Configuring Protocol Storm Protection - Cisco Catalyst 3560-X Software Configuration Manual

Chapter 1 Configuring Port-Based Traffic Control
This example shows how to configure port security on a PVLAN host and promiscuous ports
Switch(config)# interface gigabitethernet 0/8
Switch(config-if)# switchport private-vlan mapping 2061 2201-2206,3101
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport port-security maximum 288
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security violation restrict
Ports that have both port security and private VLANs configured can be labeled secure PVLAN ports.
Note
When a secure address is learned on a secure PVLAN port, the same secure address cannot be learned
on another secure PVLAN port belonging to the same primary VLAN. However, an address learned on
unsecure PVLAN port can be learned on a secure PVLAN port belonging to same primary VLAN.
Secure addresses that are learned on host port get automatically replicated on associated primary
VLANs, and similarly, secure addresses learned on promiscuous ports automatically get replicated on
all associated secondary VLANs. Static addresses (using mac-address-table static command) cannot be
user configured on a secure port.

Configuring Protocol Storm Protection

•
•
•
Understanding Protocol Storm Protection
When a switch is flooded with Address Resolution Protocol (ARP) or control packets, high CPU
utilization can cause the CPU to overload. These issues can occur:
•
•
•
Using protocol storm protection, you can control the rate at which control packets are sent to the switch
by specifying the upper threshold for the packet flow rate. The supported protocols are ARP, ARP
snooping, Dynamic Host Configuration Protocol (DHCP) v4, DHCP snooping, Internet Group
Management Protocol (IGMP), and IGMP snooping.
When the packet rate exceeds the defined threshold, the switch drops all traffic arriving on the specified
virtual port for 30 seconds. The packet rate is measured again, and protocol storm protection is again
applied if necessary.
For further protection, you can manually error disable the virtual port, blocking all incoming traffic on
the virtual port. You can manually enable the virtual port or set a time interval for automatic re-enabling
of the virtual port.
OL-25303-03
Understanding Protocol Storm Protection, page 1-19
Default Protocol Storm Protection Configuration, page 1-20
Enabling Protocol Storm Protection, page 1-20
Routing protocol can flap because the protocol control packets are not received, and neighboring
adjacencies are dropped.
Spanning Tree Protocol (STP) reconverges because the STP bridge protocol data unit (BPDU)
cannot be sent or received.
CLI is slow or unresponsive.
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
Configuring Protocol Storm Protection
1-19