Cisco ME 3800x and ME 3600x Switches Software Configuration Guide, Cisco IOS Release 15.4(1)S

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Book Contents
Find Matches in This Book
Available Languages

Results

Updated:
January 28, 2018

Chapter: Configuring Traffic Control

Configuring Traffic Control

This chapter describes how to configure the traffic control features on the Cisco ME 3800X and ME 3600X switch.

Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.

Configuring Storm Control

Understanding Storm Control

The Cisco ME 3800X and 3600X switches support storm control on physical interfaces. When you configure storm control on an interface, it also affects traffic on Ethernet Flow Points (EFPs) configured on the interface.

Storm control prevents traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm on one of the physical interfaces. A LAN storm occurs when packets flood the LAN, creating excessive traffic and degrading network performance. Errors in the protocol-stack implementation, mistakes in the network configuration, and users issuing a denial-of-service attack can cause a storm.

Storm control uses one of these methods to measure traffic activity:

  • Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast, multicast, or unicast traffic
  • Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received
  • Traffic rate in bits per second at which broadcast, multicast, or unicast packets are received

With each method, the port blocks traffic when the rising threshold is reached. The port remains blocked until the traffic rate drops below the falling threshold (if one is specified) and then resumes normal forwarding. If the falling suppression level is not specified, the switch blocks all traffic until the traffic rate drops below the rising suppression level. In general, the higher the level, the less effective the protection against broadcast storms.

Note When the storm control threshold for multicast traffic is reached, all multicast traffic except control traffic, such as bridge protocol data unit (BDPU) and Cisco Discovery Protocol (CDP) frames, are blocked. However, the switch does not differentiate between routing updates, such as OSPF, and regular multicast data traffic, so both types of traffic are blocked.

When storm control is enabled, the switch monitors packets entering an interface and determines if the packet is unicast, multicast, or broadcast. The switch monitors the number of broadcast, multicast, or unicast packets received within a 200-millisecond time interval, and when a threshold for one type of traffic is reached, that type of traffic is dropped. This threshold is specified as a percentage of total available bandwidth that can be used by broadcast (multicast or unicast) traffic.

The graph in Figure 1-1 shows broadcast traffic patterns on an interface over a given period of time. The example can also be applied to multicast and unicast traffic. In this example, the broadcast traffic being forwarded exceeded the configured threshold between time intervals T1 and T2 and between T4 and T5. When the amount of specified traffic exceeds the threshold, all traffic of that kind is dropped for the next time period. Therefore, broadcast traffic is blocked during the intervals following T2 and T5. At the next time interval (for example, T3), if broadcast traffic does not exceed the threshold, it is again forwarded.

Figure 1-1 Broadcast Storm Control Example

 

The combination of the storm-control suppression level and the 200 ms time interval control the way the storm control algorithm works. A higher threshold allows more packets to pass through. A threshold value of 100 percent means that no limit is placed on the traffic. A value of 0.0 means that all broadcast, multicast, or unicast traffic on that port is blocked.

Note Because packets do not arrive at uniform intervals, the 1-second time interval during which traffic activity is measured can affect the behavior of storm control.

The switch continues to monitor traffic on the port, and when the utilization level is below the threshold level, the type of traffic that was dropped is forwarded again.

You use the storm-control interface configuration commands to set the threshold value for each traffic type.

Note Storm control configuration affects traffic on both the switchport and any EVCs on the switchport.

Default Storm Control Configuration

By default, unicast, broadcast, and multicast storm control are disabled on the switch interfaces; that is, the suppression level is 100 percent.

Configuring Storm Control and Threshold Levels

You configure storm control on a port and enter the threshold level that you want to be used for a particular type of traffic. However, because of hardware limitations and the way in which packets of different sizes are counted, threshold percentages are approximations. Depending on the sizes of the packets making up the incoming traffic, the actual enforced threshold might differ from the configured level by several percentage points.

Note You can configure storm control on physical interfaces or on an EtherChannel. When you configure storm control on an EtherChannel, the storm control settings propagate to the EtherChannel physical interfaces.

