
What Are Broadcast Storms?

One security concern related to switchport flooding is known as a broadcast storm. When excessive broadcast traffic occurs in a network, all devices within the broadcast domain can be negatively affected. In such cases, the switch must flood all broadcast frames to the interfaces within the same VLAN, causing hosts to process these frames, such as ARP requests.

Excessive broadcast traffic can stem from malicious software or a malfunctioning network interface card (NIC). To mitigate this risk, Cisco switches provide a feature called Storm Control. This feature allows you to set a threshold on interfaces, limiting the amount of broadcast, multicast, or unknown unicast traffic, and specifying an action to take when the threshold is surpassed.

Here's an example of how to configure Storm Control to prevent switching broadcast storms in your network:

SW1(config-if)#storm-control ?
  action     Action to take for storm-control
  broadcast  Broadcast address storm control
  multicast  Multicast address storm control
  unicast    Unicast address storm control

As mentioned previously, we can set an action and threshold for broadcast, multicast, or unknown unicast traffic. Let's take a look at some broadcast traffic:

SW1(config)#interface FastEthernet0/1
SW1(config-if)#storm-control broadcast level ?
  <0.00 - 100.00>  Enter rising threshold
  bps              Enter suppression level in bits per second
  pps              Enter suppression level in packets per second

We have a few options for configuring the Storm Control feature. When using the rising threshold, the value you set is a percentage of the interface bandwidth. The other two options are based on bits per second (bps) or packets per second (pps). Let's begin with a straightforward example:

SW1(config-if)#storm-control broadcast level 30

Whenever broadcast traffic exceeds 30% of the interface bandwidth, an action will be triggered. While I haven't yet configured a specific action, the default behavior will be to drop any traffic that exceeds this 30% threshold.

Let's look at an example for some multicast traffic:

SW1(config-if)#storm-control multicast level bps ?
  <0.0 - 10000000000.0>[k|m|g]  Enter rising threshold

Now, I can select a threshold in bps. You can use "K," "M," or "G" to indicate Kbps, Mbps, or Gbps. Let's pick one:

SW1(config-if)#storm-control multicast level bps 10m

Once multicast traffic exceeds 10 Mbps, it will be dropped. In the previous examples, I configured only a rising threshold, meaning that any traffic exceeding this limit will be discarded; however, when the traffic falls below this threshold, it will be allowed again. We also have the option to use a falling threshold:

SW1(config-if)#storm-control unicast level pps 30m 20m

Here's an example for handling unknown unicast traffic using packets per second (pps). The rising threshold is set at 30 Mbps, so any traffic above this limit will be dropped. The falling threshold is 20 Mbps, meaning that the traffic must fall below this level before it is permitted again.
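
The rising and falling threshold behaviour described above, modelled as an added example (not from the original article and not Cisco's code): a simplified Python simulation that compares the rate of one traffic type against the thresholds once per interval. The sample rates, the per-interval comparison and the function names are assumptions made for illustration.

```python
# Simplified model of the storm-control filter state (added example).
# Assumption: the offered rate of one traffic type is compared against
# the thresholds once per measurement interval.

def filter_states(samples, rising, falling=None):
    """Return 'Forwarding' or 'Blocking' for each measurement interval.

    samples: offered rate per interval, in the same unit as the thresholds
             (percent of bandwidth, bps or pps).
    rising:  rate above which the traffic type is blocked.
    falling: rate the traffic must drop below before it is forwarded again;
             defaults to the rising threshold (single-value configuration).
    """
    if falling is None:
        falling = rising
    if falling > rising:
        raise ValueError("falling threshold cannot exceed rising threshold")
    states, blocking = [], False
    for rate in samples:
        if not blocking and rate > rising:
            blocking = True       # storm detected: start suppressing
        elif blocking and rate < falling:
            blocking = False      # rate dropped far enough: forward again
        states.append("Blocking" if blocking else "Forwarding")
    return states


def transitions(states):
    """Count state changes; a high count means the filter is flapping."""
    return sum(1 for a, b in zip(states, states[1:]) if a != b)


# Constructed sample: broadcast level (% of bandwidth) hovering around 30%.
SAMPLES = [5, 28, 33, 29, 31, 27, 32, 26, 18, 12]

if __name__ == "__main__":
    for label, fall in (("rising 30", None), ("rising 30 / falling 20", 20)):
        states = filter_states(SAMPLES, rising=30, falling=fall)
        print(f"{label}: {transitions(states)} state changes")
        for rate, state in zip(SAMPLES, states):
            print(f"  {rate:>3}%  {state}")
```

With the constructed samples, the single threshold changes state six times as the rate hovers around 30%, while the rising 30 / falling 20 pair changes state only twice.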

Finally, we can also customize the action taken when the thresholds are exceeded:

SW1(config-if)#storm-control action ?
  shutdown  Shutdown this interface if a storm occurs
  trap      Send SNMP trap if a storm occurs

By default, the exceeding traffic is dropped, but we can also choose to shut down the interface or to send an SNMP trap.

SW1(config-if)#storm-control action trap

To verify our work, we can use the show storm-control command:

SW1#show storm-control
Interface  Filter State   Upper        Lower        Current
---------  -------------  -----------  -----------  ----------
Fa0/1      Forwarding        30.00%       30.00%        0.00%

About the Author

I'm Aevon...Just a gal with an insane passion for all things cybersecurity. 17 years in the industry and still love what I'm doing.