storm control

Oct 13th, 2007

We have the following standard switch port config, but frequently when users try to copy big files or use FTP, the port gets locked down. We would like to somehow protect our network, but would it be safe to increase the level of storm controls?

switchport mode access

spanning-tree portfast

spanning-tree bpdufilter enable

spanning-tree bpduguard enable

spanning-tree guard root

switchport port-security

switchport port-security violation shutdown

switchport port-security maximum 1

switchport port-security aging time 1

switchport port-security aging type inactivity

speed auto

duplex auto

no cdp enable

no shut

storm-control broadcast level 65

storm-control multicast level 65

storm-control unicast level 85

storm-control action shutdown

Overall Rating: 5 (1 ratings)
Kevin Dorrell Sat, 10/13/2007 - 17:40

I would say that it was the storm-control unicast level 85 that was causing your problem. I would simply remove it; it is not very useful on an access port anyway.

Usually your trunk links have a higher bandwidth than each individual access port, so it is sufficient to let the bandwidth of the port limit the unicast traffic.

If you really want to limit the unicast traffic from the access port, then you might be able to use the QoS tools for that, depending on which switch you have.

Oh, and it is normally bad practice to put spanning-tree bpdufilter on your access ports unless you absolutely need to for some obscure reason. You are inviting your users to connect two ports together with a cross-cable and so bring down the whole network. (Although your storm-control will mitigate that in your case.)

Kevin Dorrell


jorge.s Mon, 10/15/2007 - 00:20

Hi Kevin,

Thanks a lot for your recommendation!

BTW, this is the config which we are planning on deploying for trunk ports; could you also comment on it?

switchport trunk encapsulation dot1q

switchport mode trunk

cdp enable

no shut

switchport block multicast

switchport block unicast



l.mourits Mon, 10/15/2007 - 03:46

Why would you like to block unicast and multicast packets from being flooded?

switchport block multicast

switchport block unicast

Just curiosity.

l.mourits Mon, 10/15/2007 - 03:49

I noticed there is no switchport access vlan in your config. Was this left out on purpose for the post, and do you set them in real life, or are you using vlan 1 for your access ports? If the latter is true, it is strongly recommended to not use vlan 1.
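The three points raised in the replies above (unicast storm-control with a shutdown action, bpdufilter on an access port, and no explicit access VLAN) can be checked across a saved configuration. The script below is an added example, not code from any poster or from Cisco; the interface name, the sample stanza wrapping, and the finding labels are assumptions made for illustration.

```python
import re

# Constructed sample: a subset of the access-port commands from the first post,
# wrapped in a hypothetical interface stanza (the interface name is an assumption).
SAMPLE = """\
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
 storm-control broadcast level 65
 storm-control unicast level 85
 storm-control action shutdown
"""

def parse_interfaces(text):
    """Split IOS-style config text into {interface name: [commands]}."""
    stanzas, current = {}, None
    for line in text.splitlines():
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = stanzas.setdefault(m.group(1), [])
        elif current is not None and line.startswith(" "):
            current.append(line.strip())
        else:
            current = None  # blank line, "!" or a global command ends the stanza
    return stanzas

def audit_access_port(cmds):
    """Return labels (hypothetical names) for the points raised in the replies."""
    if "switchport mode access" not in cmds:
        return []  # trunk and unconfigured ports are out of scope here
    findings = []
    if any(c.startswith("storm-control unicast level") for c in cmds) and "storm-control action shutdown" in cmds:
        findings.append("unicast-storm-shutdown")  # bulk transfers can err-disable the port
    if "spanning-tree bpdufilter enable" in cmds:
        findings.append("bpdufilter-on-access-port")  # port neither sends nor processes BPDUs
    vlan = [c.split()[-1] for c in cmds if c.startswith("switchport access vlan")]
    if not vlan or vlan[-1] == "1":
        findings.append("access-port-in-vlan-1")  # no explicit VLAN means default VLAN 1
    return findings

def audit(text):
    """Audit every interface stanza in the config text."""
    return {n: audit_access_port(c) for n, c in parse_interfaces(text).items()}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, findings)
```
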



