Restrictions for Configuring Protocol Storm Protection
Virtual port error disabling is not supported for EtherChannel .
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
Virtual port error disabling is not supported for EtherChannel .
When a switch is flooded with Address Resolution Protocol (ARP) or control packets, high CPU utilization can cause the CPU to overload. These issues can occur:
Routing protocol can flap because the protocol control packets are not received, and neighboring adjacencies are dropped.
Spanning Tree Protocol (STP) reconverges because the STP bridge protocol data unit (BPDU) cannot be sent or received.
CLI is slow or unresponsive.
Using protocol storm protection, you can control the rate at which control packets are sent to the switch by specifying the upper threshold for the packet flow rate. The supported protocols are ARP, ARP snooping, Dynamic Host Configuration Protocol (DHCP) v4, DHCP snooping, Internet Group Management Protocol (IGMP), and IGMP snooping.
When the packet rate exceeds the defined threshold, the switch drops all traffic arriving on the specified virtual port for 30 seconds. The packet rate is measured again, and protocol storm protection is again applied if necessary.
For further protection, you can manually error disable the virtual port, blocking all incoming traffic on the virtual port. You can manually enable the virtual port or set a time interval for automatic re-enabling of the virtual port.
![]() Note |
Excess packets are dropped on no more than two virtual ports. |
Protocol storm protection is disabled by default. When it is enabled, auto-recovery of the virtual port is disabled by default.
To enable protocol storm protection, perform this procedure:
Command or Action | Purpose | |
---|---|---|
Step 1 |
enable Example:
|
Enables privileged EXEC mode. Enter your password if prompted. |
Step 2 |
configure terminal Example:
|
Enters global configuration mode. |
Step 3 |
psp {arp | dhcp | igmp} pps value Example:
|
Configures protocol storm protection for ARP, IGMP, or DHCP. value : Specifies the threshold value for the number of packets per second. If the traffic exceeds this value, protocol storm protection is enforced. The range is from 5 to 50 packets per second. |
Step 4 |
errdisable detect cause psp Example:
|
(Optional) Enables error-disable detection for protocol storm protection. If this feature is enabled, the virtual port is error disabled. If this feature is disabled, the port drops excess packets without error disabling the port. |
Step 5 |
errdisable recovery interval time Example:
|
(Optional) Configures an auto-recovery time (in seconds) for error-disabled virtual ports. When a virtual port is error-disabled, the switch auto-recovers after this time. The range is from 30 to 86400 seconds. |
Step 6 |
end Example:
|
Returns to privileged EXEC mode. |
Step 7 |
show psp config {arp | dhcp | igmp} Example:
|
Verifies your entries. |
Command | Purpose |
---|---|
show psp config {arp | dhcp | igmp} |
Verify your entries. |
This table provides release and related information for features explained in this module.
These features are available on all releases subsequent to the one they were introduced in, unless noted otherwise.
Release |
Feature |
Feature Information |
---|---|---|
Cisco IOS Release 15.2(7)E3k |
Protocol Storm Protection |
Using protocol storm protection, you can control the rate at which control packets are sent to the switch by specifying the upper threshold for the packet flow rate. |
Use Cisco Feature Navigator to find information about platform and software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn.