Configuring Storm Control
These sections contain this conceptual and configuration information:
Understanding Storm Control
Storm control prevents traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm on one of the physical interfaces. A LAN storm occurs when packets flood the LAN, creating excessive traffic and degrading network performance. Errors in the protocol-stack implementation, mistakes in network configurations, or users issuing a denial-of-service attack can cause a storm.
Storm control (or traffic suppression) monitors packets passing from an interface to the switching bus and determines if the packet is unicast, multicast, or broadcast. The switch counts the number of packets of a specified type received within the 1-second time interval and compares the measurement with a predefined suppression-level threshold.
Storm control uses one of these methods to measure traffic activity:
-
Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast, multicast, or unicast traffic
-
Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received.
-
Traffic rate in bits per second at which broadcast, multicast, or unicast packets are received.
-
Traffic rate in packets per second and for small frames. This feature is enabled globally. The threshold for small frames is configured for each interface.
With each method, the port blocks traffic when the rising threshold is reached. The port remains blocked until the traffic rate drops below the falling threshold (if one is specified) and then resumes normal forwarding. If the falling suppression level is not specified, the switch blocks all traffic until the traffic rate drops below the rising suppression level. In general, the higher the level, the less effective the protection against broadcast storms.
Note When the storm control threshold for multicast traffic is reached, all multicast traffic except control traffic, such as bridge protocol data unit (BDPU) and Cisco Discovery Protocol (CDP) frames, are blocked. However, the switch does not differentiate between routing updates, such as OSPF, and regular multicast data traffic, so both types of traffic are blocked.
The graph in Figure 29-1 shows broadcast traffic patterns on an interface over a given period of time. The example can also be applied to multicast and unicast traffic. In this example, the broadcast traffic being forwarded exceeded the configured threshold between time intervals T1 and T2 and between T4 and T5. When the amount of specified traffic exceeds the threshold, all traffic of that kind is dropped for the next time period. Therefore, broadcast traffic is blocked during the intervals following T2 and T5. At the next time interval (for example, T3), if broadcast traffic does not exceed the threshold, it is again forwarded.
Figure 29-1 Broadcast Storm Control Example
The combination of the storm-control suppression level and the 1-second time interval controls the way the storm control algorithm works. A higher threshold allows more packets to pass through. A threshold value of 100 percent means that no limit is placed on the traffic. A value of 0.0 means that all broadcast, multicast, or unicast traffic on that port is blocked.
Note Because packets do not arrive at uniform intervals, the 1-second time interval during which traffic activity is measured can affect the behavior of storm control.
You use the
storm-control
interface configuration commands to set the threshold value for each traffic type.
Default Storm Control Configuration
By default, unicast, broadcast, and multicast storm control are disabled on the switch interfaces; that is, the suppression level is 100 percent.
Configuring Storm Control and Threshold Levels
You configure storm control on a port and enter the threshold level that you want to be used for a particular type of traffic.
However, because of hardware limitations and the way in which packets of different sizes are counted, threshold percentages are approximations. Depending on the sizes of the packets making up the incoming traffic, the actual enforced threshold might differ from the configured level by several percentage points.
Note Storm control is supported on physical interfaces. You can also configure storm control on an EtherChannel. When storm control is configured on an EtherChannel, the storm control settings propagate to the EtherChannel physical interfaces.
Beginning in privileged EXEC mode, follow these steps to storm control and threshold levels:
|
|
|
Step 1
|
configure terminal
|
Enter global configuration mode.
|
Step 2
|
interface
interface-id
|
Specify the interface to be configured, and enter interface configuration mode.
|
Step 3
|
storm-control
{
broadcast
|
multicast
|
unicast
}
level
{
level
[
level-low
] |
bps
bps
[
bps-low
] |
pps
pps
[
pps-low
]}
|
Configure broadcast, multicast, or unicast storm control. By default, storm control is disabled.
The keywords have these meanings:
-
For level, specify the rising threshold level for broadcast, multicast, or unicast traffic as a percentage (up to two decimal places) of the bandwidth. The port blocks traffic when the rising threshold is reached. The range is 0.00 to 100.00.
-
(Optional) For level-low, specify the falling threshold level as a percentage (up to two decimal places) of the bandwidth. This value must be less than or equal to the rising suppression value. The port forwards traffic when traffic drops below this level. If you do not configure a falling suppression level, it is set to the rising suppression level. The range is 0.00 to 100.00.
If you set the threshold to the maximum value (100 percent), no limit is placed on the traffic. If you set the threshold to 0.0, all broadcast, multicast, and unicast traffic on that port is blocked.
