OL-11615-01
Traffic storm control (traffic suppression) is a feature that can be configured on selected ports to control
packet storms. We recommend that you configure traffic storm control on ports where traffic storms can
enter the network, typically the access ports. When deploying traffic storm control, it is important to
understand the platform limitations. Traffic storm control in Catalyst 6500 Series switches can limit
unicast, multicast, and broadcast packet storms, while in Catalyst 4500 Series switches, storm control can
limit multicast and broadcast packet storms only.
DHCP snooping is a highly recommended security feature for DHCP environments, and it is required by
IP Source Guard and Dynamic ARP Inspection. DHCP snooping can intercept DHCP messages crossing
a switch and can block bogus DHCP offers. When configuring DHCP snooping, ports are set as trusted or
untrusted. Typically, the trusted ports are used to reach DHCP servers or relay agents. Links and trunks
between switches should also be set as trusted ports, while ports connecting to clients, workstations, and
servers should be configured as untrusted.
IP Source Guard is a feature that relies on DHCP snooping and is used to mitigate IP address
spoofing. IP Source Guard mitigates spoofing by allowing only the IP addresses that are obtained through
DHCP snooping on a particular port. Typically, IP source guard should be enabled on ports connecting
to non-switching devices (such as workstations and servers). IP Source Guard can also be enabled on
trunks. However, if it is enabled on a trunk port with a large number of VLANs that have DHCP snooping
enabled, you might run out of ACL hardware resources, and some packets might be switched in software
instead.
Dynamic ARP Inspection (DAI) is another feature that uses DHCP snooping. DAI is a useful tool that
helps prevent ARP poisoning and other ARP-based attacks. DAI prevents these attacks by intercepting
all ARP requests and responses, and by verifying their authenticity before updating the switch's local
ARP cache or forwarding the packets to the intended destinations. To validate ARP packets, DAI uses
the binding table dynamically populated by DHCP snooping. DAI also allows the configuration of static
entries to support systems with fixed addresses and which do not use DHCP for their address
configuration. In a typical DAI configuration, ports connecting switches should be configured as trusted,
while ports connecting to clients and servers should be left as untrusted, which is the default setting.
It should be noted that because DAI relies on the information learned by DHCP snooping, ports should
have the same trust configuration for both features. For example, a port configured as trusted with DAI
needs to also be configured as trusted for DHCP snooping. Otherwise, all ARP requests and responses
on that port will be blocked unless an ARP ACL entry is configured to allow systems to be reachable
through that port.
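The following Cisco IOS configuration is an added example, not taken from this Cisco document, showing the four access-layer features described above applied together on one switch: storm control on an access port, DHCP snooping with a trusted uplink, IP Source Guard on the client port, and DAI with the same trust assignment as DHCP snooping, plus a static binding and ARP ACL for a server with a fixed address. The VLAN numbers, interface names, MAC and IP addresses, and rate values are constructed for illustration; the exact form of the `ip verify source` command differs between Catalyst platforms (the `vlan dhcp-snooping` keywords shown are the Catalyst 6500/4500 syntax).

```cisco
! Added example (not from the Cisco document). All VLANs, interfaces,
! addresses and rates below are constructed values.
!
! --- Traffic storm control on an access port (where storms enter the network) ---
interface GigabitEthernet1/1
 description workstation access port (untrusted)
 switchport mode access
 switchport access vlan 10
 storm-control broadcast level 1.00
 storm-control multicast level 1.00
 storm-control action trap
!
! --- DHCP snooping: enable globally and for the client VLANs ---
ip dhcp snooping
ip dhcp snooping vlan 10,20
!
! --- Dynamic ARP Inspection for the same VLANs, with extra header checks ---
ip arp inspection vlan 10,20
ip arp inspection validate src-mac dst-mac ip
!
! --- Uplink toward the DHCP server / other switches ---
! Trusted for BOTH DHCP snooping and DAI, as the text requires; a port
! trusted for only one of the two would have its ARP traffic dropped.
interface GigabitEthernet1/48
 description trunk to distribution switch
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- Client port: untrusted (default) for both features ---
! Rate limits keep a misbehaving host from flooding the CPU with DHCP/ARP;
! IP Source Guard permits only the address bound by DHCP snooping.
interface GigabitEthernet1/1
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 ip verify source vlan dhcp-snooping
!
! --- Server with a fixed (non-DHCP) address on VLAN 20, port Gi1/10 ---
! A static source binding satisfies IP Source Guard; an ARP ACL lets DAI
! validate the host without a DHCP snooping entry.
ip source binding 0011.2233.4455 vlan 20 10.0.20.5 interface GigabitEthernet1/10
!
arp access-list STATIC-HOSTS
 permit ip host 10.0.20.5 mac host 0011.2233.4455
!
ip arp inspection filter STATIC-HOSTS vlan 20
```

To confirm the result, `show ip dhcp snooping binding` lists the learned and static bindings, `show ip arp inspection vlan 10` shows the per-VLAN DAI state and drop counters, `show ip verify source` shows the filters IP Source Guard installed, and `show storm-control` reports the suppression levels and any ports that have tripped.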
Catalyst 6500 Hardware Rate Limiters and CoPP
As described in Additional Catalyst 6500 Infrastructure Protection Features, page 67, the Catalyst 6500
Series switches implement Control Plane Policing (CoPP) and specific hardware-based rate limiters that
help protect the switch from direct infrastructure attacks and collateral damage.
Because both CoPP and hardware-based rate limiters help protect the switch itself, and because they
operate in a similar fashion, they could be wrongly perceived as overlapping rather than complementary
technologies. In fact, each covers what the other does not. CoPP provides a more flexible and granular
policy definition that can handle a wide variety of attacks, while each hardware-based rate limiter
covers only a limited set of specific DoS scenarios. Conversely, there are certain types of traffic that
CoPP does not support in hardware and for which the hardware-based rate limiters provide better
support. For example, CoPP processes multicast and broadcast traffic in software, while there are
hardware-based rate limiters that handle that sort of traffic. Other packet types that CoPP does not
support in hardware include packets with TTL equal to 1, packets that fail the MTU check, packets with
IP options, and IP packets with errors. There are also other types of traffic, such as ARP, that CoPP
cannot handle in either software or hardware; because CoPP cannot process ARP traffic at all, ARP rate
limiting can only be done with hardware-based rate limiters. To rate limit ARP traffic, use the ARP
policing rate limiter.
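As an added example (not from this Cisco document), the Catalyst 6500 configuration below pairs hardware rate limiters for the packet types the text says CoPP cannot police in hardware (TTL failures, MTU failures, IP options, IP header errors) with a minimal CoPP policy that handles the rest in the PFC. The packet-per-second, burst, and bps values are assumed starting points to be tuned from `show mls rate-limit` and `show policy-map control-plane` counters on the actual switch; the ARP policing rate limiter mentioned in the text is deliberately not shown here because its exact syntax is not on the page.

```cisco
! Added example (not from the Cisco document). Rates and bursts are
! assumed values; tune them from the counters on the real device.
!
! --- Hardware-based rate limiters: <packets per second> <burst> ---
! Packets with TTL = 1 that must be punted to the route processor
mls rate-limit all ttl-failure 100 10
! Packets that fail the MTU check and need fragmentation or ICMP handling
mls rate-limit all mtu-failure 100 10
! IP packets carrying IP options (handled in software; PFC3 limiter)
mls rate-limit unicast ip options 100 10
! IP packets with header or checksum errors
mls rate-limit unicast ip errors 100 10
!
! --- CoPP: enforced in hardware on the 6500 only when MLS QoS is enabled ---
mls qos
!
! Classify ICMP destined to the switch; everything else falls to class-default
ip access-list extended COPP-ICMP
 permit icmp any any
!
class-map match-all COPP-ICMP
 match access-group name COPP-ICMP
!
! Police each class to a ceiling; ICMP gets a tighter limit than the rest
policy-map COPP
 class COPP-ICMP
  police 32000 1000 conform-action transmit exceed-action drop
 class class-default
  police 64000 2000 conform-action transmit exceed-action drop
!
! Apply the policy to traffic entering the control plane
control-plane
 service-policy input COPP
```

Because CoPP and the rate limiters act on different punt paths, checking both `show mls rate-limit` and `show policy-map control-plane` during a baseline period shows which limit is actually being hit, which is the information needed before tightening either side.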