Beginning in privileged EXEC mode, follow these steps to storm control and threshold levels:

 

Command
Purpose

Step 1

configure terminal

Enter global configuration mode.

Step 2

interface interface-id

Specify the type and number of the physical interface to configure, for example gigabitethernet0/1, and enter interface configuration mode.

Step 3

storm-control { broadcast | multicast | unicast } level { rising_level [ falling_level ] | bps bps [ bps-low ] | pps pps [ pps-low ]}

Configure broadcast, multicast, or unicast storm control. By default, storm control is disabled.

The keywords have these meanings:

  • For rising_level, specify the rising threshold level for broadcast, multicast, or unicast traffic as a percentage (up to two decimal places) of the bandwidth. The port blocks traffic when the rising threshold is reached. The range is 0.00 to 100.00.
  • (Optional) For falling_level, specify the falling threshold level as a percentage (up to two decimal places) of the bandwidth. This value must be less than or equal to the rising suppression value. The port forwards traffic when traffic drops below this level. If you do not configure a falling suppression level, it is set to the rising suppression level. The range is 0.00 to 100.00.

If you set the threshold to the maximum value (100 percent), no limit is placed on the traffic. If you set the threshold to 0.0, all broadcast, multicast, and unicast traffic on that port is blocked.

  • For bps bps, specify the rising threshold level for broadcast, multicast, or unicast traffic in bits per second (up to one decimal place). The port blocks traffic when the rising threshold is reached. The range is 0.0 to 10000000000. 0.
  • (Optional) For bps-low, specify the falling threshold level in bits per second (up to one decimal place). It can be less than or equal to the rising threshold level. The port forwards traffic when traffic drops below this level. The range is 0.0 to 10000000000.0.
  • For pps pps, specify the rising threshold level for broadcast, multicast, or unicast traffic in packets per second (up to one decimal place). The port blocks traffic when the rising threshold is reached. The range is 0.0 to 10000000000.0.
  • (Optional) For pps-low, specify the falling threshold level in packets per second (up to one decimal place). It can be less than or equal to the rising threshold level. The port forwards traffic when traffic drops below this level. The range is 0.0 to 10000000000.0.

For bps and pps settings, you can use metric suffixes such as k, m, and g for large number thresholds.

Step 4

storm-control action { shutdown | trap }

Specify the action to be taken when a storm is detected. The default is to filter out the traffic and not to send traps.

  • Select the shutdown keyword to error-disable the port during a storm.
  • Select the trap keyword to generate an SNMP trap when a storm is detected.

Step 5

end

Return to privileged EXEC mode.

Step 6

show storm-control [ interface-id ] [ broadcast | multicast | unicast ]

Verify the storm control suppression levels set on the interface for the specified traffic type. If you do not enter a traffic type, broadcast storm control settings are displayed.

Step 7

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To disable storm control, use the no storm-control { broadcast | multicast | unicast } level interface configuration command.

This example shows how to enable unicast storm control on a port with an 87-percent rising suppression level and a 65-percent falling suppression level:

Switch# configure terminal
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# storm-control unicast level 87 65
 

This example shows how to enable broadcast address storm control on a port to a level of 20 percent. When the broadcast traffic exceeds the configured level of 20 percent of the total available bandwidth of the port within the traffic-storm-control interval, the switch drops all broadcast traffic until the end of the traffic-storm-control interval:

Switch# configure terminal
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# storm-control broadcast level 20

Configuring Port Blocking

By default, the switch floods packets with unknown destination MAC addresses out of all ports. If unknown unicast and multicast traffic is forwarded to a protected port, there could be security issues. To prevent unknown unicast or multicast traffic from being forwarded from one port to another, you can block a port (protected or nonprotected) from flooding unknown unicast or multicast packets to other ports.

Note With multicast traffic, the port blocking feature blocks only pure Layer 2 packets. Multicast packets that contain IPv4 or IPv6 information in the header are not blocked.

Default Port Blocking Configuration

The default is to not block flooding of unknown multicast and unicast traffic out of a port, but to flood these packets to all ports.

Blocking Flooded Traffic on an Interface

The interface can be a physical interface or an EtherChannel group. When you block multicast or unicast traffic for a port channel, it is blocked on all ports in the port-channel group.