-
For
bps
bps, specify the rising threshold level for broadcast, multicast, or unicast traffic in bits per second (up to one decimal place). The port blocks traffic when the rising threshold is reached. The range is 0.0 to 10000000000.
0.
-
(Optional) For bps-low, specify the falling threshold level in bits per second (up to one decimal place). It can be less than or equal to the rising threshold level. The port forwards traffic when traffic drops below this level. The range is 0.0 to 10000000000.0.
-
For
pps
pps, specify the rising threshold level for broadcast, multicast, or unicast traffic in packets per second (up to one decimal place). The port blocks traffic when the rising threshold is reached. The range is 0.0 to 10000000000.0.
-
(Optional) For pps-low, specify the falling threshold level in packets per second (up to one decimal place). It can be less than or equal to the rising threshold level. The port forwards traffic when traffic drops below this level. The range is
0.0 to
10000000000.0.
For BPS and PPS settings, you can use metric suffixes such as k, m, and g for large number thresholds.
|
Step 4
|
storm-control action
{
shutdown
|
trap
}
|
Specify the action to be taken when a storm is detected. The default is to filter out the traffic and not to send traps.
-
Select the
shutdown
keyword to error-disable the port during a storm.
-
Select the
trap
keyword to generate an SNMP trap when a storm is detected.
|
Step 5
|
end
|
Return to privileged EXEC mode.
|
Step 6
|
show storm-control
[
interface-id
] [
broadcast
|
multicast
|
unicast
]
|
Verify the storm control suppression levels set on the interface for the specified traffic type. If you do not enter a traffic type, broadcast storm control settings are displayed.
|
Step 7
|
copy running-config startup-config
|
(Optional) Save your entries in the configuration file.
|
To disable storm control, use the
no storm-control
{
broadcast
|
multicast
|
unicast
}
level
interface configuration command.
This example shows how to enable unicast storm control on a port with an 87-percent rising suppression level and a 65-percent falling suppression level:
Switch# configure terminal Switch(config)# interface gigabitethernet1/1 Switch(config-if)# storm-control unicast level 87 65
This example shows how to enable broadcast address storm control on a port to a level of 20 percent. When the broadcast traffic exceeds the configured level of 20 percent of the total available bandwidth of the port within the traffic-storm-control interval, the switch drops all broadcast traffic until the end of the traffic-storm-control interval:
Switch# configure terminal Switch(config)# interface gigabitethernet1/1 Switch(config-if)# storm-control broadcast level 20
Configuring Small-Frame Arrival Rate
Incoming VLAN-tagged packets smaller than 67 bytes are considered small frames. They are forwarded by the switch, but they do not cause the switch storm-control counters to increment. In Cisco IOS Release 12.2(44)SE and later, you can configure a port to be error disabled if small frames arrive at a specified rate (threshold).
You globally enable the small-frame arrival feature on the switch and then configure the small-frame threshold for packets on each interface. Packets smaller than the minimum size and arriving at a specified rate (the threshold) are dropped since the port is error disabled.
If the errdisable recovery cause small-frame global configuration command is entered, the port is re-enabled after a specified time. (You specify the recovery time by using errdisable recovery global configuration command.)
Beginning in privileged EXEC mode, follow these steps to configure the threshold level for each interface:
|
|
|
Step 1
|
configure terminal
|
Enter global configuration mode.
|
Step 2
|
errdisable detect cause small-frame
|
Enable the small-frame rate-arrival feature on the switch.
|
Step 3
|
errdisable recovery
interval
interval
|
(Optional) Specify the time to recover from the specified error-disabled state.
|
Step 4
|
errdisable recovery cause small-frame
|
(Optional) Configure the recovery time for error-disabled ports to be automatically re-enabled after they are error disabled by the arrival of small frames
|
Step 5
|
interface
interface-id
|
Enter interface configuration mode, and specify the interface to be configured.
|
Step 6
|
small violation-rate pps
|
Configure the threshold rate for the interface to drop incoming packets and error disable the port. The range is 1 to 10,000 packets per second (pps)
|
Step 7
|
end
|
Return to privileged EXEC mode.
|
Step 8
|
show interfaces
interface-id
|
Verify the configuration.
|
Step 9
|
copy running-config startup-config
|
(Optional) Save your entries in the configuration file.
|
This example shows how to enable the small-frame arrival-rate feature, configure the port recovery time, and configure the threshold for error disabling a port:
Switch# configure terminal Switch# errdisable detect cause small-frame Switch# errdisable recovery cause small-frame Switch(config)# interface gigabitethernet1/1 Switch(config-if)# small-frame violation rate 10000
Configuring Protected Ports
Some applications require that no traffic be forwarded at Layer 2 between ports on the same switch so that one neighbor does not see the traffic generated by another neighbor. In such an environment, the use of protected ports ensures that there is no exchange of unicast, broadcast, or multicast traffic between these ports on the switch.
