Cisco Support Community

New Member

storm control


We have the following standard config of switch port, but frequently when users try to copy big files or use FTP, the port gets locked down. We would like to somehow protect our network, but would it be safe to increase the level of storm controls?

switchport mode access

spanning-tree portfast

spanning-tree bpdufilter enable

spanning-tree bpduguard enable

spanning-tree guard root

switchport port-security

switchport port-security violation shutdown

switchport port-security maximum 1

switchport port-security aging time 1

switchport port-security aging type inactivity

speed auto

duplex auto

no cdp enable

no shut

storm-control broadcast level 65

storm-control multicast level 65

storm-control unicast level 85

storm-control action shutdown


Re: storm control

I would say that it was the storm-control unicast level 85 that was causing your problem. I would simply remove it; it is not very useful on an access port anyway.

Usually your trunk links have a higher bandwidth than each individual access port, so it is sufficient to let the bandwidth of the port limit the unicast traffic.

If you really want to limit the unicast traffic from the access port, then you might be able to use the QoS tools for that, depending on which switch you have.

Oh, and it is normally bad practice to put spanning-tree bpdufilter on your access ports unless you absolutely need to for some obscure reason. You are inviting your users to connect two ports together with a cross-cable and so bring down the whole network. (Although your storm-control will mitigate that in your case.)

Kevin Dorrell


New Member

Re: storm control

Hi Kevin,

Thanks a lot for your recommendation!

By the way, this is the config which we are planning on deploying for trunk ports. Could you also comment on that?

switchport trunk encapsulation dot1q

switchport mode trunk

cdp enable

no shut

switchport block multicast

switchport block unicast




Re: storm control

Why would you like to block unicast and multicast packets from being flooded?

switchport block multicast

switchport block unicast

Just curiosity.


Re: storm control


I noticed there is no switchport access vlan in your config. Was this left out on purpose for the post, and do you set them in real life, or are you using vlan 1 for your access ports? If the latter is true, it is strongly recommended to not use vlan 1.
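
The points the replies raise about the access-port config (unicast storm control combined with the shutdown action, bpdufilter on an access port, no access VLAN statement) can be checked mechanically before a template is rolled out. The following is an added example, not part of the thread; the function name `audit_access_port`, the finding strings and the sample text are assumptions made for illustration.

```python
import re

# Constructed sample: a subset of the access-port lines quoted in the first post.
ACCESS_PORT = """\
switchport mode access
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
storm-control broadcast level 65
storm-control multicast level 65
storm-control unicast level 85
storm-control action shutdown
"""

def audit_access_port(config):
    """Return one finding per point the replies raise about an access port."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    if "switchport mode access" not in lines:
        return []  # the replies' points concern access ports only
    findings = []
    # First reply: unicast storm control is named as the likely cause of the
    # port shutdowns; it only shuts the port when the action is "shutdown".
    for ln in lines:
        m = re.fullmatch(r"storm-control unicast level (\d+(?:\.\d+)?)", ln)
        if m and "storm-control action shutdown" in lines:
            findings.append("unicast storm-control at %s%% with action shutdown" % m.group(1))
    # First reply: bpdufilter on an access port is called bad practice.
    if "spanning-tree bpdufilter enable" in lines:
        findings.append("bpdufilter enabled on access port")
    # Last reply: with no access VLAN statement the port stays in VLAN 1.
    matches = [re.fullmatch(r"switchport access vlan (\d+)", ln) for ln in lines]
    vlans = [m.group(1) for m in matches if m]
    if not vlans or vlans[-1] == "1":
        findings.append("access port in VLAN 1")
    return findings

if __name__ == "__main__":
    for finding in audit_access_port(ACCESS_PORT):
        print("FINDING:", finding)
```
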


