Sunday, December 31, 2017

Cisco CCNP: 300-115 - 2.1 Configure and verify switch security features: 2.1.f Storm control

Recently I needed to renew my Cisco CCNPs, that is, both CCNP Routing and Switching as well as CCNP Security. While working with Cisco products (well, now they own SourceFire, so exclude those) is not within my daily duties, I still thought it was important for me to maintain these two credentials. As a result, I've put together my notes below, focusing on the key points I used to study. I believe that someone else may find them useful.

- Storm control prevents LAN ports from being disrupted by broadcast, multicast or unicast traffic storms on a physical interface
- Storms can occur for multiple reasons, including network misconfiguration or users launching denial-of-service attacks
- The storm control level is a percentage of the total available bandwidth of the port
- Each port has a single traffic storm control level, which is used for all traffic types (broadcast, multicast and unicast)
- Does not suppress spanning tree packets
- Does not differentiate control traffic from data traffic, other than spanning tree
- When broadcast storm control is enabled and traffic exceeds the threshold, storm control drops all broadcast traffic until the end of the traffic storm control interval
- If both broadcast and multicast storm control are in place and the combined traffic exceeds the threshold, storm control drops all broadcast and multicast traffic
- If both broadcast and multicast storm control are in place and either of the two exceeds the threshold on its own, storm control drops all broadcast and multicast traffic
- Storm control is supported on physical interfaces, but it can also be configured on an EtherChannel
- When storm control is configured on an EtherChannel, the storm control settings propagate to the physical interfaces in the channel
- Configuring storm control on EtherChannel ports puts the interface in a suspended state

Storm control can use:
  - Bandwidth
      - A percentage of the total bandwidth of the port that can be used by broadcast, multicast or unicast traffic
  - Traffic rate in packets per second
      - The rate at which broadcast, unicast or multicast traffic is received
  - Traffic rate in bits per second
      - The rate at which broadcast, unicast or multicast traffic is received
  - Traffic rate in packets per second for small frames
      - Enabled globally; the threshold for small frames is configured on each interface
- With each of the above, the port remains blocked until the traffic rate has dropped below the falling threshold (optional) and then resumes forwarding
- If the falling suppression level is not set, the switch blocks traffic until the rate drops below the rising suppression level
- The higher the level, the less effective the protection against broadcast storms
- When the threshold is met for multicast, all multicast traffic is blocked except for control traffic such as BPDU and CDP. Routing updates are blocked
- A high level such as 100 percent means no limit is placed on the traffic
- A low value such as 0 means all broadcast, multicast or unicast traffic on that port is blocked
- By default storm control is disabled; the default suppression level is 100 percent
- Storm control is configured on a per-port basis

- The configurable storm control actions are shutdown and trap. However, the default action is to filter out the excess traffic and not send traps
- The switchport blocks traffic (or shuts down, if that action is configured) when the rising level is met
- The switchport forwards traffic again when traffic drops below the falling threshold
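
The following is an added configuration example, not part of the original post and not taken from Cisco's documentation; it puts the points above into Catalyst 3750-X style IOS syntax. The interface name, VLAN, threshold values and recovery interval are assumed and should be tuned to a port's real traffic profile:

```cisco
! Added example (not from the original post): storm control on a Catalyst
! access port. Interface, VLAN and threshold values are assumed.
!
! Global: let a port that storm control err-disabled recover on its own,
! so a faulty host or a DoS attempt cannot leave the port down indefinitely.
errdisable recovery cause storm-control
errdisable recovery interval 300
!
! Global: enable small-frame (< 67 byte) storm detection; the per-port
! packets-per-second threshold is set under the interface.
errdisable detect cause small-frame
errdisable recovery cause small-frame
!
interface GigabitEthernet1/0/10
 description user access port
 switchport mode access
 switchport access vlan 10
 ! Broadcast: block at 20% of port bandwidth (rising), resume below 10% (falling).
 storm-control broadcast level 20.00 10.00
 ! Multicast: rising 100k packets/s, falling 50k. BPDU and CDP still pass,
 ! but multicast routing updates (e.g. OSPF) are NOT exempt.
 storm-control multicast level pps 100k 50k
 ! Unicast: bits-per-second rising threshold only, so the falling
 ! threshold defaults to the rising value.
 storm-control unicast level bps 10m
 ! Actions are additive: err-disable the port AND send an SNMP trap.
 ! Without these two lines the default is to filter the traffic silently.
 storm-control action shutdown
 storm-control action trap
 ! Small-frame threshold for this port, in packets per second.
 small-frame violation-rate 1000
!
! Verification (read-only):
! show storm-control GigabitEthernet1/0/10
! show storm-control GigabitEthernet1/0/10 multicast
! show interfaces GigabitEthernet1/0/10 counters storm-control
! show errdisable recovery
```

Two operational notes: `storm-control action trap` only produces a notification if an SNMP trap destination is already configured, and `storm-control action shutdown` turns a traffic storm into an outage for that port, which is why the err-disable recovery timer is set globally before the action is enabled on any interface.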

References:
https://www.cisco.com/c/en/us/td/docs/routers/7600/ios/12-1E/configuration/guide/storm.html
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_53_se/configuration/guide/3750xscg/swtrafc.html
