The Cisco ACI layer 2 switch must have Storm Control configured on all host-facing switch ports.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| low | V-272038 | SRG-NET-000512-L2S-000001 | CACI-L2-000010 | SV-272038r1168256_rule | 2025-12-11 | 1 |
| Description |
|---|
| A traffic storm occurs when packets flood a LAN, creating excessive traffic and degrading network performance. Traffic storm control prevents network disruption by suppressing ingress traffic when the number of packets reaches configured threshold levels. Traffic storm control monitors ingress traffic levels on a port and drops traffic when the number of packets reaches the configured threshold level during any one-second interval. |
| ℹ️ Check |
|---|
| Review the switch configuration to verify storm control is enabled on all host-facing interfaces, as shown in the example below. |

1. To verify Storm Control settings, navigate to Fabric >> Access Policies >> Interfaces >> Leaf Interfaces >> Policy Groups >> (Leaf Access port, PC interface or VPC interface) >> {{your_policy_name}} >> Advance Policies.
2. Review each Storm Control policy.
3. Navigate to the Application Profile containing the EPGs to be protected.
4. Select each EPG, then go to the Policies tab to verify that a storm control policy configured to protect broadcast, at a minimum, has been applied.

If storm control is not enabled for host-facing interfaces for broadcast traffic at a minimum, this is a finding.
| ✔️ Fix |
|---|
| Configure one or more storm control policies for all host-facing interfaces and external interfaces and apply the policy to an ESG. Enable monitoring to track storm control events. |

Path to the storm control setting: Fabric >> Access Policies >> Interfaces >> Leaf Interfaces >> Policy Groups >> (Leaf Access port, PC interface or VPC interface) >> {{your_policy_name}} >> Advance Policies.

If storm control is not on the appropriate interface, add it by navigating to Fabric >> Access Policies >> Interfaces >> Leaf Interfaces >> Profiles >> {{your_profile}}.

Note: The acceptable range is 10000000-1000000000 for a gigabit Ethernet interface, and 100000000-10000000000 for a ten gigabit interface. Storm control is not supported on most FastEthernet interfaces.