Note You cannon configure port blocking on an interface that has a service instance configured.

Beginning in privileged EXEC mode, follow these steps to disable the flooding of unicast and Layer 2 multicast packets out of an interface:

 

Command
Purpose

Step 1

configure terminal

Enter global configuration mode.

Step 2

interface interface-id

Specify the interface to be configured, and enter interface configuration mode.

Step 3

switchport block multicast

Block unknown multicast forwarding out of the port.

Note Only pure Layer 2 multicast traffic is blocked. Multicast packets that contain IPv4 or IPv6 information in the header are not blocked.

Step 4

switchport block unicast

Block unknown unicast forwarding out of the port.

Step 5

end

Return to privileged EXEC mode.

Step 6

show interfaces interface-id switchport

Verify your entries.

Step 7

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To return the interface to the default condition where no traffic is blocked and normal forwarding occurs on the port, use the no switchport block { multicast | unicast } interface configuration commands.

This example shows how to block unicast and Layer 2 multicast flooding on a port:

Switch# configure terminal
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# switchport block multicast
Switch(config-if)# switchport block unicast
Switch(config-if)# end

Configuring EVC MAC Security

You can use the Ethernet Virtual Connection (EVC) MAC security feature to restrict input to an Ethernet flow point (EFP) service instance by limiting and identifying MAC addresses of the stations allowed accessing the EFP. When you assign secure MAC addresses to a secured EFP, the EFP does not forward packets with source addresses outside the group of defined addresses.

If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the workstation attached to that EFP is assured the full bandwidth of the port.

You can enter the mac security maximum addresses service-instance command to configure an upper limit for the number of secure MAC addresses allowed on an EFP, including permitted addresses, dynamically learned addresses, and sticky addresses. If you do not configure an upper limit, the default number of secured MAC addresses is 1.

If an EFP is configured as a secure EFP and the maximum number of secure MAC addresses is reached, when the MAC address of a station attempting to access the EFP is different from any of the identified secure MAC addresses, a security violation occurs. Also, if a station with a secure MAC address configured or learned on one secure EFP attempts to access another secure EFP, a violation is flagged.

These sections contain this conceptual and configuration information:

Understanding MAC Security

Secure MAC Addresses

You configure the maximum number of secure addresses allowed on an EFP by using the mac security maximum address value service instance configuration command.

Note If you try to set the maximum value to a number less than the number of static or sticky secure addresses already configured on a secure EFP, the command is rejected. If the number of static or sticky secure addresses configured on a secure EFP is less than the new maximum value, the command is accepted and dynamic secure addresses may get deleted to satisfy maximum number of secure address.

The switch supports these types of secure MAC addresses:

  • Static secure MAC addresses—These are manually configured by using the mac security address permits mac-address service instance configuration command. Static secure MAC addresses are stored in the address table and added to the switch running configuration.
  • Dynamic secure MAC addresses—These are dynamically learned, stored only in the address table, and removed when the switch restarts.
  • Sticky secure MAC addresses—These can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, when the switch restarts, the service instance does not need to dynamically reconfigure them.

The sticky secure MAC addresses do not automatically become part of the configuration file, which is the startup configuration used each time the switch restarts. If you save the sticky secure MAC addresses in the configuration file, when the switch restarts, the interface does not need to relearn these addresses. If you do not save the sticky secure addresses, they are lost.

If sticky learning is disabled, the sticky secure MAC addresses are removed from both address table and the running configuration.

You can set the maximum number of secure MAC addresses that you can configure on a bridge domain is determined by using the mac limit max addresses bridge-domain configuration command. The range is 1 to 10000.

Security Violations

It is a security violation when one of these situations occurs:

  • The maximum number of secure MAC addresses for a secure EFP have been added to the address table, and a station whose MAC address is not in the address table attempts to access the EFP.
  • An address learned or configured on one secure EFP is seen on another secure EFP in the same bridge domain.

