Port Based Traffic Control

By | May 21, 2013

This post on port-based traffic control covers the following topics:

  • How to configure storm controls.
  • How to configure protected ports.
  • How to configure port blocking.

Let us go through each of them one by one:

How to configure storm controls.

A storm occurs when a network segment is flooded with packets, causing network instability. Broadcast, unicast or multicast storms can all cause this flooding. The storm control feature protects physical ports from these three types of storm. Storms are minimized on a per-port and per-traffic-type basis.

The command below shows how to enable storm control for the different traffic types:

Lab_Switch(config-if)#storm-control [broadcast | multicast | unicast] level level [.level]

The level is a threshold value, expressed as a percentage of the total available bandwidth. 100 means allow all traffic and 0.0 means block all traffic of that particular type.

How to configure protected ports.

A port is protected in a network segment where no traffic should be forwarded between two ports on the same switch. The protected feature blocks broadcast, multicast and unicast traffic only when both ports are configured as protected. Once two ports are configured as protected, no layer 2 communication happens between them; only layer 3 communication is possible between protected ports.

To enable the protected feature on a port, use the command below:

Lab_Switch(config-if)#switchport protected

Note: Once you configure a protected port on an EtherChannel group, the setting is automatically applied to all ports in the group.

How to configure port blocking.

By default, a switch forwards traffic to all ports if the MAC address is not in the switch's MAC address table. However, for security reasons, some environments need this default behavior disabled. We can choose to block either unicast or multicast traffic. Blocking is not enabled by default, even on a port that has been configured as a protected port.

The command below shows how to configure port blocking:

Lab_Switch(config-if)#switchport block [multicast | unicast]

Note: Once you configure a protected port on an EtherChannel group, the setting is automatically applied to all ports in the group.


The commands below show the details of the features configured above:

Show running-config interface fastethernet 0/10
interface FastEthernet0/10
switchport mode access
storm-control broadcast level 10.00
storm-control multicast level 10.00
storm-control unicast level 10.00

show running-config interface fastethernet 0/20
interface FastEthernet0/20
switchport mode dynamic auto
switchport block multicast
switchport block unicast
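
Stanzas like the two above can be checked for gaps automatically. The following Python script is an added example, not part of the original post: it parses running-config text and reports interfaces that lack storm control or unknown-traffic blocking, including protected ports where blocking was never turned on. The function names, the wording of the findings and interface Fa0/21 are assumptions made for illustration, and only the percentage form of the storm-control level is parsed.

```python
import re

# Constructed sample, modelled on the stanzas above plus a hypothetical Fa0/21.
SAMPLE_CONFIG = """\
interface FastEthernet0/10
 storm-control broadcast level 10.00
 storm-control multicast level 10.00
 storm-control unicast level 10.00
interface FastEthernet0/20
 switchport block multicast
 switchport block unicast
interface FastEthernet0/21
 switchport protected
 storm-control broadcast level 100
"""

def parse_interfaces(config):
    """Split running-config text into {interface name: [stanza lines]}."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.lower().startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif not line or line == "!":
            current = None  # a blank line or "!" closes the stanza
        elif current is not None:
            stanzas[current].append(line)
    return stanzas

def audit_interface(lines):
    """List storm-control and port-blocking gaps (percentage levels only)."""
    hits = (re.match(r"storm-control (\w+) level (\d+(?:\.\d+)?)", ln) for ln in lines)
    levels = {m.group(1): float(m.group(2)) for m in hits if m}
    findings = []
    for kind in ("broadcast", "multicast", "unicast"):
        if kind not in levels:
            findings.append(f"no storm-control for {kind}")
        elif levels[kind] >= 100:
            findings.append(f"storm-control {kind} level 100 allows all traffic")
    # "switchport protected" does not enable blocking, so check it separately.
    suffix = " (port is protected)" if "switchport protected" in lines else ""
    for kind in ("unicast", "multicast"):
        if f"switchport block {kind}" not in lines:
            findings.append(f"unknown {kind} flooding not blocked{suffix}")
    return findings

def audit(config):
    return {name: audit_interface(lines) for name, lines in parse_interfaces(config).items()}
```

Calling `audit(SAMPLE_CONFIG)` returns a dictionary of findings keyed by interface name; an empty list means the interface has all three storm-control thresholds below 100 and both block commands.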

To view the storm control configuration, use the command below:

Lab_Switch1#show storm-control
Interface  Filter State   Level    Current
---------  -------------  -------  -------
Fa0/10     Forwarding     10.00%   0.00%
Fa0/20     inactive       100.00%  N/A
Fa0/3      inactive       100.00%  N/A
Fa0/4      inactive       100.00%  N/A
Fa0/5      inactive       100.00%  N/A
Fa0/6      inactive       100.00%  N/A
Fa0/7      inactive       100.00%  N/A
Fa0/8      inactive       100.00%  N/A
Fa0/9      inactive       100.00%  N/A
Fa0/10     inactive       100.00%  N/A

To view the switch port status:

show interfaces fastEthernet 0/2 switchport
Name: Fa0/2
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Protected: false
Unknown unicast blocked: enabled
Unknown multicast blocked: enabled