Protected ports have these features:
-
A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is also a protected port. Data traffic cannot be forwarded between protected ports at Layer 2; only control traffic, such as PIM packets, is forwarded because these packets are processed by the CPU and forwarded in software. All data traffic passing between protected ports must be forwarded through a Layer 3 device.
-
Forwarding behavior between a protected port and a nonprotected port proceeds as usual.
These sections contain this configuration information:
Default Protected Port Configuration
The default is to have no protected ports defined.
Protected Port Configuration Guidelines
You can configure protected ports on a physical interface (for example, Gigabit Ethernet port 1) or an EtherChannel group (for example, port-channel 5). When you enable protected ports for a port channel, it is enabled for all ports in the port-channel group.
Do not configure a private-VLAN port as a protected port. Do not configure a protected port as a private-VLAN port. A private-VLAN isolated port does not forward traffic to other isolated ports or community ports. For more information about private VLANs, see Chapter20, “Configuring Private VLANs”
Configuring a Protected Port
Beginning in privileged EXEC mode, follow these steps to define a port as a protected port:
|
|
|
Step 1
|
configure terminal
|
Enter global configuration mode.
|
Step 2
|
interface
interface-id
|
Specify the interface to be configured, and enter interface configuration mode.
|
Step 3
|
switchport protected
|
Configure the interface to be a protected port.
|
Step 4
|
end
|
Return to privileged EXEC mode.
|
Step 5
|
show
interfaces
interface-id
switchport
|
Verify your entries.
|
Step 6
|
copy running-config startup-config
|
(Optional) Save your entries in the configuration file.
|
To disable protected port, use the
no switchport protected
interface configuration command.
This example shows how to configure a port as a protected port:
Switch# configure terminal Switch(config)# interface gigabitethernet1/1 Switch(config-if)# switchport protected
Configuring Port Blocking
By default, the switch floods packets with unknown destination MAC addresses out of all ports. If unknown unicast and multicast traffic is forwarded to a protected port, there could be security issues. To prevent unknown unicast or multicast traffic from being forwarded from one port to another, you can block a port (protected or nonprotected) from flooding unknown unicast or multicast packets to other ports.
Note With multicast traffic, the port blocking feature blocks only pure Layer 2 packets. Multicast packets that contain IPv4 or IPv6 information in the header are not blocked.
These sections contain this configuration information:
Default Port Blocking Configuration
The default is to not block flooding of unknown multicast and unicast traffic out of a port, but to flood these packets to all ports.
Blocking Flooded Traffic on an Interface
Note The interface can be a physical interface or an EtherChannel group. When you block multicast or unicast traffic for a port channel, it is blocked on all ports in the port-channel group.
Beginning in privileged EXEC mode, follow these steps to disable the flooding of unicast packets and Layer 2 multicast packets out of an interface:
|
|
|
Step 1
|
configure terminal
|
Enter global configuration mode.
|
Step 2
|
interface
interface-id
|
Specify the interface to be configured, and enter interface configuration mode.
|
Step 3
|
switchport block multicast
|
Block unknown multicast forwarding out of the port.
Note Only pure Layer 2 multicast traffic is blocked. Multicast packets that contain IPv4 or IPv6 information in the header are not blocked. |
Step 4
|
switchport block unicast
|
Block unknown unicast forwarding out of the port.
|
Step 5
|
end
|
Return to privileged EXEC mode.
|
Step 6
|
show
interfaces
interface-id
switchport
|
Verify your entries.
|
Step 7
|
copy running-config startup-config
|
(Optional) Save your entries in the configuration file.
|
To return the interface to the default condition where no traffic is blocked and normal forwarding occurs on the port, use the
no switchport block
{
multicast
|
unicast
} interface configuration commands.
This example shows how to block unicast and Layer 2 multicast flooding on a port:
Switch# configure terminal Switch(config)# interface gigabitethernet1/1 Switch(config-if)# switchport block multicast Switch(config-if)# switchport block unicast
Configuring Port Security
You can use the port security feature to restrict input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the workstation attached to that port is assured the full bandwidth of the port.
If a port is configured as a secure port and the maximum number of secure MAC addresses is reached, when the MAC address of a station attempting to access the port is different from any of the identified secure MAC addresses, a security violation occurs. Also, if a station with a secure MAC address configured or learned on one secure port attempts to access another secure port, a violation is flagged.