You can configure the EFP for one of three violation modes, based on the action to be taken if a violation occurs:

  • protect—when the number of secure MAC addresses reaches the maximum limit allowed on the EFP, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.
  • restrict—when the number of secure MAC addresses reaches the maximum limit allowed on the EFP, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses. In this mode, you are notified that a security violation has occurred. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.
  • shutdown—a MAC security violation causes the EFP service instance to become error-disabled and to shut down immediately. An SNMP trap is sent, a syslog message is logged, and the violation counter increments. When a secure EFP is in the error-disabled state, you can manually re-enable it using clear ethernet service instance number interface interface-id privileged EXEC command or entering the shutdown and no shutdown service instance configuration commands. This is the default mode.

Table 1-1 shows the violation mode and the actions taken when you configure a secure EFP.

 

Table 1-1 Security Violation Mode Actions

Violation Mode
Traffic is forwarded 1
Sends SNMP trap
Sends syslog message
Displays error message 2
Violation counter increments
Shuts down port

protect

No

No

No

No

No

No

restrict

No

Yes

Yes

No

Yes

No

shutdown

No

Yes

Yes

No

Yes

Yes

1.Packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses.

2.The switch returns an error message if you manually configure an address that would cause a security violation.

Default EVC MAC Security Configuration

 

Table 1-2 Default EVC MAC Security Configuration
Feature
Default Setting

EVC MAC security

Disabled on an EFP.

Sticky address learning

Disabled.

Maximum number of secure MAC addresses per EFP

1.

Violation mode

Shutdown. The service instance shuts down when the maximum number of secure MAC addresses is exceeded.

MAC security aging

Disabled. Aging time is 0.

Static aging is disabled.

MAC Address Security Guidelines

  • MAC security is disabled by default on an EFP. When MAC security is disabled on an EFP, you can configure MAC security functions, but they do not become operational until you enable MAC security.

A secured EFP is one on which MAC security is enabled.

A secured MAC address is one that is configured or learned.

A secured bridge domain is one on which MAC security is enabled.

  • Secured EFP learned MAC addresses are kept in both the EVC MAC security table and the system MAC address table. Secured addresses are aged out by the configured MAC security aging process.
  • When you enable MAC security on an EFP by entering the mac security service-instance configuration command, the existing MAC addresses on the EFP that were dynamically learned are removed, and configured MAC addresses and sticky MAC address entries are added to the EVC MAC security table.
  • When you remove an EFP from a bridge domain or move an EFP to a new bridge domain, all MAC addresses for the EFP are removed from the MAC address table.
  • A MAC locking condition occurs when a MAC move occurs and a MAC entry already exists for an EFP in a given bridge domain. and the same MAC address is received on a different EFP in the bridge domain. If the move takes place from one secured EFP to another secured EFP, the move is not allowed and the configured violation action occurs. A move between a secured and non-secured EFP is allowed because no violation occurs.

Enabling and Configuring EVC MAC Security

For detailed information about the commands, see the Cisco IOS Carrier Ethernet Command Reference at:

http://www.cisco.com/en/US/docs/ios-xml/ios/cether/command/ce-cr-book.html

Beginning in privileged EXEC mode, follow these steps to configure MAC security on an EFP:

 

Command
Purpose

Step 1

configure terminal

Enter global configuration mode.

Step 2

interface interface-id

Specify the interface to be configured, and enter interface configuration mode.

Step 3

switchport mode trunk

Configure the interface as a trunk port, required for EFP configuration.

Step 4

switchport trunk allowed vlan none

Configure the interface to have no allowed VLANs.

Step 5

service instance number ethernet [ name ]

Configure an EFP (service instance) and enter service instance configuration mode.

  • The number is the EFP identifier, an integer from 1 to 4000.
  • (Optional) ethernet name is the name of a previously configured Ethernet virtual connection (EVC). You do not need to use an EVC name in a service instance.

Step 6

encapsulation { default | dot1q | priority-tagged | untagged }

Configure encapsulation type for the service instance.

  • default —Configure to match all unmatched packets.
  • dot1q —Configure 802.1Q encapsulation.
  • priority-tagged —Specify priority-tagged frames, VLAN-ID 0 and CoS value of 0 to 7.
  • untagged —Map to untagged VLANs. Only one EFP per port can have untagged encapsulation.

