Cisco Catalyst Switch Question

I have two locations where we have a number of individual offices on a flat network connected with Cisco 2924 switches. Obviously if one person gets a worm or a virus, the network floods with traffic, and everyone suffers.

In Cisco switches, there is a function for storm control. I can set rising trigger and falling release thresholds for Broadcast Flood, Unicast Flood, and Multicast Flood pps traffic.

Cisco 2924 default PPS settings are Rising/Falling
- Broadcast Storm: 500/250
- Unicast Storm: 5000/2500
- Multicast Storm: 2500/1250

I am assuming that the default values are set for a 100M network which in our case won’t work because the Wireless Link is 3M to the building. By the time the thresholds are reached the network is flooded with more than 3M of traffic.

I think want the port to act at 1.5M. A little investigative Googling indicated that 1000pps @ 551 byte packets is equal to about 4Mbps. We want to limit a customer to about 2Mbps or about 500pps max. So using the values above, it seems that will translate to:

- Broadcast Storm: 50/25 (10% of Unicast)
- Unicast Storm: 500/250
- Multicast Storm: 250/125 (50% of Unicast)

Anyone care to comment? Corrections? Suggestions?

Thanks

Interesting feature…

I’d be curious to see how that works. Does it limit continuously, or all at once when it meets a threshold? I know I would be pissed if I was playing Warcraft with a torrent running in the background, and the switch got triggered and I was disconnected. If its an all or nothing limiter, I wouldn’t want to be on it.

Have you ever looked into NBAR? I’m reading a Cisco QoS book currently… it seems you might be able to use this feature to put a low priority on unknown traffic types. That way legit bandwidth hogs aren’t punished.

It shuts off the port until the traffic flow drops below the Falling Threshold. The idea being that if they have a worm, the connection gets very erratic causing a telephone call.

This is strictly for business customers so what we are really after is broadcast storms caused by viruses and worms.

I’ll look into NBAR, thanks.



Legit BW Hogs???