Security - storm control algorithm

Cisco's Storm Control feature protects a LAN, and the switch and hosts attached to it, from being overwhelmed by a broadcast, multicast, or unicast storm. It limits the rate of broadcast, multicast, and unicast frames accepted on a port: traffic above a configured threshold is dropped, so that the switch's CPU and memory and the hosts on the segment are not flooded with traffic they would otherwise have to process.

Because storm control is a Layer 2 feature on Cisco switches, the traffic type is identified from the destination MAC address in the Ethernet header of each incoming frame. A destination of ff:ff:ff:ff:ff:ff is broadcast, a destination whose first octet has the group (least significant) bit set is multicast, and any other destination is unicast. Storm control for the matching traffic type is then applied to that frame.

Storm control is configured per interface and per traffic type, and each configuration has two thresholds:

  • rising threshold
  • falling threshold

Both thresholds are expressed in the same unit: a percentage of the interface's bandwidth (the default form), bits per second (the bps keyword), or packets per second (the pps keyword). The falling threshold is optional; when it is omitted it is set equal to the rising threshold. The parameters are configured on an interface like so:

SW1(config)#interface FastEthernet0/1
SW1(config-if)#storm-control broadcast level 30 20

The above configuration enables storm control for broadcast frames received on the Fa0/1 interface, with a rising threshold of 30% and a falling threshold of 20% of the interface's bandwidth. Multicast and unicast frames on the port are not affected unless they are configured separately. A level of 100 places no limit on the traffic type, and a level of 0.0 blocks all of it.

When the broadcast traffic received in a measurement interval reaches the rising threshold, the interface drops all further broadcast frames; dropping is the default action. The dropped frames are not ignored by the measurement: the interface keeps counting the bytes of every arriving broadcast frame, including those it discards, so the measured rate reflects what the sender is offering, not what is forwarded. The traffic rate is measured over 1-second intervals and compared with the thresholds at the end of each interval.

Frames continue to be dropped until the rate measured in an interval falls below the falling threshold, at which point forwarding resumes. Setting the falling threshold below the rising threshold gives the mechanism hysteresis: a source whose rate hovers around a single threshold would otherwise flap between blocked and forwarding from one second to the next.
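The following Python model is an added example and is not Cisco's implementation; it reproduces the behaviour described above (1-second measurement intervals, blocking once the rising threshold is reached within an interval, dropped frames still counted, forwarding resumed only when an interval's rate falls below the falling threshold) so the hysteresis can be observed on a constructed trace. The interface bandwidth of 100 Mb/s (FastEthernet), the 1500-byte frame size, and the per-second frame counts in the trace are all constructed assumptions.

```python
"""Model of the storm-control rising/falling threshold algorithm.

Added example, not Cisco's code. Thresholds are percentages of the
interface bandwidth, as in "storm-control broadcast level 30 20".
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class StormControl:
    rising: float                       # rising threshold, percent of bandwidth
    falling: Optional[float] = None     # falling threshold, percent of bandwidth
    bandwidth_bps: int = 100_000_000    # assumed 100 Mb/s FastEthernet port
    blocking: bool = field(default=False, init=False)

    def __post_init__(self) -> None:
        if self.falling is None:
            # Omitting the falling level makes it equal to the rising level.
            self.falling = self.rising
        if not 0.0 <= self.falling <= self.rising <= 100.0:
            raise ValueError("need 0 <= falling <= rising <= 100")

    @property
    def rising_bits(self) -> float:
        """Rising threshold as bits per 1-second interval."""
        return self.bandwidth_bps * self.rising / 100.0

    @property
    def falling_bits(self) -> float:
        """Falling threshold as bits per 1-second interval."""
        return self.bandwidth_bps * self.falling / 100.0

    def run(self, frames: Iterable[Tuple[float, int]]) -> List[Dict[str, object]]:
        """Feed frames (arrival_time_seconds, length_bytes), sorted by time.

        Returns one summary per 1-second interval: bits offered, bits
        dropped, and whether the port is still blocking at the end of it.
        """
        per_second: List[Dict[str, object]] = []
        current: Optional[int] = None
        offered = dropped = 0
        for t, length in frames:
            second = int(t)
            if current is None:
                current = second
            # Close every elapsed interval, including idle ones with no frames.
            while second != current:
                per_second.append(self._close_interval(current, offered, dropped))
                current += 1
                offered = dropped = 0
            bits = length * 8
            offered += bits            # dropped frames are counted too
            if self.blocking:
                dropped += bits
            elif offered >= self.rising_bits:
                # The frame that reaches the rising threshold is the last one
                # forwarded in this interval; all subsequent frames are dropped.
                self.blocking = True
        if current is not None:
            per_second.append(self._close_interval(current, offered, dropped))
        return per_second

    def _close_interval(self, second: int, offered: int, dropped: int) -> Dict[str, object]:
        # At the end of an interval, forwarding resumes only if the measured
        # rate (forwarded plus dropped) fell below the falling threshold.
        if self.blocking and offered < self.falling_bits:
            self.blocking = False
        return {"second": second, "offered_bits": offered,
                "dropped_bits": dropped, "blocking": self.blocking}


def constructed_trace(frames_per_second: List[int], size: int = 1500) -> List[Tuple[float, int]]:
    """Constructed input: evenly spaced frames of `size` bytes in each second."""
    trace: List[Tuple[float, int]] = []
    for second, count in enumerate(frames_per_second):
        trace.extend((second + i / count, size) for i in range(count))
    return trace


def example_run(rising: float = 30, falling: Optional[float] = 20) -> List[Dict[str, object]]:
    """12, 36, 24, 18 and 12 Mb/s of broadcast traffic in consecutive seconds."""
    return StormControl(rising=rising, falling=falling).run(
        constructed_trace([1000, 3000, 2000, 1500, 1000]))


if __name__ == "__main__":
    for row in example_run():
        print(row)
```

In the second interval the offered rate (36 Mb/s) reaches the 30% rising threshold after 2500 frames, so the remaining 500 frames are dropped. The third interval offers 24 Mb/s, which is below the rising threshold but not below the 20% falling one, so the port stays blocked and drops everything; only the fourth interval (18 Mb/s) clears the falling threshold and forwarding resumes in the fifth. Running example_run(30, None) instead, with no falling threshold, shows the difference: the port unblocks as soon as an interval drops below 30%, so the fourth interval is forwarded.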