Sunday, December 9, 2007

Broadcast, Unicast and Multicast Storm Control on Cisco Switches

Note: I will cover this topic from the LAN perspective. Some of these concepts may not be recommended for carriers (at least not in this way).

Broadcast storms are still a big issue in today's networks. Sometimes these broadcast storms come from a virus; other times they come from a misconfigured network device.

I have found many cases where clients call complaining of huge performance degradation on their LANs. When I go and start verifying, I find some sort of broadcast storm. I've seen degradation from broadcast storms so bad that even console access to some switches becomes impossible. Remember that, under certain circumstances, the switch itself will need to respond to the broadcasts, especially when it is running Layer 3 on one of the affected VLANs.

Ironically, sometimes it is because one guy is experimenting with one application using a "vendor recommended" setup. IMPORTANT: those so-called vendor recommended setups are not always correct, so get someone with knowledge of your infrastructure to verify them first.

There are many applications, like video streaming, IP-based punch clocks, and IP-based surveillance trackers and cameras, that come with multicast or some broadcast-based protocol turned on by default. Other old, badly programmed applications use huge amounts of unicast packets to communicate between peers. Also, notice that denial-of-service attacks use unicast storms to achieve their objective. Finally, there are some Trojans and viruses that are badly coded and start scanning multicast IP ranges.

Every one of these examples is real and has been seen in networks during the past 10 years.

So, when you are deploying a Cisco-based switched LAN, there are some features that might help mitigate the impact of these types of storms.

Cisco storm control is part of the port-based traffic control mechanisms defined on Cisco switches. Storm control allows you to set up thresholds for unicast, multicast and broadcast traffic on a per-port basis. These thresholds are set as a percentage of the port's total available bandwidth, but you can also fine tune them and specify bits-per-second (bps) or packets-per-second (pps). By default the threshold is 100%, meaning each traffic type can use all the available bandwidth on the port.

So, what happens when the threshold is reached? The switch will block that type of traffic on the port until the traffic rate drops below the specified threshold (the lower value, when two are given). After that it resumes its normal traffic forwarding.

The general syntax is:

storm-control {broadcast | multicast | unicast} level {level [level-low] | bps bps [bps-low] | pps pps [pps-low]}

Let's start with an example and explain the different setups. (Note: this is not a recommended setup; it is for explanation purposes only.)

interface FastEthernet 0/0
storm-control broadcast level 5
storm-control unicast level 15 10
storm-control multicast level bps 1000000 900000

So the previous example is setting up the following thresholds:

  • Broadcast is blocked after consuming 5% of the bandwidth and forwarded again after going back below 5%
  • Unicast is blocked after consuming 15% of the bandwidth and forwarded again after going below 10%
  • Multicast is blocked after consuming 1 Mbps of the total bandwidth and forwarded again after going below 900 Kbps.
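To make the rising/falling behaviour of these thresholds concrete, here is an added example (my own illustration, not Cisco IOS code or anything from the Cisco documentation). It parses storm-control lines written in the syntax shown above and replays a sequence of per-interval traffic rates to show when suppression starts and stops. Assumptions: the port is FastEthernet, so percentage levels are converted against 100 Mbit/s; a sample that reaches the rising threshold triggers suppression and a sample strictly below the falling threshold releases it; the traffic samples are invented.

```python
"""Added example: parser plus threshold simulator for storm-control lines.

Constructed for illustration only; not Cisco IOS code. The traffic-rate
samples used at the bottom are invented.
"""
import re
from dataclasses import dataclass

# Assumption: a FastEthernet port, so percentage levels convert against 100 Mbit/s.
PORT_BPS = 100_000_000

# Matches the syntax line from the post:
#   storm-control {broadcast|multicast|unicast} level {level [level-low] | bps bps [bps-low] | pps pps [pps-low]}
LINE_RE = re.compile(
    r"^\s*storm-control\s+(broadcast|multicast|unicast)\s+level\s+"
    r"(?:(bps|pps)\s+)?([0-9.]+)(?:\s+([0-9.]+))?\s*$"
)


@dataclass
class Threshold:
    traffic: str    # broadcast, multicast or unicast
    unit: str       # "level" (percent of port bandwidth), "bps" or "pps"
    rising: float   # suppression starts when a sample reaches this value
    falling: float  # suppression ends once a sample drops below this value

    def rising_bps(self, port_bps: int = PORT_BPS) -> float:
        """Rising threshold expressed in bit/s (pps has no bit/s equivalent)."""
        if self.unit == "level":
            return port_bps * self.rising / 100.0
        if self.unit == "bps":
            return self.rising
        raise ValueError("pps thresholds need a packet size to convert to bit/s")


def parse_storm_control(config_text: str) -> dict:
    """Return {traffic_type: Threshold} for every storm-control line in the text."""
    thresholds = {}
    for line in config_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # interface lines and other commands are ignored
        traffic, unit, rising, falling = m.groups()
        unit = unit or "level"
        rising = float(rising)
        # A single value means the falling threshold equals the rising one.
        falling = float(falling) if falling is not None else rising
        if unit == "level" and not 0 <= rising <= 100:
            raise ValueError(f"{traffic}: percentage level must be 0-100, got {rising}")
        if falling > rising:
            raise ValueError(f"{traffic}: falling threshold {falling} is above rising {rising}")
        thresholds[traffic] = Threshold(traffic, unit, rising, falling)
    return thresholds


def simulate(th: Threshold, samples) -> list:
    """Replay per-interval rate samples (same unit as the threshold) and return,
    per sample, whether the port is suppressing that traffic type.

    Hysteresis: suppression starts when a sample reaches the rising threshold
    and only ends when a later sample falls below the falling threshold.
    """
    suppressed = False
    states = []
    for rate in samples:
        if not suppressed and rate >= th.rising:
            suppressed = True
        elif suppressed and rate < th.falling:
            suppressed = False
        states.append(suppressed)
    return states


# The post's (explicitly non-recommended) example configuration.
PAGE_CONFIG = """
interface FastEthernet 0/0
storm-control broadcast level 5
storm-control unicast level 15 10
storm-control multicast level bps 1000000 900000
"""

if __name__ == "__main__":
    thresholds = parse_storm_control(PAGE_CONFIG)
    for th in thresholds.values():
        print(f"{th.traffic:9s} unit={th.unit:5s} rising={th.rising} falling={th.falling}")
    # Constructed unicast samples, in percent of port bandwidth, one per interval.
    unicast_samples = [2, 8, 16, 12, 11, 9, 3]
    print(simulate(thresholds["unicast"], unicast_samples))
```

Running it shows the point of the two-value form: with `level 15 10`, a unicast burst to 16% starts suppression, and the port keeps suppressing through 12% and 11% until a sample drops below 10%, which avoids the rapid block/unblock flapping you would get with a single threshold.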

As you can see, the storm control feature is quite powerful yet quite simple to use and understand. My recommendation: use it at least for broadcast storm prevention.

You may find more detailed information at the Cisco site or by visiting this link.


  1. I get an error while configuring storm-control. What is the solution for this?

    switch(config-if)#storm-control multicast level 50
    Command Rejected: Multicast suppression is not supported on Gi5/8

    1. Hi,
      The interface must be L2. Storm control is not supported on an interface operating at L3.