Storm control is a critical feature for protecting your network from broadcast, multicast, and unknown unicast storms that can degrade performance or cause outages. On the CCNA 200-301 exam (objective 2.7, Network Access), you need to understand how to configure and verify storm control on Cisco switches to maintain network stability. In real-world engineering, this feature is your first line of defense against loops, misconfigurations, and denial-of-service attacks that generate excessive traffic.
Imagine a large office building with a fire suppression sprinkler system. The building has many rooms (switch ports), and each room has a sprinkler head that can detect excessive heat (traffic). Normally, people move around, computers run, and there's a baseline level of activity. But if a fire starts (a traffic storm), the temperature in a room rises rapidly. The sprinkler system has a pre-set threshold: when the temperature exceeds, say, 150°F (the rising threshold), the sprinkler activates and sprays water (drops traffic) to suppress the fire. This prevents the fire from spreading to other rooms (other ports) and overwhelming the entire building. Importantly, the sprinkler doesn't turn off immediately when the temperature drops below 150°F; it has a lower 'falling threshold' (e.g., 130°F) to ensure the fire is truly out before stopping. In storm control, you set a rising threshold (e.g., 50% of bandwidth) where action begins, and a falling threshold (e.g., 40%) where normal operation resumes. The sprinkler system can be configured to just sound an alarm (log a message) or actually spray water (drop traffic). Similarly, storm control can be set to 'shutdown' the port or 'trap' (send SNMP alerts) in addition to dropping. The analogy holds mechanistically: the system continuously monitors the 'temperature' (traffic level), compares it against thresholds, and takes action to prevent a localized problem from becoming a building-wide disaster. Just as you wouldn't want sprinklers going off for every minor spike, you tune thresholds to avoid false positives while still protecting against real storms.
What is Storm Control and Why Does It Exist?
Storm control is a Layer 2 feature on Cisco switches that prevents excessive broadcast, multicast, or unknown unicast traffic from degrading network performance. A 'storm' occurs when a high volume of these frame types floods the network, often due to Layer 2 loops, malfunctioning NICs, or malicious attacks. Without storm control, such traffic can consume all available bandwidth, causing legitimate traffic to be dropped and potentially leading to a complete network outage.
On the CCNA exam blueprint, objective 2.7 itself reads 'Configure and verify Layer 2 discovery protocols (Cisco Discovery Protocol and LLDP)', so storm control is not listed under its own heading. Instead it belongs to the broader topic of 'mitigating switching threats', which is often tested alongside Port Security, DHCP Snooping, and Dynamic ARP Inspection. For 200-301, you should know how to configure storm control to protect against broadcast storms.
How Storm Control Works: Step by Step
Storm control operates by monitoring the rate of incoming frames on an interface. It classifies frames into three types: broadcast, multicast, and unknown unicast. You can configure storm control for each type independently or together.
1. Traffic Monitoring: The switch ASIC counts the number of bytes or packets for each traffic type per second. It uses a sliding window (typically 1 second) to compute the average rate.
2. Threshold Comparison: The measured rate is compared against configured thresholds. Two thresholds exist:
   - Rising Threshold: When the traffic rate exceeds this value, storm control takes action (e.g., drops traffic).
   - Falling Threshold: When the rate drops below this value, storm control stops dropping traffic (if configured to resume).
3. Action: When the rising threshold is exceeded, the switch can:
   - Drop: Discard excess frames of that type.
   - Shutdown: Error-disable the port (must be re-enabled manually or via errdisable recovery).
   - Trap: Send an SNMP trap or syslog message.
4. Recovery: If a falling threshold is configured and the rate drops below it, the switch stops dropping. If the port was shut down, it remains down until manually or automatically recovered.
Key States, Timers, and Defaults
Threshold Unit: Can be configured as a percentage of total bandwidth (e.g., 50%) or as an absolute rate in packets per second (pps) or bits per second (bps). On most Catalyst switches, the default is percentage.
Default State: Storm control is disabled by default on all interfaces.
Rising Threshold Default: None; you must configure it.
Falling Threshold: If not configured, it defaults to the same value as the rising threshold. This means once the rate exceeds the threshold, it will keep dropping until the rate falls below that same value, which can cause flapping.
Action Default: If you configure thresholds without specifying an action, the default action is to filter (drop) traffic. No shutdown, no trap.
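The two-threshold behaviour described above, as a small simulation added here (it is not code from the original page or from Cisco): a constructed per-second rate series is run through the rising/falling state machine once with the default falling == rising and once with 50/40 hysteresis, so the flapping caused by the missing falling threshold becomes visible. The one-sample-per-second window and the strict "above rising" / "below falling" comparisons are simplifying assumptions of this model.

```python
# Added example: a simplified model of storm-control threshold logic.
# Assumptions (a model, not Cisco's implementation): one rate sample per
# 1-second window, "exceeds" means strictly above the rising threshold,
# "drops below" means strictly below the falling threshold.
from typing import List, Optional, Tuple

# Constructed sample: per-second broadcast rate (% of bandwidth) hovering
# around a 50% rising threshold, then subsiding.
RATES = [45, 52, 48, 53, 47, 55, 49, 51, 46, 35]


class StormControl:
    """Per-interface, per-traffic-type storm-control state machine."""

    def __init__(self, rising: float, falling: Optional[float] = None,
                 action: str = "filter") -> None:
        # IOS behaviour: an omitted falling threshold defaults to the rising value
        self.rising = rising
        self.falling = rising if falling is None else falling
        if self.falling > self.rising:
            raise ValueError("falling threshold must not exceed rising threshold")
        if action not in ("filter", "shutdown"):
            raise ValueError("action must be 'filter' or 'shutdown'")
        self.action = action
        self.state = "Forwarding"          # Forwarding | Blocking | err-disabled
        self.transitions: List[Tuple[int, str]] = []

    def observe(self, second: int, rate: float) -> str:
        """Feed one 1-second average rate and return the resulting state."""
        if self.state == "err-disabled":
            return self.state              # stays down until errdisable recovery
        if self.state == "Forwarding" and rate > self.rising:
            # Rising threshold crossed: drop (filter) or error-disable the port
            self.state = "err-disabled" if self.action == "shutdown" else "Blocking"
            self.transitions.append((second, self.state))
        elif self.state == "Blocking" and rate < self.falling:
            # Falling threshold crossed: resume forwarding
            self.state = "Forwarding"
            self.transitions.append((second, self.state))
        return self.state


def simulate(rising: float, falling: Optional[float], rates: List[float],
             action: str = "filter") -> Tuple[List[str], int]:
    """Run a rate series through the state machine; return (states, transition count)."""
    sc = StormControl(rising, falling, action)
    states = [sc.observe(i, r) for i, r in enumerate(rates)]
    return states, len(sc.transitions)


if __name__ == "__main__":
    for label, falling in (("falling defaults to rising", None), ("50/40 hysteresis", 40)):
        states, n = simulate(50, falling, RATES)
        print(f"{label}: {n} state changes, final state {states[-1]}")
```

With the same traffic, the default configuration changes state eight times while the 50/40 configuration changes state twice, which is the oscillation the 'Falling Threshold' default warns about.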
IOS CLI Verification Commands with Real Example Output
To configure storm control on an interface:
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# storm-control broadcast level 50 40
Switch(config-if)# storm-control multicast level 80 70
Switch(config-if)# storm-control action shutdown

The first command sets broadcast storm control: rising threshold 50%, falling threshold 40%. The second sets multicast: rising 80%, falling 70%. The third specifies that if any threshold is exceeded, the port will be error-disabled.
To verify:
Switch# show storm-control GigabitEthernet0/1 broadcast
Interface  Filter State  Upper  Lower  Current
---------  ------------  -----  -----  -------
Gi0/1      Forwarding    50%    40%    10%

This output shows the interface is currently forwarding (no storm), with rising 50%, falling 40%, and current traffic at 10% of bandwidth.
If a storm occurs, you might see:
Switch# show storm-control GigabitEthernet0/1 broadcast
Interface  Filter State  Upper  Lower  Current
---------  ------------  -----  -----  -------
Gi0/1      Blocking      50%    40%    75%

'Blocking' means the switch is dropping broadcast frames. The current rate is 75%, above the rising threshold.
To see statistics:
Switch# show storm-control GigabitEthernet0/1
Interface  Filter State  Upper    Lower    Current  Type
---------  ------------  -------  -------  -------  ---------
Gi0/1      Forwarding    50%      40%      10%      Broadcast
Gi0/1      Forwarding    80%      70%      5%       Multicast
Gi0/1      Forwarding    Not set  Not set  0%       Unicast

Interaction with Related Protocols
Spanning Tree Protocol (STP): STP prevents loops, but a loop can still cause a broadcast storm. Storm control provides a safety net if STP fails or is misconfigured.
Port Security: Storm control can be used alongside Port Security to limit unknown unicast floods caused by MAC flooding.
DHCP Snooping: DHCP Snooping does not prevent broadcast storms; storm control is complementary.
QoS: Storm control operates before QoS policing in the ingress pipeline. If storm control drops traffic, QoS never sees it.
Configuration Traps
Missing Falling Threshold: If you set only a rising threshold, the falling threshold defaults to the same value. This can cause oscillations if traffic hovers around the threshold.
Shutdown Action: If you use 'shutdown', the port will be error-disabled until manually recovered or auto-recovered via 'errdisable recovery cause storm-control'. Many candidates forget this.
Percentage vs. PPS: The exam may ask about the unit. Percentage is based on total bandwidth of the interface (e.g., 50% of 1 Gbps = 500 Mbps). PPS is absolute.
Storm Control for Unicast: Unknown unicast storm control is often overlooked. It's configured with 'storm-control unicast level ...' but note that unicast storms are less common.
Enter Global Configuration Mode
Begin by entering global configuration mode on the switch. Use the command 'configure terminal' or 'conf t'. This is the starting point for any interface configuration. Ensure you are in privileged EXEC mode first (enable). For the CCNA exam, you must know the exact sequence: enable, configure terminal.
Select the Interface
Select the specific interface you want to protect with storm control. Use 'interface GigabitEthernet0/1' or 'interface FastEthernet0/1'. You can also use interface ranges like 'interface range Gi0/1-24' to apply the same settings to multiple ports. The exam may ask you to configure a single port.
Configure Broadcast Storm Control Thresholds
Set the rising and falling thresholds for broadcast traffic. Command: 'storm-control broadcast level 50 40'. The first number (50) is the rising threshold in percentage of total bandwidth. The second (40) is the falling threshold. If you omit the falling threshold, it defaults to the rising value. On the exam, remember that the rising threshold must be higher than the falling.
Configure Multicast and Unicast (Optional)
Optionally, set thresholds for multicast and unknown unicast traffic. Use 'storm-control multicast level 80 70' and 'storm-control unicast level 30 20'. The syntax is identical to broadcast. Note that unknown unicast storm control is less common but can be tested. The exam may ask which types you can configure: broadcast, multicast, and unicast (unknown).
Specify the Action on Threshold Exceeded
Define what happens when the rising threshold is exceeded. Use 'storm-control action shutdown' to error-disable the port, or 'storm-control action trap' to send SNMP traps. If no action is configured, the default is to filter (drop) excess traffic. The 'shutdown' action is often tested because it has recovery implications.
Verify the Configuration
Use 'show storm-control [interface] [type]' to verify. For example, 'show storm-control GigabitEthernet0/1 broadcast' shows the current state and thresholds. Also use 'show running-config interface GigabitEthernet0/1' to confirm the commands are present. The exam expects you to interpret the output, especially the 'Filter State' (Forwarding vs. Blocking) and the current traffic level.
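To make the verification step concrete, here is an added example (not from this page or from Cisco): a small Python audit that parses 'show storm-control' output in the column layout shown earlier and flags the three conditions a defender checks for: a port currently Blocking (active storm), a traffic type with no level configured, and a rising threshold equal to the falling one (no hysteresis, flap risk). The sample output is constructed, and the column layout with a 'Type' column is assumed to match the page's output.

```python
# Added example: audit 'show storm-control' output (constructed sample below).
# Assumes the column layout shown on this page: Interface, Filter State,
# Upper, Lower, Current, Type; unconfigured types read "Not set".
import re
from typing import List, NamedTuple, Optional, Tuple

SAMPLE_OUTPUT = """\
Switch# show storm-control
Interface  Filter State   Upper     Lower     Current   Type
---------  -------------  --------  --------  --------  ---------
Gi0/1      Forwarding     50%       40%       10%       Broadcast
Gi0/1      Blocking       80%       70%       92%       Multicast
Gi0/2      Forwarding     50%       50%       3%        Broadcast
Gi0/2      Forwarding     Not set   Not set   0%        Unicast
"""


class Row(NamedTuple):
    iface: str
    state: str                # Filter State: Forwarding or Blocking
    upper: Optional[float]    # rising threshold in %, None when "Not set"
    lower: Optional[float]    # falling threshold in %, None when "Not set"
    current: float            # current rate in %
    ttype: str                # Broadcast, Multicast or Unicast


ROW_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<state>Forwarding|Blocking)\s+"
    r"(?P<upper>[\d.]+%|Not set)\s+(?P<lower>[\d.]+%|Not set)\s+"
    r"(?P<current>[\d.]+)%\s+(?P<ttype>\w+)\s*$"
)


def _pct(field: str) -> Optional[float]:
    return None if field == "Not set" else float(field.rstrip("%"))


def parse_rows(text: str) -> List[Row]:
    """Return one Row per data line; prompt, header and dashed lines do not match."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(Row(m["iface"], m["state"], _pct(m["upper"]),
                            _pct(m["lower"]), float(m["current"]), m["ttype"]))
    return rows


def audit(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (kind, interface, traffic type, detail) findings."""
    findings = []
    for r in parse_rows(text):
        if r.state == "Blocking":          # storm in progress, frames being dropped
            findings.append(("storm", r.iface, r.ttype,
                             f"current {r.current}% exceeds rising {r.upper}%"))
        if r.upper is None:                # this traffic type is unprotected
            findings.append(("unprotected", r.iface, r.ttype, "no level configured"))
        elif r.lower == r.upper:           # no hysteresis: oscillation risk
            findings.append(("flap-risk", r.iface, r.ttype,
                             f"rising == falling ({r.upper}%), no hysteresis"))
    return findings


if __name__ == "__main__":
    for kind, iface, ttype, detail in audit(SAMPLE_OUTPUT):
        print(f"{kind:12} {iface:6} {ttype:9} {detail}")
```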
Real-World Deployment Scenarios
Scenario 1: Campus Access Layer Protection
In a university network, thousands of student devices connect to access switches. A misconfigured laptop can generate a broadcast storm that disrupts an entire building. Network engineers enable storm control on all access ports with a rising threshold of 50% and falling of 40%, and set the action to 'shutdown' to isolate the offending device. This prevents a single faulty NIC from taking down the floor. The helpdesk then manually re-enables the port after resolving the issue. At scale, they use 'errdisable recovery cause storm-control' together with 'errdisable recovery interval 300' to automatically recover ports after 5 minutes, reducing manual intervention.
Scenario 2: Data Center Server Connections
In a data center, servers often generate high multicast traffic for clustering or storage. Engineers set storm control on server-facing ports with higher thresholds (e.g., 80% rising, 70% falling) to avoid false positives during normal multicast bursts. They also configure SNMP traps to alert the NOC when thresholds are crossed, allowing proactive investigation. The action is typically 'filter' (drop) rather than shutdown, because shutting down a server port could cause application downtime.
Scenario 3: Guest Wi-Fi Network
Guest networks are high-risk for malicious traffic. Storm control is configured on the switch ports connecting to wireless APs. Thresholds are set low (e.g., 20% rising, 10% falling) to quickly drop any broadcast storm from a compromised client. The action is 'shutdown' to completely isolate the AP until an administrator investigates. This is combined with Port Security and DHCP Snooping for layered defense.
Misconfiguration Consequences
If the falling threshold is set too close to the rising threshold (e.g., 50% and 49%), traffic hovering near the threshold can cause the port to oscillate between blocking and forwarding, leading to intermittent connectivity. If thresholds are set too high (e.g., 100%), storm control never activates, rendering it useless. If 'shutdown' action is used without recovery, ports stay down until manual intervention, which can be a problem in large networks without automation.
Exam Focus for CCNA 200-301
What the Exam Tests
Storm control is part of exam objective 2.7 (Network Access), but it often appears in the broader context of 'mitigating Layer 2 threats'. You must know:
The command syntax for configuring storm control (broadcast, multicast, unicast).
The difference between rising and falling thresholds.
The three possible actions: filter (default), shutdown, trap.
How to verify with 'show storm-control'.
The default state (disabled).
Common Wrong Answers and Why
Associating storm control with STP: Many candidates think storm control prevents loops. It does not; STP prevents loops. Storm control mitigates the effect of loops by dropping excess traffic. The exam may have a question like 'Which feature prevents broadcast storms?' The correct answer is STP (loop prevention), but storm control reduces impact.
Confusing threshold units: Candidates often forget that the default unit is percentage, not packets per second. If a question says 'storm-control broadcast level 500', it could be pps (if configured) or percentage (if not). Know the default.
Misunderstanding falling threshold: A common trap: if you set only a rising threshold of 50%, the falling threshold defaults to 50%. This means the port will stop dropping only when traffic falls below 50% again, which can cause flapping. The exam may present a scenario where traffic is at 55% and ask about the state.
Forgetting recovery from shutdown: If action is shutdown, the port goes to errdisable state. Candidates may think the port automatically recovers. It does not unless 'errdisable recovery cause storm-control' is configured.
Specific Values and Commands to Memorize
Default storm control: disabled.
Default action: filter (drop).
'storm-control broadcast level 50 40' – rising 50%, falling 40%.
'show storm-control' displays Filter State, Upper, Lower, Current.
'show running-config | include storm-control' to see config.
Decision Rule for Scenario Questions
If a question asks which action to take when a port is experiencing a broadcast storm, the answer is either 'configure storm control' or 'enable STP'. Read carefully: if the question mentions 'loop', STP is the answer. If it says 'excessive broadcast traffic' without loop, storm control is the answer.
Storm control is disabled by default on all interfaces.
You can configure storm control for broadcast, multicast, and unknown unicast traffic.
The rising threshold triggers action; the falling threshold stops action.
If no falling threshold is configured, it defaults to the rising threshold value.
Default action is to filter (drop) traffic; 'shutdown' and 'trap' are optional actions.
Use 'show storm-control interface [type]' to verify configuration and current state.
Storm control does not prevent loops; it mitigates the effects of broadcast storms.
These come up on the exam all the time. Here's how to tell them apart.

                 Storm Control                                    Port Security
Limits           Rate of broadcast/multicast/unknown unicast      Number of MAC addresses learned on a port
Mechanism        Rising/falling thresholds as percentage or pps   Maximum MAC count (sticky or dynamic)
Actions          filter, shutdown, trap                           protect, restrict, shutdown
Operates on      Layer 2 traffic rate, no MAC address learning    MAC address table
Default          disabled                                         disabled
Mistake
Storm control prevents Layer 2 loops.
Correct
Storm control does not prevent loops; it only limits the amount of broadcast/multicast/unicast traffic that passes through an interface. Spanning Tree Protocol (STP) prevents loops.
Because both features deal with broadcast storms, candidates conflate their purposes.
Mistake
If you set a rising threshold of 50%, the switch will stop dropping traffic as soon as the rate falls below 50%.
Correct
The falling threshold defaults to the same as the rising threshold if not configured. So traffic must fall below 50% to stop dropping. If you want hysteresis, configure a lower falling threshold (e.g., 40%).
Candidates assume the switch uses a single threshold with immediate recovery, but storm control uses two thresholds for stability.
Mistake
Storm control can be configured to limit all traffic, including unicast with known destinations.
Correct
Storm control only limits broadcast, multicast, and unknown unicast (flooded) traffic. Known unicast traffic is not affected.
The term 'storm' refers to flooded traffic; known unicast is delivered directly and not a storm source.
Mistake
The 'shutdown' action causes the port to be administratively down.
Correct
The 'shutdown' action puts the port into error-disabled state, not administratively down. It must be recovered via 'errdisable recovery cause storm-control' or manual 'shutdown/no shutdown'.
Candidates confuse 'shutdown' command with the storm control action; the action triggers errdisable, not admin down.
Yes, storm control can be applied to trunk ports. It monitors the aggregate traffic on the trunk, including all VLANs. However, be cautious with thresholds because trunk ports carry more traffic. The feature works the same way as on access ports.
No, storm control does not drop STP BPDUs or other Layer 2 control frames. It only drops data-plane broadcast, multicast, and unknown unicast frames. Control traffic is always forwarded to the CPU.
Use the 'show storm-control [interface] [type]' command. The 'Current' column shows the current traffic level as a percentage of bandwidth (or pps). For example, 'Current: 25%' means 25% of the interface bandwidth is being used by that traffic type.
They are essentially the same feature. Cisco uses 'storm control' in IOS, while older documentation may refer to 'broadcast suppression'. The configuration commands are the same. Storm control is the modern term.
No, storm control is configured per interface, not per VLAN. It monitors the aggregate traffic on the interface regardless of VLAN. For per-VLAN control, you would need a different feature like VLAN-based QoS policing.
Both actions can be configured simultaneously. The switch will first drop traffic (if thresholds exceeded) and then take the shutdown action. The trap is sent as well. The order of configuration does not matter.
Use the 'no storm-control broadcast level', 'no storm-control multicast level', and 'no storm-control unicast level' commands. Alternatively, use 'default interface' to reset the interface to factory defaults.