Specifies the threshold value for the number of packets per second. If the traffic exceeds this value, protocol storm protection is enforced. The range is from 5 to 50 packets per second.

Step 4

errdisable detect cause psp

Example:

Device(config)# errdisable detect cause psp

(Optional) Enables error-disable detection for protocol storm protection. If this feature is enabled, the virtual port is error disabled. If this feature is disabled, the port drops excess packets without error disabling the port.

Step 5

errdisable recovery interval time

Example:

Device(config)# errdisable recovery interval 100

(Optional) Configures an auto-recovery time (in seconds) for error-disabled virtual ports. When a virtual port is error-disabled, the switch auto-recovers after this time. The range is from 30 to 86400 seconds.

Step 6

end

Example:

Device(config-line)# end

Returns to privileged EXEC mode.

Step 7

show psp config {arp | dhcp | igmp}

Example:

Device# show psp config dhcp

Verifies your entries.

Monitoring Protocol Storm Protection

Table 1. Commands for Verfying Entries
Command Purpose

show psp config {arp | dhcp | igmp}

Verify your entries.

Feature History for Protocol Storm Protection

This table provides release and related information for features explained in this module.

These features are available on all releases subsequent to the one they were introduced in, unless noted otherwise.

Release

Feature

Feature Information

Cisco IOS Release 15.2(7)E3k

Protocol Storm Protection

Using protocol storm protection, you can control the rate at which control packets are sent to the switch by specifying the upper threshold for the packet flow rate.

Use Cisco Feature Navigator to find information about platform and software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn.