L2 security – storm control.

Storm control is a security feature that protects the network against packet floods. You can monitor unicast, broadcast and multicast packets. Traffic can be measured in three ways: pps (packets per second), bps (bits per second), or as a percentage of interface bandwidth. You can define two actions which will be triggered once a storm occurs: shutdown or trap.
Let’s do some tests on the following scenario:

            both switch port access vlan1 

                   Fa1/0/9   Fa1/0/11           
          /----\      \  ----- /       /----\ 
         |  R1  |-------| sw1 |-------|  R2  |
          \----/\        -----        /\----/ 
               Gig0/0             Gig0/0
              10.0.0.1           10.0.0.2     

a) Storm control for unicast:

On both ports of sw1 we enable storm control with a limit of 5 packets per second:

MP-SW(config-if-range)#storm-control unicast level pps 5

and action:

MP-SW(config-if-range)#storm-control action shutdown

For action ‘shutdown’ we have to configure ‘errdisable recovery’:

MP-SW(config)#errdisable recovery cause storm-control
MP-SW(config)#errdisable recovery interval 30

Now on both interfaces we have the following settings:

!
interface FastEthernet1/0/9
 description to R1-2911 gi0/0
 switchport mode access
 storm-control unicast level pps 5
 storm-control action shutdown
end
!
interface FastEthernet1/0/11
 description to R2-2911 gi0/0
 switchport mode access
 storm-control unicast level pps 5
 storm-control action shutdown
end
!
errdisable recovery cause storm-control
errdisable recovery interval 30
!

Let’s see how storm control works:

r2#ping 10.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
r2#

For normal traffic we can’t see any disruption. Let’s increase the number of packets to 6 (the limit is 5):

r2#ping 10.0.0.1 repeat 6

Type escape sequence to abort.
Sending 6, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!!
Success rate is 100 percent (6/6), round-trip min/avg/max = 1/1/4 ms
r2#

Now on sw1 we can see the storm control in action:

MP-SW#
*Mar  2 01:16:19.845: %PM-4-ERR_DISABLE: storm-control error detected on Fa1/0/9, putting Fa1/0/9 in err-disable state
*Mar  2 01:16:19.870: %STORM_CONTROL-3-SHUTDOWN: A packet storm was detected on Fa1/0/9. The interface has been disabled.
*Mar  2 01:16:19.870: %PM-4-ERR_DISABLE: storm-control error detected on Fa1/0/11, putting Fa1/0/11 in err-disable state
*Mar  2 01:16:20.868: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/9, changed state to down
*Mar  2 01:16:20.893: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/11, changed state to down
*Mar  2 01:16:21.875: %LINK-3-UPDOWN: Interface FastEthernet1/0/9, changed state to down
*Mar  2 01:16:21.900: %LINK-3-UPDOWN: Interface FastEthernet1/0/11, changed state to down

As we can see above, both interfaces detected a storm and shut down their ports. After 30 seconds we can see the err-disable recovery attempts:

*Mar  2 01:16:49.867: %PM-4-ERR_RECOVER: Attempting to recover from storm-control err-disable state on Fa1/0/9
*Mar  2 01:16:49.893: %PM-4-ERR_RECOVER: Attempting to recover from storm-control err-disable state on Fa1/0/11
*Mar  2 01:16:53.634: %LINK-3-UPDOWN: Interface FastEthernet1/0/9, changed state to up
*Mar  2 01:16:53.667: %LINK-3-UPDOWN: Interface FastEthernet1/0/11, changed state to up
*Mar  2 01:16:54.641: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/9, changed state to up
*Mar  2 01:16:54.674: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/11, changed state to up

And now both interfaces are up.

b) Storm control for broadcast

Let’s remove the unicast storm control on Fa1/0/11 and set up broadcast storm control with a limit of 6 packets per second:

MP-SW(config-if)#storm-control broadcast level pps 6

Now we ping R1, sending 5 packets (within both limits):

r2#ping 255.255.255.255

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 255.255.255.255, timeout is 2 seconds:
.
Reply to request 1 from 10.0.0.1, 1 ms
Reply to request 2 from 10.0.0.1, 1 ms
Reply to request 3 from 10.0.0.1, 1 ms
Reply to request 4 from 10.0.0.1, 1 ms
r2# 

Now we increase the number of packets to 6 and ensure we send all packets within 1 second:

r2#ping 255.255.255.255 repeat 6 timeout 0

Type escape sequence to abort.
Sending 6, 100-byte ICMP Echos to 255.255.255.255, timeout is 0 seconds:
......
r2#

On the switch we can see that port Fa1/0/9 is shut down:

MP-SW#
*Mar  2 01:33:16.821: %PM-4-ERR_DISABLE: storm-control error detected on Fa1/0/9, putting Fa1/0/9 in err-disable state
*Mar  2 01:33:16.846: %STORM_CONTROL-3-SHUTDOWN: A packet storm was detected on Fa1/0/9. The interface has been disabled.
*Mar  2 01:33:17.852: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/9, changed state to down
*Mar  2 01:33:18.851: %LINK-3-UPDOWN: Interface FastEthernet1/0/9, changed state to down

This means the unicast storm control detected a storm. It was caused by the ICMP echo-replies from R1 to R2. The broadcast limit wasn’t exceeded and the port is working fine. Let’s increase the number to 7:

r2#ping 255.255.255.255 repeat 7 timeout 0

Type escape sequence to abort.
Sending 7, 100-byte ICMP Echos to 255.255.255.255, timeout is 0 seconds:
.......
r2#

On the switch we see that ports Fa1/0/9 and Fa1/0/11 detected a storm:

MP-SW#
*Mar  2 01:38:42.903: %PM-4-ERR_DISABLE: storm-control error detected on Fa1/0/9, putting Fa1/0/9 in err-disable state
*Mar  2 01:38:42.928: %STORM_CONTROL-3-SHUTDOWN: A packet storm was detected on Fa1/0/9. The interface has been disabled.
*Mar  2 01:38:43.129: %PM-4-ERR_DISABLE: storm-control error detected on Fa1/0/11, putting Fa1/0/11 in err-disable state
*Mar  2 01:38:43.926: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/9, changed state to down
*Mar  2 01:38:44.153: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/11, changed state to down
*Mar  2 01:38:44.933: %LINK-3-UPDOWN: Interface FastEthernet1/0/9, changed state to down
*Mar  2 01:38:45.151: %LINK-3-UPDOWN: Interface FastEthernet1/0/11, changed state to down

On port Fa1/0/11 storm control detected a broadcast storm, and on port Fa1/0/9 the echo-replies triggered unicast storm control. After 30 seconds both ports were recovered:

*Mar  2 01:39:12.925: %PM-4-ERR_RECOVER: Attempting to recover from storm-control err-disable state on Fa1/0/9
*Mar  2 01:39:13.152: %PM-4-ERR_RECOVER: Attempting to recover from storm-control err-disable state on Fa1/0/11
*Mar  2 01:39:16.625: %LINK-3-UPDOWN: Interface FastEthernet1/0/9, changed state to up
*Mar  2 01:39:16.868: %LINK-3-UPDOWN: Interface FastEthernet1/0/11, changed state to up
*Mar  2 01:39:17.631: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/9, changed state to up
*Mar  2 01:39:17.875: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/11, changed state to up
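
The err-disable and recovery messages from tests a) and b) can be paired per interface to measure how long each port really stayed down and how often it cycled. The Python sketch below is an added example, not part of the original post; the function name storm_cycles is hypothetical and it assumes the log format shown above.

```python
import re
from collections import defaultdict

# Lines copied from the switch output on this page (tests a and b).
LOG = """\
*Mar  2 01:16:19.845: %PM-4-ERR_DISABLE: storm-control error detected on Fa1/0/9, putting Fa1/0/9 in err-disable state
*Mar  2 01:16:19.870: %PM-4-ERR_DISABLE: storm-control error detected on Fa1/0/11, putting Fa1/0/11 in err-disable state
*Mar  2 01:16:49.867: %PM-4-ERR_RECOVER: Attempting to recover from storm-control err-disable state on Fa1/0/9
*Mar  2 01:16:49.893: %PM-4-ERR_RECOVER: Attempting to recover from storm-control err-disable state on Fa1/0/11
*Mar  2 01:16:53.634: %LINK-3-UPDOWN: Interface FastEthernet1/0/9, changed state to up
*Mar  2 01:16:53.667: %LINK-3-UPDOWN: Interface FastEthernet1/0/11, changed state to up
*Mar  2 01:38:42.903: %PM-4-ERR_DISABLE: storm-control error detected on Fa1/0/9, putting Fa1/0/9 in err-disable state
*Mar  2 01:38:43.129: %PM-4-ERR_DISABLE: storm-control error detected on Fa1/0/11, putting Fa1/0/11 in err-disable state
*Mar  2 01:39:12.925: %PM-4-ERR_RECOVER: Attempting to recover from storm-control err-disable state on Fa1/0/9
*Mar  2 01:39:13.152: %PM-4-ERR_RECOVER: Attempting to recover from storm-control err-disable state on Fa1/0/11
*Mar  2 01:39:16.625: %LINK-3-UPDOWN: Interface FastEthernet1/0/9, changed state to up
*Mar  2 01:39:16.868: %LINK-3-UPDOWN: Interface FastEthernet1/0/11, changed state to up
"""

STAMP = re.compile(r"^\*\w+\s+(\d+) (\d+):(\d+):(\d+\.\d+): (.*)$")
EVENTS = {
    "down": re.compile(r"%PM-4-ERR_DISABLE: storm-control error detected on (\S+),"),
    "recover": re.compile(r"%PM-4-ERR_RECOVER: .*storm-control err-disable state on (\S+)"),
    "up": re.compile(r"%LINK-3-UPDOWN: Interface (\S+), changed state to up"),
}

def storm_cycles(log):
    """Map interface -> [(seconds until recovery attempt, seconds until link up)]."""
    pending, cycles = {}, defaultdict(list)
    for line in log.splitlines():
        m = STAMP.match(line)
        if not m:
            continue
        day, hh, mm, ss, msg = m.groups()
        # Assumption: all events fall in the same month (the timestamps carry no year).
        t = int(day) * 86400 + int(hh) * 3600 + int(mm) * 60 + float(ss)
        for kind, rx in EVENTS.items():
            hit = rx.search(msg)
            if not hit:
                continue
            iface = hit.group(1).replace("FastEthernet", "Fa")  # match the short name
            if kind == "down":
                pending[iface] = {"down": t}
            elif iface in pending:
                pending[iface][kind] = t
            if kind == "up" and "recover" in pending.get(iface, {}):
                c = pending.pop(iface)
                cycles[iface].append((round(c["recover"] - c["down"], 3), round(c["up"] - c["down"], 3)))
    return dict(cycles)
```

For Fa1/0/9 the first cycle comes out as (30.022, 33.789): the recovery attempt follows the configured 30-second interval, and the link is back a few seconds after that. An interface that collects many cycles in a short period is still receiving the traffic that trips the limit.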

c) Storm control for unicast/broadcast and bps:

Let’s set up a new limit of 1000000 bps (bits per second):

!
interface FastEthernet1/0/9
 storm-control unicast level bps 1m
 storm-control action shutdown

and send some traffic:

r2#ping 10.0.0.1 size 10000 timeout 0 repeat 100

Type escape sequence to abort.
Sending 100, 10000-byte ICMP Echos to 10.0.0.1, timeout is 0 seconds:
......................................................................
..............................
Success rate is 0 percent (0/100)
r2#

We can enable storm-control detection debugging to see the number of bytes passing through the interface:

MP-SW#debug storm-control detection

And we can notice:

*Mar  2 01:58:16.888: storm_detect_and_control:I/F: Fa1/0/9, elapsed time = 1006, bytes = 1038600, packets = 700,  normalized rate = 8259244
*Mar  2 01:58:16.888: %PM-4-ERR_DISABLE: storm-control error detected on Fa1/0/9, putting Fa1/0/9 in err-disable state
*Mar  2 01:58:16.913: %STORM_CONTROL-3-SHUTDOWN: A packet storm was detected on Fa1/0/9. The interface has been disabled.
*Mar  2 01:58:17.912: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/9, changed state to down

Useful commands:

MP-SW#sh storm-control broadcast 
Interface  Filter State   Upper        Lower        Current
---------  -------------  -----------  -----------  ----------
Fa1/0/11   Forwarding           6 pps        6 pps        0 pps

MP-SW#sh storm-control unicast 
Interface  Filter State   Upper        Lower        Current
---------  -------------  -----------  -----------  ----------
Fa1/0/9    Forwarding          1m bps       1m bps        0 bps
MP-SW#
 