Administration Guide

Storm control


Storm control protects a LAN from disruption by traffic storms, which stem from mistakes in network configuration or denial-of-service attacks. A traffic storm, which can consist of broadcast, multicast, or unicast traffic, creates excessive traffic on the LAN and degrades network performance.

By default, storm control is disabled on a FortiSwitch unit. When enabled, it measures the data rate (in packets per second) for unknown unicast, unknown multicast, and broadcast traffic. You can enable and disable storm control for each of these traffic types individually. If the traffic rate for any of the types exceeds the configured threshold, the FortiSwitch unit drops the excess traffic.

By default, storm control configuration is global. Starting in FortiSwitchOS 6.2.0, you can configure storm control on a port level.

Starting in FortiSwitchOS 6.4.3, you can configure the maximum burst size allowed by storm control. Using the CLI, you can select the burst-size level from 0 to 4, where the highest number gives the highest maximum burst size allowed. The maximum number of packets or bytes allowed for each burst-size level depends on the switch model.

NOTE: The burst-size level cannot be controlled on a port level for the FS-108E, FS-108E-POE, FS-108-FPOE, FS-124E, FS-124E-POE, and FS-124E-FPOE models.

Configuring system-wide storm control

If you set the rate to zero, the system drops all packets (for the enabled traffic types).

Using the GUI:
  1. Go to Switch > Storm Control.
  2. Select Restrict Traffic.
  3. Select Broadcast, Unknown Unicast, and Unknown Multicast as required.
  4. Select the action to take, either Drop Packets or Rate Limit.
  5. If you selected Rate Limit, enter the number of packets per second.
  6. Select Update to save the changes.

Using the CLI:

    config switch storm-control
        set broadcast {enable | disable}
        set burst-size-level <0-4>
        set rate [0 | 2-10000000]
        set unknown-unicast {enable | disable}
        set unknown-mcast {enable | disable}
    end

Configuring port-level storm control

Using the GUI:
  1. Go to Switch > Port > Physical.
  2. Select a port and then select Edit.
  3. In the Storm Control area, select Configure Manually.
  4. Select one or more of the packet types: Broadcast, Unknown Multicast, and Unknown Unicast.
  5. Select the action to take, either Drop Packets or Rate Limit.
  6. If you selected Rate Limit, enter the number of packets per second.
  7. Select Update to save the changes.

Using the CLI:

    config switch physical-port
        edit <port_name>
            set storm-control-mode override
            config storm-control
                set broadcast {enable | disable}
                set burst-size-level <0-4>
                set rate [0 | 2-10000000]
                set unknown-multicast {enable | disable}
                set unknown-unicast {enable | disable}
            end
    end

Displaying the storm-control configuration

Use the following command to display the system-wide storm-control configuration:

    get switch storm-control
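
An added example (not Fortinet code) that audits a configuration written in the CLI syntax above, flagging a rate of 0 and values outside the documented ranges at both the system-wide and port level. The sample configuration is constructed and the function names are assumptions of this example; it also assumes that a traffic type that is not set is disabled, matching the default described above.

```python
TYPES = ("broadcast", "unknown-unicast", "unknown-mcast", "unknown-multicast")
GLOBAL, PORT = ["switch storm-control"], ["switch physical-port", "storm-control"]
# Constructed sample, written in the config/set/end syntax shown on this page.
SAMPLE = """\
config switch storm-control
    set broadcast enable
    set rate 500
end
config switch physical-port
    edit port1
        set storm-control-mode override
        config storm-control
            set unknown-unicast enable
            set burst-size-level 7
            set rate 0
        end
end
"""

def parse_storm_control(text):
    """Return {scope: {setting: value}}; scope is 'global' or a port name."""
    scopes, stack, port = {}, [], None
    for line in text.splitlines():
        op, *args = line.split() or [""]
        if op == "config":
            stack.append(" ".join(args))
        elif op == "end" and stack:
            stack.pop()
        elif op == "edit" and args:
            port = args[0]
        elif op == "set" and len(args) >= 2 and stack in (GLOBAL, PORT):
            scope = "global" if stack == GLOBAL else port
            scopes.setdefault(scope, {})[args[0]] = args[1]
    return scopes

def audit(scopes):
    """Return (scope, finding) pairs using the value ranges given on this page."""
    findings = []
    for scope, s in scopes.items():
        enabled = [t for t in TYPES if s.get(t) == "enable"]
        rate, level = int(s.get("rate", -1)), int(s.get("burst-size-level", 0))
        if not enabled:
            findings.append((scope, "no traffic type enabled"))
        elif rate == 0:
            findings.append((scope, "rate 0 drops all " + ", ".join(enabled) + " packets"))
        if "rate" in s and rate != 0 and not 2 <= rate <= 10000000:
            findings.append((scope, f"rate {rate} outside 0 | 2-10000000"))
        if not 0 <= level <= 4:
            findings.append((scope, f"burst-size-level {level} outside 0-4"))
    return findings
```

Calling `audit(parse_storm_control(SAMPLE))` reports nothing for the system-wide block and two findings for `port1`.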
