Traffic Suppression and Storm Control Configuration: About This Chapter
Definition
Traffic suppression and storm control limit broadcast packets, unknown
multicast packets, and unknown unicast packets to prevent broadcast storms
caused by these packets. Unknown unicast packets refer to unicast packets whose
destination MAC addresses have not been learned by the device.
Traffic suppression limits the traffic by setting a threshold, and storm control
blocks the traffic by shutting down an interface.
Purpose
When receiving broadcast packets, unknown multicast packets, and unknown
unicast packets, a switch forwards the packets to other Layer 2 Ethernet interfaces
in the same VLAN if the switch cannot determine the outbound interface based on
the destination MAC addresses of packets. When this happens, broadcast storms
may occur on the network and forwarding performance of the device will
deteriorate.
Traffic suppression and storm control can control these packets and prevent
broadcast storms.
● Interface view
Controls the bandwidth percentage, packets per second, and bits per second
of incoming packets.
A switch monitors rates of these packets on the interface and compares the
rates with the thresholds. When the rate of incoming traffic reaches the
threshold, the switch discards excess traffic.
● Outbound interface view
Blocks outgoing broadcast packets, unknown multicast packets, and unknown
unicast packets.
● VLAN view
Limits the bits per second for broadcast packets.
A switch monitors broadcast packet rates in the same VLAN and compares
the rates with the thresholds. When the traffic rate in the VLAN reaches the
threshold, the switch discards excess traffic.
Storm control actions include block and shutdown. An interface that is blocked or
shut down can be recovered in the following ways:
● When the average rates of incoming packets on a blocked interface fall below
the lower thresholds, the interface is unblocked to forward packets.
● If the action is shutdown, manually unblock the interface or enable the
interface to automatically recover to the Up state.
NOTE
When detecting unicast packets, a switch does not distinguish unknown unicast packets
from known unicast packets. The packet rate detected is the sum of the rates of unknown
and known unicast packets. When the storm control action is block, the switch blocks only
the unknown unicast packets. This rule also applies to multicast packets.
Licensing Requirements
Configuration commands of traffic suppression and storm control are available
only after the S1720GW, S1720GWR, and S1720X have the license (WEB
management to full management Electronic RTU License) loaded and activated
and the switches are restarted. Configuration commands of traffic suppression and
storm control on other models are not under license control.
For details about how to apply for a license, see S Series Switch License Use
Guide.
Version Requirements
Table 6-1 Products and versions supporting traffic suppression and storm control
S2710SI V100R006(C03&C05)
S5710-C-LI V200R001C00
S5730SI V200R011C10
S5730S-EI V200R011C10
NOTE
For details about software mappings, see Hardware Query Tool.
Feature Limitations
Features supported in different views
Table 6-2 lists the traffic suppression and storm control features supported in the
interface and VLAN views.
Traffic suppression threshold for ICMP packets: By default, the rate limits of
ICMP packets in the system and on an interface depend on the product model. The
value is 128 on the S6720EI, S6720S-EI, S5720HI, and S5720EI, and 190 on the
other models, in pps.
Context
Excess broadcast, unknown multicast, or unknown unicast packets will cause
broadcast storms. You can configure traffic suppression for a specified type of
packet on an interface to limit the rate of these packets.
The S1720GFR, S1720GW, S1720GWR, S1720X, S1720GW-E, S1720GWR-E,
S1720X-E, S2720EI, S2750EI, S5720SI, S5720S-SI, S5710-X-LI, S5720LI, S5720S-LI,
S5700LI, S5700S-LI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, and S6720S-
NOTE
You can configure suppression on broadcast, unknown multicast, and unknown unicast traffic
on the same interface.
Pre-configuration Tasks
Before configuring traffic suppression on an interface, configure link layer protocol
parameters for interfaces to ensure that the link layer protocol status on the
interfaces is Up.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 (Optional) Run suppression mode { by-packets | by-bits }
The traffic suppression mode is set.
NOTE
----End
Context
Excess broadcast packets will cause broadcast storms. You can configure traffic
suppression for a specified type of packet in a VLAN to limit the rate of these
packets.
NOTE
After traffic suppression is configured in a VLAN, the number of packets that can be transmitted
per second in the VLAN depends on the method used to calculate the packet length. By default, the
device includes the 20-byte inter-frame gap and preamble in the calculation. That is, the device
counts the actual packet length plus the 20-byte inter-frame gap and preamble.
On the S1720GFR, S1720GW, S1720GWR, S1720X, S1720GW-E, S1720GWR-E, S1720X-E,
S2720EI, S2750EI, S5720SI, S5720S-SI, S5730SI, S5730S-EI, S5710-X-LI, S5720LI, S5720S-LI,
S5700LI, S5700S-LI, S6720LI, S6720S-LI, S6720SI, and S6720S-SI, if inbound traffic policing on an
interface, broadcast traffic suppression in a VLAN, and inbound flow-based traffic policing are
configured simultaneously and packets match two or three of the rate limiting rules, the system
applies the rules in the following order: inbound traffic policing on interface, broadcast traffic
suppression in the VLAN, and inbound flow-based traffic policing (descending order of priority).
For example, if packets match both the inbound traffic policing rule on an interface and
broadcast traffic suppression rule in a VLAN, the inbound traffic policing rule on the interface
takes effect. For details on how to configure the inbound traffic policing on an interface and
inbound flow-based traffic policing, see Configuring Inbound Interface-based Rate Limiting and
Configuring MQC to Implement Traffic Policing in "Traffic Policing, Traffic Shaping, and
Interface-based Rate Limiting" in the S1720, S2700, S5700, and S6720 V200R011C10
Configuration Guide - QoS.
Pre-configuration Tasks
Before configuring traffic suppression in a VLAN, configure link layer protocol
parameters for interfaces in the VLAN to ensure that the link layer protocol status
on the interfaces is Up.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run vlan vlan-id
The VLAN view is displayed.
Step 3 Run broadcast-suppression threshold-value
The broadcast suppression rate is configured in the VLAN.
----End
Context
Malicious users may flood a network with ICMP packets to initiate an attack.
Processing large numbers of ICMP packets will consume many CPU resources and
Before configuring ICMP packet suppression on an interface, run the undo icmp-reply fast
command to disable the ICMP reply fast function.
Pre-configuration Tasks
Before configuring traffic suppression for ICMP packets, configure link layer
protocol parameters for interfaces to ensure that the link layer protocol status on
the interfaces is Up.
Procedure
Step 1 Run system-view
The rate threshold for ICMP packets in the interface and system views is
configured.
By default, the rate limits of ICMP packets in the system and on an interface
depend on the product model. The value is 128 on the S6720EI, S6720S-EI,
S5720HI, and S5720EI, and 190 on the other models, in pps.
----End
Procedure
● Run the display flow-suppression interface interface-type interface-number
command to check the traffic suppression configuration.
----End
Context
Excess broadcast, unknown multicast, or unknown unicast packets have a
significant impact on network devices. To limit the rate of these packets, configure
storm control on the interface that receives these packets.
NOTE
When Jumbo frames are received by an interface, the bytes mode is recommended.
When detecting unicast packets, a switch does not distinguish unknown unicast packets
from known unicast packets. The packet rate detected is the sum of the rates of unknown
and known unicast packets. When the storm control action is block, the switch blocks only
the unknown unicast packets. This rule also applies to multicast packets.
Pre-configuration Tasks
Before configuring the storm control function, configure link layer protocol
parameters for interfaces to ensure that the link layer protocol status on the
interfaces is Up.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The interface view is displayed.
Step 3 Run one of the following commands:
storm-control { broadcast | multicast | unicast } min-rate min-rate-value max-rate max-rate-value
storm-control { broadcast | multicast | unicast } min-rate cir min-rate-value-cir max-rate cir max-rate-value-cir
storm-control { broadcast | multicast | unicast } min-rate percent min-rate-value-percent max-rate percent max-rate-value-percent
Storm control is performed on broadcast packets, unknown multicast packets, or
unknown unicast packets on the interface.
Step 4 Run storm-control action { block | error-down }
The storm control action is set.
Step 5 (Optional) Run storm-control enable { log | trap }
The system is configured to record logs or report traps during storm control.
Step 6 (Optional) Run storm-control interval interval-value
The storm detection interval is set.
----End
Follow-up Procedure
If an interface is in Error-Down state, you are advised to determine the cause first.
An interface in Error-Down state can be recovered using either of the following
methods:
● Manual recovery (after an Error-Down event occurs):
If a few interfaces need to be recovered, run the shutdown and undo
shutdown commands in the interface view. Alternatively, run the restart
command in the interface view to restart the interfaces.
● Automatic recovery (before an Error-Down event occurs):
If a large number of interfaces need to be recovered, manual recovery is time
consuming and some interfaces may be omitted. To avoid this problem, run
the error-down auto-recovery cause storm-control interval interval-value
command in the system view to enable automatic interface recovery and set
the recovery delay time. Run the display error-down recovery command to
view information about automatic interface recovery.
NOTE
This method does not take effect on interfaces that are already in Error-Down state. It
is effective only on interfaces that enter the Error-Down state after this configuration
is complete.
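The block, unblock and Error-Down behaviour described above, as an added Python model (not Huawei code). It assumes a storm is declared when the average rate over one detection interval exceeds max-rate; the class and function names are hypothetical and the packet counts are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class StormControl:
    min_rate: int            # lower threshold in pps ("min-rate")
    max_rate: int            # upper threshold in pps ("max-rate")
    action: str = "block"    # "block" or "error-down"
    state: str = "normal"    # normal | blocked | error-down
    log: list = field(default_factory=list)

    def on_interval(self, packets, interval_s):
        """Feed the packet count of one detection interval; return the new state."""
        avg = packets / interval_s
        if self.state == "error-down":
            # Stays down until manual recovery or configured auto-recovery.
            return self.state
        if self.state == "normal" and avg > self.max_rate:   # assumed comparison
            self.state = "blocked" if self.action == "block" else "error-down"
            self.log.append(f"storm detected avg={avg:.0f}pps -> {self.state}")
        elif self.state == "blocked" and avg < self.min_rate:
            # Unblock only below the LOWER threshold: rates between the two
            # thresholds keep a blocked interface blocked.
            self.state = "normal"
            self.log.append(f"storm cleared avg={avg:.0f}pps -> normal")
        return self.state

def run(ctrl, counts, interval_s):
    """Replay per-interval packet counts through the model."""
    return [ctrl.on_interval(c, interval_s) for c in counts]

# Constructed packet counts per 90-second interval (500, 3000, 1500, 900, 500 pps).
SAMPLE_COUNTS = [45_000, 270_000, 135_000, 81_000, 45_000]

if __name__ == "__main__":
    ctrl = StormControl(min_rate=1000, max_rate=2000)
    print(run(ctrl, SAMPLE_COUNTS, 90))
    print("\n".join(ctrl.log))
```

The third interval (1500 pps) is below max-rate yet the interface stays blocked, which is the case to keep in mind when choosing the gap between min-rate and max-rate.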
Networking Requirements
In Figure 6-3, Switch A is connected to a Layer 2 network and a Layer 3 router.
Switch A needs to be configured to prevent broadcast storms caused by a large
number of broadcast packets, unknown multicast packets, or unknown unicast
packets forwarded at Layer 2.
[Figure 6-3: Switch A, with interfaces GE0/0/1 and GE0/0/2, between the L2 network and the Router (L3 network)]
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Enter the interface view.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] interface gigabitethernet 0/0/1
Step 2 Configure traffic suppression for broadcast packets. Set bandwidth percentage for
broadcast packets to 80%.
[SwitchA-GigabitEthernet0/0/1] broadcast-suppression 80
Step 4 Configure traffic suppression for unknown unicast packets. Set bandwidth
percentage for unknown unicast packets to 80%.
[SwitchA-GigabitEthernet0/0/1] unicast-suppression 80
[SwitchA-GigabitEthernet0/0/1] quit
----End
Configuration Files
Switch A configuration file
#
sysname SwitchA
#
interface GigabitEthernet0/0/1
unicast-suppression 80
multicast-suppression 80
broadcast-suppression 80
#
return
Networking Requirements
In Figure 6-4, Switch A is connected to a Layer 2 network and a Layer 3 router.
Switch A needs to be configured to prevent broadcast storms caused by a large
number of broadcast packets, unknown multicast packets, or unknown unicast
packets forwarded at Layer 2.
[Figure 6-4: Switch A, with interfaces GE0/0/1 and GE0/0/2, between the L2 network and the Router (L3 network)]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure storm control in the interface view of GE0/0/1 to prevent broadcast
storms caused by a large number of broadcast packets, unknown multicast
packets, or unknown unicast packets forwarded at Layer 2.
Procedure
Step 1 Enter the interface view.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] interface gigabitethernet0/0/1
----End
Configuration Files
Switch A configuration file
#
sysname SwitchA
#
interface GigabitEthernet0/0/1
storm-control broadcast min-rate 1000 max-rate 2000
storm-control multicast min-rate 1000 max-rate 2000
storm-control unicast min-rate 1000 max-rate 2000
storm-control interval 90
storm-control action block
storm-control enable log
#
return
Fault Description
After broadcast traffic suppression is configured on an interface, a broadcast
storm caused by broadcast packets still occurs and service traffic is interrupted.
Common Causes
This fault is commonly caused by one of the following:
● Broadcast suppression is not configured on interfaces, or the broadcast
suppression threshold is set too high.
● Broadcast packets are not discarded on the inbound interface.
NOTE
Procedure
Step 1 Check that traffic suppression is correctly configured on the related interface.
Run the display flow-suppression interface interface-type interface-number
command in the user view to check whether the values of rate mode and set rate
value in the broadcast field are appropriate.
----End
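One way to check saved configuration files for the first common cause listed above (suppression not configured, or threshold set too high), as an added Python example that is not part of the original guide. The function names and the 50% default limit are hypothetical; treating thresholds without a storm-control action as a finding is an assumption based on Step 4 of the storm control procedure not being marked optional.

```python
import re
KINDS = ("broadcast", "multicast", "unicast")

def parse_interfaces(config):
    """Map interface name -> its config lines; '#' or 'return' ends a section."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("#", "return"):
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current and line:
            interfaces[current].append(line)
    return interfaces

def audit(config, max_percent=50):
    """Return (interface, packet type, finding); max_percent is a hypothetical site policy."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        for kind in KINDS:
            supp = [l for l in lines if l.startswith(f"{kind}-suppression ")]
            storm = [l for l in lines if l.startswith(f"storm-control {kind} ")]
            if not supp and not storm:
                findings.append((name, kind, "no suppression or storm control"))
            for l in supp:
                # A bare integer is read as a bandwidth percentage, as in the page's example.
                m = re.fullmatch(rf"{kind}-suppression (\d+)", l)
                if m and int(m.group(1)) > max_percent:
                    findings.append((name, kind, f"threshold {m.group(1)}% exceeds {max_percent}%"))
        has_storm = any(l.startswith("storm-control ") for l in lines)
        if has_storm and not any(l.startswith("storm-control action ") for l in lines):
            findings.append((name, "all", "storm-control thresholds without an action"))
    return findings

# Constructed sample in the layout of the configuration files above.
SAMPLE_CONFIG = """#
interface GigabitEthernet0/0/1
 unicast-suppression 80
 multicast-suppression 80
 broadcast-suppression 80
#
interface GigabitEthernet0/0/2
 storm-control broadcast min-rate 1000 max-rate 2000
#
return
"""
```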