These sections contain this conceptual and configuration information:
Understanding Port Security
These sections contain this conceptual information:
Secure MAC Addresses
You configure the maximum number of secure addresses allowed on a port by using the
switchport port-security maximum
value
interface configuration command.
Note If you try to set the maximum value to a number less than the number of secure addresses already configured on an interface, the command is rejected.
The switch supports these types of secure MAC addresses:
-
Static secure MAC addresses—These are manually configured by using the
switchport port-security mac-address
mac-address
interface configuration command, stored in the address table, and added to the switch running configuration.
-
Dynamic secure MAC addresses—These are dynamically configured, stored only in the address table, and removed when the switch restarts.
-
Sticky
secure MAC addresses—These can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, when the switch restarts, the interface does not need to dynamically reconfigure them.
You can configure an interface to convert the dynamic MAC addresses to sticky secure MAC addresses and to add them to the running configuration by enabling
sticky learning
. To enable sticky learning, enter the
switchport
port-security mac-address sticky
interface configuration command. When you enter this command, the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses. All sticky secure MAC addresses are added to the running configuration.
The sticky secure MAC addresses do not automatically become part of the configuration file, which is the startup
configuration used each time the switch restarts. If you save the sticky secure MAC addresses in the configuration file, when the switch restarts, the interface does not need to relearn these addresses. If you do not save the sticky secure addresses, they are lost.
If sticky learning is disabled, the sticky secure MAC addresses are converted to dynamic secure addresses and are removed from the running configuration.
The maximum number of secure MAC addresses that you can configure on a switch is set by the maximum number of available MAC addresses allowed in the system. This number is determined by the active Switch Database Management (SDM) template. See Chapter10, “Configuring SDM Templates” This number is the total of available MAC addresses, including those used for other Layer 2 functions and any other secure MAC addresses configured on interfaces.
Security Violations
It is a security violation when one of these situations occurs:
-
The maximum number of secure MAC addresses have been added to the address table, and a station whose MAC address is not in the address table attempts to access the interface.
-
An address learned or configured on one secure interface is seen on another secure interface in the same VLAN.
You can configure the interface for one of four violation modes, based on the action to be taken if a violation occurs:
-
protect—When the number of secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.
Note We do not recommend configuring the protect violation mode on a trunk port. The protect mode disables learning when any VLAN reaches its maximum limit, even if the port has not reached its maximum limit.
-
restrict—When the number of secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses. In this mode, you are notified that a security violation has occurred. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.
-
shutdown—A port security violation causes the interface to become error-disabled and to shut down immediately, and the port LED turns off. An SNMP trap is sent, a syslog message is logged, and the violation counter increments. When a secure port is in the error-disabled state, you can bring it out of this state by entering the
errdisable recovery cause
psecure-violation
global configuration command, or you can manually re-enable it by entering the
shutdown
and
no shut down
interface configuration commands. This is the default mode.
-
shutdown vlan—Use to set the security violation mode per-VLAN. In this mode, the VLAN is error disabled instead of the entire port when a violation occurs
Table 29-1
shows the violation mode and the actions taken when you configure an interface for port security.
Table 29-1 Security Violation Mode Actions
|
|
|
|
|
Violation counter increments
|
|
protect
|
No
|
No
|
No
|
No
|
No
|
No
|
restrict
|
No
|
Yes
|
Yes
|
No
|
Yes
|
No
|
shutdown
|
No
|
No
|
No
|
No
|
Yes
|
Yes
|
shutdown vlan
|
No
|
No
|
Yes
|
No
|
Yes
|
No
|
Default Port Security Configuration
Table 29-2
shows the default port security configuration for an interface.
Table 29-2 Default Port Security Configuration
|
|
Port security
|
Disabled on a port.
|
Sticky address learning
|
Disabled.
|
Maximum number of secure MAC addresses per port
|
1
|
Violation mode
|
Shutdown. The port shuts down when the maximum number of secure MAC addresses is exceeded.
|
Port security aging
|
Disabled. Aging time is 0.
Static aging is disabled.
Type is absolute.
|
Port Security Configuration Guidelines
Follow these guidelines when configuring port security:
-
Port security can only be configured on static access ports or trunk ports. A secure port cannot be a dynamic access port.
-
A secure port cannot be a destination port for Switched Port Analyzer (SPAN).
Note Voice VLAN is only supported on access ports and not on trunk ports, even though the configuration is allowed.
-
When you enable port security on an interface that is also configured with a voice VLAN, set the maximum allowed secure addresses on the port to two. When the port is connected to a Cisco IP phone, the IP phone requires one MAC address. The Cisco IP phone address is learned on the voice VLAN, but is not learned on the access VLAN. If you connect a single PC to the Cisco IP phone, no additional MAC addresses are required. If you connect more than one PC to the Cisco IP phone, you must configure enough secure addresses to allow one for each PC and one for the phone.
-
When a trunk port configured with port security and assigned to an access VLAN for data traffic and to a voice VLAN for voice traffic, entering the
switchport voice
and
switchport priority extend
interface configuration commands has no effect.
When a connected device uses the same MAC address to request an IP address for the access VLAN and then an IP address for the voice VLAN, only the access VLAN is assigned an IP address.
-
When confguring port security, first specify the total number of MAC addresses you want to allow, by using the
switchport port-security maximum
interface configuration command and then configure the number of access VLANs (
switchport port-security vlan access
interface configuration command) and voice VLANs (
switchport port-security vlan voice
interface configuration command) you want to allow. If you do not specify the total number first, the system returns to the default setting (1 MAC address).
-
When you enter a maximum secure address value for an interface, and the new value is greater than the previous value, the new value overwrites the previously configured value. If the new value is less than the previous value and the number of configured secure addresses on the interface exceeds the new value, the command is rejected.
-
The switch does not support port security aging of sticky secure MAC addresses.
Table 29-3
summarizes port security compatibility with other port-based features.
Table 29-3 Port Security Compatibility with Other Switch Features
Type of Port or Feature on Port
|
Compatible with Port Security
|
DTP port
|
No
|
Trunk port
|
Yes
|
Dynamic-access port
|
No
|
Routed port
|
No
|
SPAN source port
|
Yes
|
SPAN destination port
|
No
|
EtherChannel
|
Yes
|
Tunneling port
|
Yes
|
Protected port
|
Yes
|
IEEE 802.1x port
|
Yes
|
Voice VLAN port
|
Yes
|
Private VLAN port
|
Yes
|
IP source guard
|
Yes
|
Dynamic Address Resolution Protocol (ARP) inspection
|
Yes
|
Flex Links
|
Yes
|
Enabling and Configuring Port Security
Beginning in privileged EXEC mode, follow these steps to restrict input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port:
|
|
|
Step 1
|
configure terminal
|
Enter global configuration mode.
|
Step 2
|
interface
interface-id
|
Specify the interface to be configured, and enter interface configuration mode.
|
Step 3
|
switchport mode
{
access | trunk
}
|
Set the interface switchport mode as access or trunk; an interface in the default mode (dynamic auto) cannot be configured as a secure port.
|
Step 4
|
switchport voice vlan
vlan-id
|
Enable voice VLAN on a port.
vlan-id
—Specify the VLAN to be used for voice traffic.
|
Step 5
|
switchport port-security
|
Enable port security on the interface.
|
Step 6
|
switchport port-security
[maximum value [vlan {vlan-list | {access | voice}}]]
|
(Optional)
maximum
—Specify the maximum number of secure MAC addresses on the port. By default only 1 MAC address is allowed.
The maximum number of secure MAC addresses that you can configure on a switch is set by the maximum number of available MAC addresses allowed in the system. This number is set by the active Switch Database Management (SDM) template. See Chapter10, “Configuring the Switch SDM Template”This number is the total of available MAC addresses, including those used for other Layer 2 functions and any other secure MAC addresses configured on interfaces.
(Optional)
vlan
—set a per-VLAN maximum value
Enter one of these options after you enter the
vlan
keyword:
-
vlan-list
—On a trunk port, you can set a per-VLAN maximum value on a range of VLANs separated by a hyphen or a series of VLANs separated by commas. For nonspecified VLANs, the per-VLAN maximum value is used.
-
access
—On an access port, specify the VLAN as an access VLAN.
-
voice
—On an access port, specify the VLAN as a voice VLAN.
Note The voice keyword is available only if a voice VLAN is configured on a port and if that port is not the access VLAN. If an interface is configured for voice VLAN, configure a maximum of two secure MAC addresses. |
Step 7
|
switchport port-security [violation
{
protect | restrict | shutdown
|
shutdown vlan
}]
|
(Optional) Set the violation mode, the action to be taken when a security violation is detected, as one of these:
-
protect
—When the number of port secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.
Note We do not recommend configuring the protect mode on a trunk port. The protect mode disables learning when any VLAN reaches its maximum limit, even if the port has not reached its maximum limit.
-
restrict
—When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.
