Storm-control and unicast-flooding

When a broadcast storm occurs, even with STP enabled, there is another option to protect your network from broadcast flooding. This method is called storm-control. The technique is simple:

Storm control is configured on a per-port basis and can be enabled for broadcasts, unicasts and/or multicasts. When configuring storm control, you have to specify a rising and a falling value: the rising value is the level at which an action should occur (rate-limit the traffic to this value, err-disable the port or send an SNMP trap). The falling value is the level at which the action will be undone.

These values can be specified in one of the following formats:

  • Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast, multicast, or unicast traffic
  • Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received.
  • Traffic rate in bits per second at which broadcast, multicast, or unicast packets are received.
  • Traffic rate in packets per second and for small frames. This feature is enabled globally. The threshold for small frames is configured for each interface.

To configure storm-control on a switch interface (only physical interfaces supported), use the following commands:

configure terminal
interface <id>

storm-control {broadcast|multicast|unicast} level {level [level-low] | bps bps [bps-low] | pps pps [pps-low]} 

for example:

block at 80% utilization, unblock at 50%
storm-control broadcast level 80 50

or 

block at 100 pps, unblock at 70 pps
storm-control broadcast level pps 100 70

storm-control action {shutdown | trap}
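As an added illustration (this is not code from the original page), the following small Python model shows how the rising/falling pair from the `level 80 50` example above behaves on one port over successive measurement intervals. The sample rates are constructed; the one-second interval, the comparison rules (reaching the rising level fires the action, dropping below the falling level clears it), the default falling value equal to the rising value, and the treatment of the trap action as "filter plus SNMP trap" are assumptions that approximate the IOS behaviour described in the text.

```python
# Added example, not from the original page: a model of storm-control threshold
# hysteresis on a single port. Sample rates, the measurement interval and the
# exact comparison rules are assumptions, not IOS code.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class StormControlPolicy:
    rising: float                     # level at which the action fires (e.g. 80 = 80% of port bandwidth)
    falling: Optional[float] = None   # level below which suppression clears; defaults to rising
    action: str = "filter"            # "filter" (drop excess), "trap" (filter + SNMP trap), "shutdown" (err-disable)

    def __post_init__(self) -> None:
        if self.falling is None:
            # no level-low configured: traffic is blocked until it drops below the rising level
            self.falling = self.rising
        if self.falling > self.rising:
            raise ValueError("falling threshold must not exceed rising threshold")
        if self.action not in ("filter", "trap", "shutdown"):
            raise ValueError("unknown storm-control action")


def simulate(policy: StormControlPolicy, samples: List[float]) -> Dict[str, list]:
    """Walk per-interval traffic samples (percent of port bandwidth).

    Returns {'states': one of 'forward' / 'suppress' / 'err-disabled' per interval,
             'traps': interval indexes at which an SNMP trap would be sent}.
    """
    states: List[str] = []
    traps: List[int] = []
    suppressing = False
    disabled = False
    for i, rate in enumerate(samples):
        if disabled:
            # an err-disabled port stays down until an operator recovers it
            states.append("err-disabled")
            continue
        if not suppressing and rate >= policy.rising:
            # rising threshold reached: take the configured action
            if policy.action == "shutdown":
                disabled = True
                states.append("err-disabled")
                continue
            if policy.action == "trap":
                traps.append(i)
            suppressing = True
        elif suppressing and rate < policy.falling:
            # hysteresis: suppression only clears once traffic falls below the falling level
            suppressing = False
        states.append("suppress" if suppressing else "forward")
    return {"states": states, "traps": traps}


if __name__ == "__main__":
    # constructed broadcast utilisation samples, one per interval
    observed = [10, 85, 70, 60, 45, 20]
    result = simulate(StormControlPolicy(rising=80, falling=50), observed)
    for rate, state in zip(observed, result["states"]):
        print(f"{rate:>3}% -> {state}")
```

Note the third and fourth intervals: traffic at 70% and 60% is still suppressed even though it is below the rising level, because the port only resumes forwarding once traffic drops below the falling level of 50%. Without a falling value the two thresholds coincide and the port flaps between forwarding and suppressing as soon as traffic hovers around the rising level.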
Unicast Flooding

By default, the switch floods packets with unknown destination MAC addresses out of all ports. If unknown unicast and multicast traffic is forwarded to a protected port, there could be security issues. To prevent unknown unicast or multicast traffic from being forwarded from one port to another, you can block a port (protected or nonprotected) from flooding unknown unicast or multicast packets to other ports.

Configuration:

Switch# configure terminal
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# switchport block multicast
Switch(config-if)# switchport block unicast
Switch(config-if)# end
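As an added check, not part of the original page, the following Python script audits a running-config for the two protections covered on this page: it parses interface stanzas, skips logical interfaces and trunks, and reports access ports that lack a `storm-control broadcast level` line, `switchport block unicast` or `switchport block multicast`. The SAMPLE_CONFIG text is constructed for this example; the line patterns follow the command forms shown above, and the interface-name prefixes used to recognise logical interfaces are assumptions.

```python
# Added example, not from the original page: audit a Cisco-style running-config
# for access ports without storm-control or unknown-unicast/multicast blocking.
import re
from typing import Dict, List

# Constructed sample configuration (not from a real device).
SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 storm-control broadcast level 80 50
 storm-control action trap
 switchport block unicast
 switchport block multicast
!
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/3
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
interface Vlan10
 ip address 192.0.2.1 255.255.255.0
!
"""

# (label, pattern) pairs: every access port is expected to carry each of these.
REQUIRED = [
    ("storm-control broadcast level", re.compile(r"^storm-control broadcast level \S+")),
    ("switchport block unicast", re.compile(r"^switchport block unicast$")),
    ("switchport block multicast", re.compile(r"^switchport block multicast$")),
]

# Assumed prefixes of logical interfaces; storm-control applies to physical ports only.
LOGICAL_PREFIXES = ("vlan", "loopback", "port-channel", "tunnel")


def parse_interfaces(config_text: str) -> Dict[str, List[str]]:
    """Return {interface name: [indented config lines]} for every interface stanza."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return interfaces


def is_physical_access_port(name: str, lines: List[str]) -> bool:
    """True for physical ports configured as access ports."""
    if name.lower().startswith(LOGICAL_PREFIXES):
        return False
    return "switchport mode access" in lines


def audit(config_text: str) -> Dict[str, List[str]]:
    """Return {interface: [missing protections]} for access ports that are not fully protected."""
    findings: Dict[str, List[str]] = {}
    for name, lines in parse_interfaces(config_text).items():
        if not is_physical_access_port(name, lines):
            continue
        missing = [label for label, pattern in REQUIRED
                   if not any(pattern.match(line) for line in lines)]
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for interface, missing in audit(SAMPLE_CONFIG).items():
        print(f"{interface}: missing {', '.join(missing)}")
```

Trunk ports and SVIs are deliberately left out of the report: storm control is only supported on physical interfaces, and blocking unknown unicast on a trunk would break normal forwarding to hosts whose MAC addresses have not been learned yet. Run the audit against the output of `show running-config` to find access ports that still flood unknown traffic.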