L2 security – storm control.

Storm control is a security feature that protects network against packet flood. You can monitor unicast, broadcast and multicast packets. There are three measure methods: traffic rate: pps – packet per second, bps – bit per second, and percentage of interface bandwidth. You can define two actions which will be triggered once the storm occurs: shutdown or trap.
Let’s do some tests on the following scenario: 

            both switch port access vlan1 

                   Fa1/0/9   Fa1/0/11           
          /----\      \  ----- /       /----\ 
         |  R1  |-------| sw1 |-------|  R2  |
          \----/\        -----        /\----/ 
               Gig0/0             Gig0/0
              10.0.0.1           10.0.0.2

a) Storm control for unicast:

On both ports of sw1 we enable storm control with limit of 5 packets per second:

MP-SW(config-if-range)#storm-control unicast level pps 5

and action:

MP-SW(config-if-range)#storm-control action shutdown

for action ‘shutdown’ we have to configure ‘errdisable recovery’:

MP-SW(config)#errdisable recovery cause storm-control
MP-SW(config)#errdisable recovery interval 30

Now on both interfaces we have following settings:

!
interface FastEthernet1/0/9
 description to R1-2911 gi0/0
 switchport mode access
 storm-control unicast level pps 5
 storm-control action shutdown
end
!
interface FastEthernet1/0/11
 description to R2-2911 gi0/0
 switchport mode access
 storm-control unicast level pps 5
 storm-control action shutdown
end
!
errdisable recovery cause storm-control
errdisable recovery interval 30
!

Let’s try how the storm control works:

r2#ping 10.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
r2#

for normal traffic we can’t see any disruption. Let’s increase the number of packet to 6 (the limit is 5): 

r2#ping 10.0.0.1 repeat 6

Type escape sequence to abort.
Sending 6, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!!
Success rate is 100 percent (6/6), round-trip min/avg/max = 1/1/4 ms
r2#

Now on sw1 we can see the storm control in action:

MP-SW#
*Mar  2 01:16:19.845: %PM-4-ERR_DISABLE: storm-control error detected on Fa1/0/9, putting Fa1/0/9 in err-disable state
*Mar  2 01:16:19.870: %STORM_CONTROL-3-SHUTDOWN: A packet storm was detected on Fa1/0/9. The interface has been disabled.
*Mar  2 01:16:19.870: %PM-4-ERR_DISABLE: storm-control error detected on Fa1/0/11, putting Fa1/0/11 in err-disable state
*Mar  2 01:16:20.868: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/9, changed state to down
*Mar  2 01:16:20.893: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/11, changed state to down
*Mar  2 01:16:21.875: %LINK-3-UPDOWN: Interface FastEthernet1/0/9, changed state to down
*Mar  2 01:16:21.900: %LINK-3-UPDOWN: Interface FastEthernet1/0/11, changed state to down

As we can see above, both interfaces detected storm and shut down their ports. After 30 sec we can see err-disable recovery attempts:

*Mar  2 01:16:49.867: %PM-4-ERR_RECOVER: Attempting to recover from storm-control err-disable state on Fa1/0/9
*Mar  2 01:16:49.893: %PM-4-ERR_RECOVER: Attempting to recover from storm-control err-disable state on Fa1/0/11
*Mar  2 01:16:53.634: %LINK-3-UPDOWN: Interface FastEthernet1/0/9, changed state to up
*Mar  2 01:16:53.667: %LINK-3-UPDOWN: Interface FastEthernet1/0/11, changed state to up
*Mar  2 01:16:54.641: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/9, changed state to up
*Mar  2 01:16:54.674: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/11, changed state to up

And now both interfaces are up.

b) Storm control for broadcast

Let’s remove the unicast storm control on Fa1/0/11 and set up for broadcast with limit of 6 packets per second:

MP-SW(config-if)#storm-control broadcast level pps 6

We ping now R1 sending 5 packets (within both limits):

r2#ping 255.255.255.255

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 255.255.255.255, timeout is 2 seconds:
.
Reply to request 1 from 10.0.0.1, 1 ms
Reply to request 2 from 10.0.0.1, 1 ms
Reply to request 3 from 10.0.0.1, 1 ms
Reply to request 4 from 10.0.0.1, 1 ms
r2#

now we increase the number of packets to 6 and ensure we send all packet in 1 sec:

r2#ping 255.255.255.255 repeat 6 timeout 0

Type escape sequence to abort.
Sending 6, 100-byte ICMP Echos to 255.255.255.255, timeout is 0 seconds:
......
r2#

on the switch we can see the port Fa1/0/9 is shut down:

MP-SW#
*Mar  2 01:33:16.821: %PM-4-ERR_DISABLE: storm-control error detected on Fa1/0/9, putting Fa1/0/9 in err-disable state
*Mar  2 01:33:16.846: %STORM_CONTROL-3-SHUTDOWN: A packet storm was detected on Fa1/0/9. The interface has been disabled.
*Mar  2 01:33:17.852: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/9, changed state to down
*Mar  2 01:33:18.851: %LINK-3-UPDOWN: Interface FastEthernet1/0/9, changed state to down

It means the unicast storm control detected storm control error. It was caused by icmp echo-reply from R1 to R2. The broadcast limit wasn’t exceeded and the port is working fine. Let’s increase the number to 7:

r2#ping 255.255.255.255 repeat 7 timeout 0

Type escape sequence to abort.
Sending 7, 100-byte ICMP Echos to 255.255.255.255, timeout is 0 seconds:
.......
r2#

on the switch we see that ports gig1/0/9 and gig1/0/11 detected storm:

MP-SW#
*Mar  2 01:38:42.903: %PM-4-ERR_DISABLE: storm-control error detected on Fa1/0/9, putting Fa1/0/9 in err-disable state
*Mar  2 01:38:42.928: %STORM_CONTROL-3-SHUTDOWN: A packet storm was detected on Fa1/0/9. The interface has been disabled.
*Mar  2 01:38:43.129: %PM-4-ERR_DISABLE: storm-control error detected on Fa1/0/11, putting Fa1/0/11 in err-disable state
*Mar  2 01:38:43.926: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/9, changed state to down
*Mar  2 01:38:44.153: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/11, changed state to down
*Mar  2 01:38:44.933: %LINK-3-UPDOWN: Interface FastEthernet1/0/9, changed state to down
*Mar  2 01:38:45.151: %LINK-3-UPDOWN: Interface FastEthernet1/0/11, changed state to down

On the port gig1/0/11 storm control detected broadcast storm and on the port gig1/0/9 echo-reply triggered unicast storm control. After 30 seconds both ports were recovered:

*Mar  2 01:39:12.925: %PM-4-ERR_RECOVER: Attempting to recover from storm-control err-disable state on Fa1/0/9
*Mar  2 01:39:13.152: %PM-4-ERR_RECOVER: Attempting to recover from storm-control err-disable state on Fa1/0/11
*Mar  2 01:39:16.625: %LINK-3-UPDOWN: Interface FastEthernet1/0/9, changed state to up
*Mar  2 01:39:16.868: %LINK-3-UPDOWN: Interface FastEthernet1/0/11, changed state to up
*Mar  2 01:39:17.631: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/9, changed state to up
*Mar  2 01:39:17.875: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/11, changed state to up

c) Storm control for unicast/broadcast and bps:

Let’s set up a new limit for 1000000 bps (bit per second):

!
interface FastEthernet1/0/9
 storm-control unicast level bps 1m
 storm-control action shutdown

and send some traffic:

r2#ping 10.0.0.1 size 10000 timeout 0 repeat 100

Type escape sequence to abort.
Sending 100, 10000-byte ICMP Echos to 10.0.0.1, timeout is 0 seconds:
......................................................................
..............................
Success rate is 0 percent (0/100)
r2#

we can enable debug storm detection to see number of bytes passing through the interface:

MP-SW#debug storm-control detection

And we can notice:

*Mar  2 01:58:16.888: storm_detect_and_control:I/F: Fa1/0/9, elapsed time = 1006, bytes = 1038600, packets = 700,  normalized rate = 8259244
*Mar  2 01:58:16.888: %PM-4-ERR_DISABLE: storm-control error detected on Fa1/0/9, putting Fa1/0/9 in err-disable state
*Mar  2 01:58:16.913: %STORM_CONTROL-3-SHUTDOWN: A packet storm was detected on Fa1/0/9. The interface has been disabled.
*Mar  2 01:58:17.912: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/9, changed state to down

Useful commands:

MP-SW#sh storm-control broadcast 
Interface  Filter State   Upper        Lower        Current
---------  -------------  -----------  -----------  ----------
Fa1/0/11   Forwarding           6 pps        6 pps        0 pps

MP-SW#sh storm-control unicast 
Interface  Filter State   Upper        Lower        Current
---------  -------------  -----------  -----------  ----------
Fa1/0/9    Forwarding          1m bps       1m bps        0 bps
MP-SW#
 
11
Kudos
 
11
Kudos

Now read this

ACS, radius and management access to ASA

There are couple of ways how to configure management access to ASA. One of them is configuring users in ACS database. Depending on radius attributes the user can have access to specific management ways. ciscoasa# sh run aaa aaa... Continue →