-
shutdown
—The interface is error disabled when a violation occurs, and the port LED turns off. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.
-
shutdown vlan—Use to set the security violation mode per VLAN. In this mode, the VLAN is error disabled instead of the entire port when a violation occurs.
Note When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command. You can manually re-enable it by entering the shutdown and no shutdown interface configuration commands or by using the clear errdisable interface vlan privileged EXEC command. |
Step 8
|
switchport port-security
[mac-address
mac-address
[vlan {
vlan-id
| {access | voice}}]
|
(Optional) Enter a secure MAC address for the interface. You can use this command to enter the maximum number of secure MAC addresses. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned.
Note If you enable sticky learning after you enter this command, the secure addresses that were dynamically learned are converted to sticky secure MAC addresses and are added to the running configuration.
(Optional)
vlan
—set a per-VLAN maximum value.
Enter one of these options after you enter the
vlan
keyword:
-
vlan-id
—On a trunk port, you can specify the VLAN ID and the MAC address. If you do not specify a VLAN ID, the native VLAN is used.
-
access
—On an access port, specify the VLAN as an access VLAN.
-
voice
—On an access port, specify the VLAN as a voice VLAN.
Note The voice keyword is available only if a voice VLAN is configured on a port and if that port is not the access VLAN. If an interface is configured for voice VLAN, configure a maximum of two secure MAC addresses. |
Step 9
|
switchport port-security mac-address sticky
|
(Optional) Enable sticky learning on the interface.
|
Step 10
|
switchport port-security
mac-address sticky [mac-address | vlan {vlan-id | {access | voice}}]
|
(Optional) Enter a sticky secure MAC address, repeating the command as many times as necessary. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned, are converted to sticky secure MAC addresses, and are added to the running configuration.
Note If you do not enable sticky learning before this command is entered, an error message appears, and you cannot enter a sticky secure MAC address.
(Optional)
vlan
—set a per-VLAN maximum value.
Enter one of these options after you enter the
vlan
keyword:
-
vlan-id
—On a trunk port, you can specify the VLAN ID and the MAC address. If you do not specify a VLAN ID, the native VLAN is used.
-
access
—On an access port, specify the VLAN as an access VLAN.
-
voice
—On an access port, specify the VLAN as a voice VLAN.
Note The voice keyword is available only if a voice VLAN is configured on a port and if that port is not the access VLAN. |
Step 11
|
end
|
Return to privileged EXEC mode.
|
Step 12
|
show port-security
|
Verify your entries.
|
Step 13
|
copy running-config startup-config
|
(Optional) Save your entries in the configuration file.
|
To return the interface to the default condition as not a secure port, use the
no switchport port-security
interface configuration command. If you enter this command when sticky learning is enabled, the sticky secure addresses remain part of the running configuration but are removed from the address table. All addresses are now dynamically learned.
To return the interface to the default number of secure MAC addresses, use the
no
switchport port-security maximum
value
interface configuration command. To return the violation mode to the default condition (shutdown mode), use the
no
switchport port-security violation
{
protocol
|
restrict
}
interface configuration command.
To disable sticky learning on an interface, use the
no switchport port-security mac-address sticky
interface configuration command. The interface converts the sticky secure MAC addresses to dynamic secure addresses. However, if you have previously saved the configuration with the sticky MAC addresses, you should save the configuration again after entering the
no switchport port-security mac-address sticky
command, or the sticky addresses will be restored if the switch reboots.
Use the clear port-security
{
all
|
configured | dynamic | sticky
} privileged EXEC command
to delete from the MAC address table all secure addresses or all secure addresses of a specific type (configured, dynamic, or sticky) on the switch or on an interface.
To delete a specific secure MAC address from the address table, use the
no switchport port-security mac-address
mac-address
interface configuration command. To delete all dynamic secure addresses on an interface from the address table, enter the
no switchport port-security
interface configuration command followed by the
switchport port-security
command (to re-enable port security on the interface). If you use the
no switchport port-security mac-address sticky
interface configuration command to convert sticky secure MAC addresses to dynamic secure MAC addresses before entering the
no switchport port-security
command, all secure addresses on the interface except those that were manually configured are deleted.
You must specifically delete configured secure MAC addresses from the address table by using the
no switchport port-security mac-address
mac-address
interface configuration command.
This example shows how to enable port security on a port and to set the maximum number of secure addresses to 50. The violation mode is the default, no static secure MAC addresses are configured, and sticky learning is enabled.
