Title

The Cisco ACI layer 2 switch must have Storm Control configured on all host-facing switch ports. (Cat III impact)

Discussion

A traffic storm occurs when packets flood a LAN, creating excessive traffic and degrading network performance. Traffic storm control prevents network disruption by suppressing ingress traffic when the number of packets reaches configured threshold levels. Traffic storm control monitors ingress traffic levels on a port and drops traffic when the number of packets reaches the configured threshold level during any one-second interval.

Check Content

Review the switch configuration to verify that storm control is enabled on all host-facing interfaces as shown in the example below: APIC1(config-leaf-if)# storm-control unicast level 35 burst-rate 45 APIC1(config-leaf-if)# storm-control broadcast level 36 burst-rate 36 APIC1(config-leaf-if)# storm-control broadcast level 37 burst-rate 38 If storm control is not enabled at a minimum for broadcast traffic, this is a finding.

Fix Text

Configure storm control for each host-facing interface: SW1(config)#int range g0/2 - 8 SW1(config-if-range)#storm-control unicast bps 62000000 SW1(config-if-range)#storm-control broadcast level bps 20000000 storm-control [unicast|multicast|broadcast] level <percentage> [burst-rate <percentage>] storm-control [unicast|multicast|broadcast] pps <packet-per-second> [burst-rate <packet-per-second>] Example: APIC1(config)# leaf 102 APIC1(config-leaf)# interface ethernet 1/19 APIC1(config-leaf-if)# storm-control unicast level 35 burst-rate 45 APIC1(config-leaf-if)# storm-control broadcast level 36 burst-rate 36 APIC1(config-leaf-if)# storm-control broadcast level 37 burst-rate 38

Additional Identifiers

Rule ID: SV-272038r1064441_rule

Vulnerability ID: V-272038

Group Title: SRG-NET-000512-L2S-000001

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.