
10 Cisco Storm Control Best Practices

Cisco storm control can help protect your network from broadcast, multicast, and unicast traffic storms. Here are 10 best practices to follow.

Cisco storm control (also called traffic suppression) monitors the traffic arriving on a switch port, measures how much of it is broadcast, multicast, or unicast in each one-second interval, and suppresses a traffic type once it exceeds a configured threshold. Its purpose is to contain broadcast and multicast storms, which are usually caused by a Layer 2 loop or a faulty NIC and can saturate every port in a VLAN.

Storm control is configured per port and per traffic type: each interface can have separate thresholds for broadcast, multicast, and unicast traffic, plus an action to take when a threshold is crossed. When configuring it, keep the following best practices in mind.

1. Use Storm Control on all switch ports

Storm control helps protect your network from broadcast, multicast, and unicast traffic storms, but it is disabled by default on every switch port, and a port without it forwards a storm unchecked. When enabled, it measures the ingress rate of each traffic type in one-second intervals; once a type reaches its rising threshold, the port drops that traffic type until the rate falls back below the falling threshold (or shuts the port down, depending on the configured action). Enable it on every access port, and on trunks and uplinks with thresholds that allow for the aggregate traffic of all the VLANs they carry.

While storm control is a valuable tool, it is not a silver bullet: it limits the symptom rather than removing the cause. Pair it with the spanning-tree protections that stop loops from forming in the first place (BPDU guard on access ports, loop guard on uplinks), and with access control lists (ACLs) where you need to restrict particular traffic on a port.

Also note that storm control acts on traffic entering a physical port. It does not limit traffic that the switch itself originates or forwards out of a port (for example traffic generated by someone who has gained administrative access to the switch), and it does nothing on ports where it is not enabled, so a storm arriving on one unprotected port still floods every other port in the VLAN.

2. Configure the storm control action to be shutdown

By default, when a traffic type exceeds its threshold, storm control only filters the excess: it drops that traffic type until the rate falls back below the threshold, and the port stays up. That keeps the port usable, but a looping segment or faulty NIC will keep pushing the port to its threshold every second, and nobody is forced to look at it. With storm-control action shutdown the port is instead placed in the err-disabled state; storm-control action trap additionally sends an SNMP trap, and the two can be combined.

An err-disabled port stays down until you clear it manually with shutdown followed by no shutdown, which gives you the chance to find the cause of the storm before traffic is restored. If you have enabled errdisable recovery cause storm-control, the port is re-enabled automatically after the recovery interval (300 seconds by default); if the storm is still present it is shut down again, and the port flaps in a loop until someone intervenes. Decide deliberately whether you want that automatic recovery. Use the shutdown action on access ports, where it isolates the offending device, and be careful with it on trunks and uplinks: shutting down an uplink takes down everything behind it, and a single misbehaving host on the far side can trigger that.

3. Set the broadcast level at 10% of the port bandwidth

Broadcast storms are caused by a continuous stream of broadcast traffic that overwhelms a VLAN: every port in the VLAN receives every frame, so a storm on one port degrades all of them. Storm control limits the damage, but you still need to identify the cause of the storm (most often a Layer 2 loop, a faulty NIC or driver, or a misconfigured device) and take steps to mitigate it.

A storm control broadcast level of 10% of the port bandwidth is a reasonable starting point for an access port: normal broadcast traffic (ARP, DHCP, NetBIOS and the like) is a tiny fraction of a port's capacity, so a 10% threshold never touches legitimate traffic but stops a storm from consuming the port. Remember that the level is relative to link speed: 10% of a 1 Gbps port is 100 Mbps, and 10% of a 10 Gbps port is 1 Gbps of broadcast, far more than any VLAN legitimately needs. Where that matters, use an absolute rate instead, for example storm-control broadcast level pps 1k or storm-control broadcast level bps 10m, and optionally give a lower (falling) threshold as a second value so suppression is released only once the rate has dropped well below the trigger.

Note that the level is a percentage from 0.00 to 100.00. Setting it to 100% does not cause legitimate traffic to be dropped; it does the opposite, because no traffic type can exceed 100% of the port, so suppression for that type is effectively disabled. A level of 0% blocks all traffic of that type. Treat a configured level of 100 as a port with no storm control.

4. Set the multicast level at 5% of the port bandwidth

When a port starts receiving too much multicast traffic it can quickly become overloaded, and so can every host in the VLAN that has to process the flood. Choosing the level is a trade-off: if the level is set too low, legitimate multicast bursts cross the threshold and storm control drops them, which breaks applications that rely on multicast, such as video conferencing or IPTV. If it is set too high, a real storm runs below the threshold and is never suppressed.

A level of 5% of the port bandwidth is a sensible default for access ports that do not carry heavy multicast applications. Raise it, or use a pps or bps threshold, on ports that legitimately carry multicast video. Be aware of one platform-specific caveat: on several Catalyst platforms, when the multicast threshold is exceeded the switch blocks all multicast traffic except control frames such as BPDUs and CDP, and it does not distinguish routing-protocol multicast (OSPF or EIGRP hellos) from data traffic. A low multicast level on a port facing a router can therefore take down a routing adjacency during a storm, so check the configuration guide for your platform before enabling multicast storm control on such ports.

5. Set the unicast level with care

Unicast storm control is the one most likely to do harm if set carelessly. If the unicast level is set too low, normal traffic is treated as a storm and blocked; if it is set too high, a real unicast storm goes unnoticed. Unicast is also most of a port's normal traffic, and depending on the platform the unicast counter may include all unicast frames rather than only unknown-unicast flooding, so a level of 1% would throttle an ordinary busy port almost immediately. Before enabling it, confirm in your platform's configuration guide what the unicast counter measures, look at what the port actually carries over a busy period (show interfaces and its counters), and set the threshold above the observed peak. A level of 1% is only defensible on ports that are expected to carry almost no unicast traffic; where you are unsure, leave unicast storm control off and rely on broadcast and multicast suppression.

6. Verify that you have configured storm control correctly

If storm control is not configured correctly (for example with a level of 100, which disables suppression, or only on some ports), your switch will keep forwarding traffic while it is experiencing a high level of broadcast, multicast, or unicast traffic, which can degrade the network or cause an outage. Verify the configuration on every port, not just the one you were working on.

To see what is configured on an interface, use show running-config interface followed by the interface name. It displays the storm-control lines for that interface:

interface GigabitEthernet0/1
 storm-control broadcast level 70.00
 storm-control multicast level 40.00

This shows a broadcast storm control level of 70 percent and a multicast level of 40 percent (IOS stores levels with two decimal places). No unicast line means unicast storm control is not enabled on this port, and no storm-control action line means the default action, filtering, is in effect.

To check the running state rather than the configuration, use show storm-control, optionally followed by an interface name and a traffic type (without a traffic type keyword it reports the broadcast thresholds). It lists each interface with storm control enabled, its current filter state, the rising and falling thresholds, and the rate currently measured:

Interface  Filter State   Upper        Lower        Current
---------  -------------  -----------  -----------  ----------
Gi0/1      Forwarding     70.00%       70.00%        0.00%

A Filter State of Forwarding means no suppression is active; Blocking means the threshold has been exceeded and traffic of that type is being dropped; Link Down means the port is down, which includes a port err-disabled by the shutdown action. When no falling threshold was configured, Lower equals Upper. Interfaces without storm control do not appear in the listing at all, which makes show storm-control a quick way to spot ports you forgot.
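The checks in items 1, 2 and 6 (storm control on every port, a deliberate action, no level of 100) are easy to do by eye on one switch and tedious across a hundred. The following script, an added example that is not code from the original article or from Cisco, parses show running-config text and reports ports that need attention. The configuration it parses is a constructed sample with made-up interface names, descriptions and thresholds: one weak access port, one corrected access port, one port with nothing configured, and an uplink that uses an absolute pps rate.

```python
"""Audit a Cisco IOS running-config for storm-control coverage.

Added example (not code from the original article or from Cisco). It parses
'show running-config' text, here a constructed sample, and flags ports that
have no storm control, a level of 100 (suppression disabled), only the
default filter action on an access port, or a shutdown action on a trunk.
Interface names, descriptions and thresholds in the sample are made up.
"""
import re
from dataclasses import dataclass, field

# Constructed sample configuration (not from a real switch).
SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/1
 description weak: level 100 disables suppression, default action only filters
 switchport mode access
 storm-control broadcast level 100.00
!
interface GigabitEthernet0/2
 description corrected access port
 switchport mode access
 storm-control broadcast level 10.00
 storm-control multicast level 5.00
 storm-control action shutdown
 storm-control action trap
!
interface GigabitEthernet0/3
 switchport mode access
!
interface GigabitEthernet0/24
 description uplink: absolute rate; shutdown here would take the whole site down
 switchport mode trunk
 storm-control broadcast level pps 5k 4k
 storm-control action shutdown
!
"""

# "storm-control <type> level <value> [<low>]" or "... level pps|bps <value> [<low>]"
LEVEL_RE = re.compile(
    r"^storm-control (broadcast|multicast|unicast) level (\S+)(?: (\S+))?(?: (\S+))?$")


@dataclass
class Port:
    name: str
    mode: str = "access"                        # switchport mode; access if not stated
    levels: dict = field(default_factory=dict)  # traffic type -> (unit, rising value)
    actions: set = field(default_factory=set)   # configured storm-control actions


def parse_config(text: str) -> list:
    """Return one Port per 'interface' block, with its storm-control settings."""
    ports, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = Port(line.split(None, 1)[1])
            ports.append(cur)
        elif line == "!" or not line:
            cur = None                          # '!' ends a configuration section
        elif cur is None:
            continue
        elif line.startswith("switchport mode "):
            cur.mode = line.split()[-1]
        elif line.startswith("storm-control action "):
            cur.actions.add(line.split()[-1])
        else:
            m = LEVEL_RE.match(line)
            if m:
                kind, a, b, _low = m.groups()
                # "level pps 5k 4k" -> unit pps, value 5k; "level 10.00" -> percent
                unit, value = (a, b) if a in ("pps", "bps") else ("percent", a)
                cur.levels[kind] = (unit, value)
    return ports


def audit(ports) -> list:
    """Return (interface, finding) pairs for ports that need attention."""
    findings = []
    for p in ports:
        if not p.levels:
            findings.append((p.name, "no storm control configured"))
            continue
        for kind in ("broadcast", "multicast"):
            lvl = p.levels.get(kind)
            if lvl is None:
                findings.append((p.name, f"no {kind} storm control"))
            elif lvl[0] == "percent" and float(lvl[1]) >= 100:
                findings.append((p.name, f"{kind} level 100% effectively disables suppression"))
        if p.mode == "trunk" and "shutdown" in p.actions:
            findings.append((p.name, "shutdown action on a trunk: a storm behind it takes the uplink down"))
        if p.mode == "access" and "shutdown" not in p.actions:
            findings.append((p.name, "default action only filters; port stays up during a storm"))
    return findings


if __name__ == "__main__":
    for iface, finding in audit(parse_config(SAMPLE_CONFIG)):
        print(f"{iface}: {finding}")
```

On the sample, GigabitEthernet0/2 passes cleanly, GigabitEthernet0/1 is reported three times (level 100, no multicast threshold, filter-only action), GigabitEthernet0/3 once, and the uplink twice (no multicast threshold, shutdown on a trunk). The trunk check encodes the caveat from item 2; whether a shutdown action on an uplink is acceptable is a site decision, so treat that finding as a prompt to review rather than a hard failure.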

7. Monitor your network for traffic spikes

A traffic spike can indicate a fault, such as a loop or a failing NIC, or a denial of service (DoS) attack, malicious activity that overloads your network and prevents legitimate users from reaching your resources. By monitoring for traffic spikes, you can quickly identify when a storm or an attack is happening and take steps to mitigate it.

There are a few different ways to monitor for traffic spikes. One is to use a network monitoring tool such as SolarWinds Network Performance Monitor (NPM), which polls interface counters over SNMP and gives you real-time visibility into your network traffic so you can spot unusual activity.

Another is to let the switches alert you. Storm control logs a syslog message when it acts (for example %STORM_CONTROL-3-FILTERED when it starts dropping traffic and %STORM_CONTROL-3-SHUTDOWN when it err-disables a port), and storm-control action trap sends an SNMP trap to your management station. Forward syslog to a central collector and alert on these messages, and configure threshold-based alerts on interface utilization in your monitoring tool for storms on ports where storm control is not enabled.

Finally, review your logs regularly for signs of unusual activity. A storm, and many attacks, leave clues such as repeated storm-control messages on one port or err-disable events that recur at the recovery interval.

8. Use a combination of tools to monitor and alert

If you’re only using a single tool to monitor for storms, you may miss something. For example, if you only poll switch port counters with SNMP every few minutes, a storm that lasts thirty seconds can fall between two polls, and if you only watch syslog and traps, you see nothing from ports where storm control is not enabled.

Using a combination of tools gives you a better chance of catching every storm, and it lets you cross-check results to confirm one. For example, you could use SNMP interface counters, NetFlow and syslog together: a spike in the counters, a burst of flows from a single source MAC or host, and a storm-control message on the same port at the same time leave little doubt about what happened and where.

Configuring alerts is also important, so you can be notified as soon as a storm is detected. That way, you can take action quickly to mitigate the storm and minimize its impact on the network.
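Items 7 and 8 both come down to turning the switch's own storm-control messages into alerts. The script below is an added example, not code from the original article or from Cisco: it reads syslog lines, groups storm-control events by switch and port, and raises an alert when a port is filtered repeatedly within a window (the storm is persisting, not a one-off burst) or when a port is shut down again shortly after an err-disable recovery (the recovery loop described in item 2). The log lines are constructed; their shape follows the IOS messages %STORM_CONTROL-3-FILTERED, %STORM_CONTROL-3-SHUTDOWN, %PM-4-ERR_DISABLE and %PM-4-ERR_RECOVER, but the hostnames, ports, sequence numbers and timestamps are made up, as is the assumed year (syslog timestamps carry none).

```python
"""Detect persistent storms and err-disable recovery loops in switch syslog.

Added example (not code from the original article or from Cisco). The log
lines below are constructed; their shape follows the IOS messages
%STORM_CONTROL-3-FILTERED, %STORM_CONTROL-3-SHUTDOWN, %PM-4-ERR_DISABLE and
%PM-4-ERR_RECOVER, but hosts, ports, sequence numbers and times are made up.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not captured from a real switch).
SAMPLE_LOG = """\
Mar  1 10:02:11 sw-access-1 000123: %STORM_CONTROL-3-FILTERED: A Broadcast storm detected on Gi0/5. A packet filter action has been applied on the interface.
Mar  1 10:02:44 sw-access-1 000124: %STORM_CONTROL-3-SHUTDOWN: A packet storm was detected on Gi0/7. The interface has been disabled.
Mar  1 10:02:44 sw-access-1 000125: %PM-4-ERR_DISABLE: storm-control error detected on Gi0/7, putting Gi0/7 in err-disable state
Mar  1 10:03:10 sw-access-1 000126: %STORM_CONTROL-3-FILTERED: A Multicast storm detected on Gi0/9. A packet filter action has been applied on the interface.
Mar  1 10:05:30 sw-access-1 000127: %STORM_CONTROL-3-FILTERED: A Broadcast storm detected on Gi0/5. A packet filter action has been applied on the interface.
Mar  1 10:07:45 sw-access-1 000128: %PM-4-ERR_RECOVER: Attempting to recover from storm-control err-disable state on Gi0/7
Mar  1 10:07:50 sw-access-1 000129: %STORM_CONTROL-3-SHUTDOWN: A packet storm was detected on Gi0/7. The interface has been disabled.
Mar  1 10:08:00 sw-access-1 000130: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \d+: "
    r"%(?P<msg>[A-Z_]+-\d-[A-Z_]+): (?P<text>.*)$")
IFACE_RE = re.compile(r"\b((?:Gi|Te|Fa|Po)\d+(?:/\d+)*)\b")   # Gi0/5, Te1/0/1, Po1


def parse_events(lines, year=2024):
    """Return (timestamp, host, interface, message id) for each port-related line."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        iface = IFACE_RE.search(m["text"])
        if not iface:
            continue                  # not about a port (e.g. SYS-5-CONFIG_I)
        # syslog timestamps carry no year; the caller supplies one (assumption)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["host"], iface.group(1), m["msg"]))
    return events


def detect_storms(events, repeat=2, window=timedelta(minutes=10),
                  loop_gap=timedelta(minutes=1)):
    """Alert when a port is filtered `repeat` times within `window` (the storm
    persists) or is shut down again within `loop_gap` of an err-disable
    recovery (automatic recovery is just re-triggering the storm)."""
    by_port = defaultdict(list)
    for ev in events:
        by_port[(ev[1], ev[2])].append(ev)
    alerts = []
    for (host, iface), evs in by_port.items():
        evs.sort()
        filtered = [ts for ts, _, _, msg in evs if msg == "STORM_CONTROL-3-FILTERED"]
        for i, start in enumerate(filtered):          # sliding window over filter events
            n = sum(1 for ts in filtered[i:] if ts - start <= window)
            if n >= repeat:
                alerts.append((host, iface, f"persistent storm: {n} filter events within {window}"))
                break
        last_recover = None
        for ts, _, _, msg in evs:
            if msg == "PM-4-ERR_RECOVER":
                last_recover = ts
            elif (msg == "STORM_CONTROL-3-SHUTDOWN" and last_recover is not None
                  and ts - last_recover <= loop_gap):
                alerts.append((host, iface, "err-disable recovery loop: shut down again "
                                            f"{(ts - last_recover).seconds}s after recovery"))
                last_recover = None
    return alerts


if __name__ == "__main__":
    for host, iface, why in detect_storms(parse_events(SAMPLE_LOG.splitlines())):
        print(f"ALERT {host} {iface}: {why}")
```

On the sample, Gi0/5 is reported as a persistent storm (two filter events within ten minutes), Gi0/7 as a recovery loop (shut down five seconds after errdisable recovery brought it back), and the single multicast event on Gi0/9 produces no alert. Feed the same parser with lines from your collector and tune repeat and window to the errdisable recovery interval and polling cadence you actually run.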

9. Review your configuration regularly

As your network grows, the traffic patterns on your network will change. This means that the storm control settings that were once adequate may no longer be sufficient. By reviewing your configuration regularly, you can ensure that your storm control settings are still appropriate for your network.

Additionally, as new technologies are introduced, they may require different storm control settings. For example, if you add a new type of device to your network that generates a lot of broadcast traffic, you may need to adjust your storm control settings to account for this.

Finally, it’s important to review your configuration regularly because the way storm control works may change over time. As Cisco introduces new features and updates the way storm control works, you’ll need to update your configuration to take advantage of these changes.

10. Document your changes

If you make a change to your storm control configuration and it doesn’t work as expected, being able to quickly revert back to a known-good state is crucial. By documenting your changes, you can easily roll back any unwanted changes.

Additionally, if you ever need to troubleshoot an issue with your storm control configuration, having a clear and concise documentation of what has been changed will save you a lot of time and headache.