Switch(config)# interface gigabitethernet1/1 Switch(config-if)# switchport mode access Switch(config-if)# switchport port-security Switch(config-if)# switchport port-security maximum 50 Switch(config-if)# switchport port-security mac-address sticky
This example shows how to configure a static secure MAC address on VLAN 3 on a port:
Switch(config)# interface gigabitethernet1/2 Switch(config-if)# switchport mode trunk Switch(config-if)# switchport port-security Switch(config-if)# switchport port-security mac-address 0000.02000.0004 vlan 3
This example shows how to enable sticky port security on a port, to manually configure MAC addresses for data VLAN and voice VLAN, and to set the total maximum number of secure addresses to 20 (10 for data VLAN and 10 for voice VLAN).
Switch(config)# interface FastEthernet1/1 Switch(config-if)# switchport access vlan 21 Switch(config-if)# switchport mode access Switch(config-if)# switchport voice vlan 22 Switch(config-if)# switchport port-security Switch(config-if)# switchport port-security maximum 20 Switch(config-if)# switchport port-security violation restrict Switch(config-if)# switchport port-security mac-address sticky Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0002 Switch(config-if)# switchport port-security mac-address 0000.0000.0003 Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0001 vlan voice Switch(config-if)# switchport port-security mac-address 0000.0000.0004 vlan voice Switch(config-if)# switchport port-security maximum 10 vlan access Switch(config-if)# switchport port-security maximum 10 vlan voice
Enabling and Configuring Port Security Aging
You can use port security aging to set the aging time for all secure addresses on a port. Two types of aging are supported per port:
-
Absolute—The secure addresses on the port are deleted after the specified aging time.
-
Inactivity—The secure addresses on the port are deleted only if the secure addresses are inactive for the specified aging time.
Use this feature to remove and add devices on a secure port without manually deleting the existing secure MAC addresses and to still limit the number of secure addresses on a port. You can enable or disable the aging of secure addresses on a per-port basis.
Beginning in privileged EXEC mode, follow these steps to configure port security aging:
|
|
|
Step 1
|
configure terminal
|
Enter global configuration mode.
|
Step 2
|
interface
interface-id
|
Specify the interface to be configured, and enter interface configuration mode.
|
Step 3
|
switchport port-security
aging
{
static | time
time
|
type
{
absolute | inactivity}
}
|
Enable or disable static aging for the secure port, or set the aging time or type.
Note The switch does not support port security aging of sticky secure addresses.
Enter
static
to enable aging for statically configured secure addresses on this port.
For
time
, specify the aging time for this port. The valid range is from 0 to 1440 minutes.
For
type
, select one of these keywords:
-
absolute
—Sets the aging type as absolute aging. All the secure addresses on this port age out exactly after the time (minutes) specified lapses and are removed from the secure address list.
-
inactivity
—Sets the aging type as inactivity aging. The secure addresses on this port age out only if there is no data traffic from the secure source addresses for the specified time period.
|
Step 4
|
end
|
Return to privileged EXEC mode.
|
Step 5
|
show port-security
[
interface
interface-id
] [
address
]
|
Verify your entries.
|
Step 6
|
copy running-config startup-config
|
(Optional) Save your entries in the configuration file.
|
To disable port security aging for all secure addresses on a port, use the no
switchport port-security
aging
time
interface configuration command. To disable aging for only statically configured secure addresses, use the no
switchport port-security
aging
static
interface configuration command.
This example shows how to set the aging time as 2 hours for the secure addresses on a port:
Switch(config)# interface gigabitethernet1/1 Switch(config-if)# switchport port-security aging time 120
This example shows how to set the aging time as 2 minutes for the inactivity aging type with aging enabled for the configured secure addresses on the interface:
Switch(config-if)# switchport port-security aging time 2 Switch(config-if)# switchport port-security aging type inactivity Switch(config-if)# switchport port-security aging static
You can verify the previous commands by entering the
show port-security interface
interface-id
privileged EXEC command.
Port Security and Private VLANs
Port security allows an administrator to limit the number of MAC addresses learned on a port or to define which MAC addresses can be learned on a port.
Beginning in privileged EXEC mode, follow these steps to configure port security on a PVLAN host and promiscuous ports:
|
|
|
Step 1
|
configure terminal
|
Enter global configuration mode.
|
Step 2
|
interface
interface-id
|
Specify the interface to be configured, and enter interface configuration mode.
|
Step 3
|
switchport mode private-vlan
{
host
|
promiscuous
}
|
Enable a private vlan on the interface.
|
Step 4
|
switchport port-security
|
Enable port security on the interface.
|
Step 5
|
end
|
Return to privileged EXEC mode.
|
Step 6
|
show port-security
[
interface
interface-id
] [
address
]
|
Verify your entries.
|
Step 7
|
copy running-config startup-config
|
(Optional) Save your entries in the configuration file.
|
Switch(config)# interface gigabitethernet1/1 Switch(config-if)# switchport private-vlan mapping 2061 2201-2206,3101 Switch(config-if)# switchport mode private-vlan promiscuous Switch(config-if)# switchport port-security maximum 288 Switch(config-if)# switchport port-security Switch(config-if)# switchport port-security violation restrict
Note Ports that have both port security and private VLANs configured can be labeled secure PVLAN ports. When a secure address is learned on a secure PVLAN port, the same secure address cannot be learned on another secure PVLAN port belonging to the same primary VLAN. However, an address learned on unsecure PVLAN port can be learned on a secure PVLAN port belonging to same primary VLAN.
Secure addresses that are learned on host port get automatically replicated on associated primary VLANs, and similarly, secure addresses learned on promiscuous ports automatically get replicated on all associated secondary VLANs. Static addresses (using mac-address-table static command) cannot be user configured on a secure port.
Configuring Protocol Storm Protection
Understanding Protocol Storm Protection
When a switch is flooded with Address Resolution Protocol (ARP) or control packets, high CPU utilization can cause the CPU to overload. These issues can occur:
-
Routing protocol can flap because the protocol control packets are not received, and neighboring adjacencies are dropped.
-
Spanning Tree Protocol (STP) reconverges because the STP bridge protocol data unit (BPDU) cannot be sent or received.
-
CLI is slow or unresponsive.
Using protocol storm protection, you can control the rate at which control packets are sent to the switch by specifying the upper threshold for the packet flow rate. The supported protocols are ARP, ARP snooping, Dynamic Host Configuration Protocol (DHCP) v4, DHCP snooping, Internet Group Management Protocol (IGMP), and IGMP snooping.
When the packet rate exceeds the defined threshold, the switch drops all traffic arriving on the specified virtual port for 30 seconds. The packet rate is measured again, and protocol storm protection is again applied if necessary.
For further protection, you can manually error disable the virtual port, blocking all incoming traffic on the virtual port. You can manually enable the virtual port or set a time interval for automatic re-enabling of the virtual port.
Note Excess packets are dropped on no more than two virtual ports.
Virtual port error disabling is not supported for EtherChannel and Flexlink interfaces.
Default Protocol Storm Protection Configuration
Protocol storm protection is disabled by default. When it is enabled, auto-recovery of the virtual port is disabled by default.
Enabling Protocol Storm Protection
Beginning in privileged EXEC mode, follow these steps to configure protocol storm protection.
|
|
|
Step 1
|
configure terminal
|
Enter global configuration mode.
|
Step 2
|
psp
{
arp
|
dhcp
|
igmp
}
pps
value
|
Configure protocol storm protection for ARP, IGMP, or DHCP.
For
value
, specify the threshold value for the number of packets per second. If the traffic exceeds this value, protocol storm protection is enforced. The range is from 5 to 50 packets per second.
|
Step 3
|
errdisable detect cause psp
|
(Optional) Enable error-disable detection for protocol storm protection. If this feature is enabled, the virtual port is error disabled. If this feature is disabled, the port drops excess packets without error disabling the port.
|
Step 4
|
errdisable recovery interval
time
|
(Optional) Configure an auto-recovery time (in seconds) for error-disabled virtual ports. When a virtual port is error-disabled, the switch auto-recovers after this time. The range is from 30 to 86400 seconds.
|
Step 5
|
end
|
Return to privileged EXEC mode.
|
Step 6
|
show psp config
{
arp
|
dhcp
|
igmp
}
|
Verify your entries.
|
This example shows how to configure protocol storm protection to drop incoming DHCP traffic on DHCP when it exceeds 35 packets per second.
Switch# configure terminal Switch(config)# psp dhcp pps 35
To disable protocol storm protection for a specific protocol, use the
no
psp
{
arp
|
dhcp
|
igmp
} privileged EXEC command.
To disable error-disable detection for protocol storm protection, use the
no errdisable detect cause psp
global configuration command.
To manually re-enable an error-disabled virtual port, use the
errdisable recovery cause psp
global configuration command.
To disable auto-recovery of error-disabled ports, use the
no errdisable recovery cause psp
global configuration command.
When protocol storm protection is configured, a counter records the number of dropped packets. To see this counter, use the
show psp statistics
[
arp
|
igmp
|
dhcp
] privileged EXEC command. To clear the counter for a protocol, use the
clear psp counter
[
arp
|
igmp
|
dhcp
] command.