One of the security features included with Cisco Catalyst switches is Port-Based Traffic Control. It governs the behavior of each switch port individually in response to a specified type and/or amount of traffic.

Among other things, you can configure how a specific switch port behaves when a traffic storm begins, whether the switch floods unknown unicast or multicast traffic out of a port, and even whether a port shuts down or restricts traffic when it sees a MAC address that is not allowed (port security).

In this post we dwell a little on the feature called Storm Control. A traffic storm is the uncontrolled generation of traffic on the switch. A typical example arises when a loop forms between multiple layer-2 switches: every switch keeps flooding the network with broadcast traffic such as ARP, and nothing stops it. All connected hosts become unresponsive on the network and the switch CPU climbs to 100%, which amounts to a denial of service that nobody had to launch.

With Cisco Catalyst switches we can keep this kind of traffic in check with this feature. It lets us set limits on the ports, so that when such traffic is detected above the limit we established, the switch port discards the excess packets. The switch monitors the packets passing from the port to the switching bus, classifies them as unicast, multicast or broadcast, and counts the packets of each type received within a one-second interval. If the count exceeds the configured threshold, that type of traffic is discarded until the rate drops back below the threshold (or below the separate falling threshold, if one is configured).

We can use three kinds of measure:

  • Percent bandwidth of the port
  • Traffic in packets per second
  • Traffic in bits per second

This way we can, for instance, limit broadcast traffic on port Fa0/7 to 60% of the total port bandwidth, or to just 3 kbit/s. Besides the threshold, we can specify how the port behaves when traffic exceeds it: by default the excess traffic is simply dropped, and optionally the port can be shut down (placed in the err-disabled state) or an SNMP trap can be sent.

Very easy syntax:

switch(config-if)# storm-control action {shutdown | trap}

Let’s say we want port FastEthernet 0/11 to drop broadcast traffic when it consumes more than 70% of the bandwidth, and to start forwarding it again once it falls below 60%. Dropping is the default action, so only the thresholds need configuring:

switch> en
switch# conf t
switch(config)# int f0/11
switch(config-if)# storm-control broadcast level 70 60

If we also want to be notified, storm-control action trap sends an SNMP trap when the storm is detected; storm-control action shutdown would instead err-disable the port, in which case it stays down until a manual no shutdown or until errdisable recovery cause storm-control brings it back.

Now we reach the less known part of Storm Control: the feature known as Small-Frame Arrival Rate. There is a kind of traffic the configuration above does not handle, and it can still lead to congestion and saturation along the path: VLAN-tagged packets smaller than 67 bytes. The switch forwards them, but they do not increment the storm-control counters. Since IOS 12.2(44)SE we can configure a port to transition to the error-disabled state if such small frames arrive faster than a threshold.

This has to be enabled globally first, with an individual rate limit then set on each port. Globally we enable small-frame as a cause for err-disabling the port and, optionally, as a cause for automatic recovery; how long a port stays err-disabled before recovery is governed by errdisable recovery interval, which defaults to 300 seconds.

Again, easy syntax:

switch(config)# errdisable detect cause small-frame
switch(config)# errdisable recovery cause small-frame
switch(config)# int f0/21
switch(config-if)# small-frame violation rate 5000
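As an added example (not from the original post, and not Cisco's code), the following Python script audits a running-config excerpt for the settings discussed in the two procedures above: access ports with no storm-control level at all, a percentage threshold of 100 (which Cisco documents as placing no limit on that traffic), a shutdown action with no matching errdisable recovery cause, and a per-port small-frame rate without the global errdisable detect cause that makes it effective. SAMPLE_CONFIG is a constructed configuration, not captured from a real switch; the check names and interface numbers are my own.

```python
"""Audit a Cisco IOS running-config for storm-control and small-frame coverage.

Added example, not code from the original post or from Cisco. SAMPLE_CONFIG is
a constructed 'show running-config' excerpt written to exercise each check.
"""
import re

SAMPLE_CONFIG = """\
errdisable detect cause small-frame
errdisable recovery cause small-frame
!
interface FastEthernet0/11
 switchport mode access
 storm-control broadcast level 70.00 60.00
 storm-control action trap
interface FastEthernet0/12
 switchport mode access
 storm-control broadcast level 100.00
interface FastEthernet0/13
 switchport mode access
 storm-control broadcast level pps 1k 500
 storm-control action shutdown
interface FastEthernet0/21
 switchport mode access
 storm-control broadcast level bps 3k
 small-frame violation rate 5000
interface FastEthernet0/22
 switchport mode access
interface GigabitEthernet0/1
 switchport mode trunk
"""

IFACE_RE = re.compile(r"^interface (\S+)")
# storm-control {broadcast|multicast|unicast} level [bps|pps] rising [falling]
LEVEL_RE = re.compile(
    r"^storm-control (broadcast|multicast|unicast) level"
    r"(?: (bps|pps))? (\S+)(?: (\S+))?$"
)


def parse_config(text):
    """Split a config into global commands and per-interface command lists."""
    global_cmds, interfaces, current = set(), {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None                      # '!' ends the current stanza
            continue
        if raw.startswith(" "):                 # indented: belongs to a stanza
            if current is not None:
                interfaces[current].append(raw.strip())
            continue
        m = IFACE_RE.match(raw)
        if m:
            current = m.group(1)
            interfaces[current] = []
        else:
            current = None
            global_cmds.add(raw.strip())
    return global_cmds, interfaces


def to_number(token):
    """IOS threshold token to float: '70.00' -> 70.0, '3k' -> 3000.0."""
    mult = {"k": 1e3, "m": 1e6, "g": 1e9}
    suffix = token[-1].lower()
    if suffix in mult:
        return float(token[:-1]) * mult[suffix]
    return float(token)


def audit(text):
    """Return (interface, check, detail) tuples for every weak spot found."""
    global_cmds, interfaces = parse_config(text)
    findings = []
    for name, cmds in interfaces.items():
        levels = [m for m in map(LEVEL_RE.match, cmds) if m]
        # Only ports explicitly configured as access ports are flagged here.
        if "switchport mode access" in cmds and not levels:
            findings.append((name, "no-storm-control",
                             "access port has no storm-control level"))
        for m in levels:
            traffic, unit, rising, _falling = m.groups()
            # A percentage of 100 means no limit at all for that traffic type.
            if unit is None and to_number(rising) >= 100.0:
                findings.append((name, "threshold-100pct",
                                 f"{traffic} level {rising}% imposes no limit"))
        if ("storm-control action shutdown" in cmds
                and "errdisable recovery cause storm-control" not in global_cmds):
            findings.append((name, "shutdown-no-recovery",
                             "port stays err-disabled until a manual no shutdown"))
        # The per-port small-frame rate only takes effect once the cause is
        # enabled globally.
        if (any(c.startswith("small-frame violation") for c in cmds)
                and "errdisable detect cause small-frame" not in global_cmds):
            findings.append((name, "small-frame-not-enabled",
                             "small-frame rate set but detect cause not enabled"))
    return findings


if __name__ == "__main__":
    for iface, check, detail in audit(SAMPLE_CONFIG):
        print(f"{iface:20} {check:24} {detail}")
```

Run against the sample it reports Fa0/12 (100% threshold), Fa0/13 (shutdown with no recovery cause) and Fa0/22 (no storm control); Fa0/11 and Fa0/21 pass, and the trunk port is ignored. Delete the global errdisable detect cause small-frame line and Fa0/21 is flagged as well, since its per-port rate then does nothing. Feed it the output of show running-config from your own switches to find ports the post's configuration never reached.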

That is enough for now. The point of this post was to show the Catalyst small-frame arrival rate capability. There is extensive documentation at www.cisco.com on Port-Based Traffic Control, where you will find further features I did not cover here.