Note You must configure encapsulation before you can configure a bridge domain. You must configure a bridge domain to be able to configure some MAC security commands.

Step 7

bridge-domain bridge-id [ split-horizon group group-id ]

Configure the bridge domain ID. The range is from 1 to 8000.

  • (Optional) split-horizon group group-id —Configure a split-horizon group. The group ID is from 1 to 3. EFPs in the same bridge domain and split-horizon group cannot forward traffic between each other, but can forward traffic between other EFPs in the same bridge domain but not in the same split-horizon group.

Note You must configure a bridge domain to see the mac security aging static command or to configure a MAC security maximum address value of more than one.

Step 8

mac security

Enable MAC security on the EFP.

Step 9

mac security address { permit | deny } mac-address

(Optional) Configure the specified MAC address to be permitted or denied on the service instance.

Step 10

mac security maximum addresses value

(Optional) Set the maximum number of secure MAC addresses allowed on the service instance. The range is 1 to 1000. Entering a value of 0 disables dynamic MAC address learning. The maximum number of secure MAC addresses on an EFP is 1000.The maximums number on a bridge domain or on a switch depends on the feature license.

Step 11

mac security violation { protect | restrict }

(Optional) Set the violation response on the service instance. If no response is configured the default response is to errdisable (shut down) the service instance when a MAC security violation occurs.

  • protect —When the number of port secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.
  • restrict —When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.

Step 12

mac security aging { static | sticky | time aging-time [inactivity]

(Optional) Configure MAC security aging characteristics for the service instance.

  • static—Specify that the configured aging time applies to permitted MAC addresses. By default, this only affects dynamically learned addresses.
  • sticky—Specify that the aging time also applies to dynamically learned sticky addresses.
  • time aging-time —Configure the aging time of addresses in the MAC table in minutes. The range is 1 to 1440 minutes.
  • (Optional) inactivity—Specify that the aging time is based on inactivity in sending hosts and not on an absolute time, calculated from the last frame sent and not the first frame.

Step 13

mac security sticky [address mac-address]

(Optional) Enable the sticky feature on a service instance. This means that MAC addresses that are learned dynamically on the EFP are kept persistent across line transitions and device reloads.

  • (Optional) address mac-address—Adds the specified MAC address as a sticky address for the EFP. You must enable the sticky feature before you can configure a sticky MAC address.

Step 14

end

Return to privileged EXEC mode.

Step 15

show ethernet service instance number interface interface-id mac security [ address | last violation | statistics }

Verify your entries.

Step 16

copy running-config startup-config

(Optional) Save your entries in the configuration file.

Use the no form of the commands to remove the configuration and return to the default configuration.

This example shows how to enable mac security on a service instance, permit the specified MAC address, and to set the maximum number of secure addresses to 50. MAC security aging time is 750 minutes. The violation mode is the default (errdisable) and sticky learning is enabled.

Switch(config)# interface gigabitethernet0/1
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport mode allowed VLAN none
Switch (config-if)# service instance 2 Ethernet
Switch (config-if-srv)# encapsulation dot1q
Switch (config-if-srv)# bridge-domain 2
Switch (config-if-srv)# mac security
Switch (config-if-srv)# mac security permit mac-address 0000.0000.0003
Switch (config-if-srv)# mac security maximum addresses 50
Switch (config-if-srv)# mac security aging time 750
Switch (config-if-srv)# mac security sticky
Switch (config-if-srv)# end
 

You can verify the previous commands by entering the show ethernet service instance number interface interface-id mac security privileged EXEC command.

Displaying Traffic Control Settings

 

Table 1-3 Commands for Displaying Traffic Control Status and Configuration

Command
Purpose

show ethernet service instance number interface interface-id mac security

Displays information about MAC security configured on the service instance.

show interfaces [interface-id] switchport

Displays the administrative and operational status of all switching (nonrouting) ports or the specified port, including port blocking settings.

show storm-control [ interface-id ] [ broadcast | multicast | unicast ]

Displays storm control suppression levels set on all interfaces or the specified interface for the specified traffic type or for broadcast traffic if no traffic type is entered.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco