Broadcast Storm Control

Hi everybody,
I’m unsure about the broadcast storm control feature on a switch. Could anyone please advise me?
1. When broadcast storm control is triggered, can normal data packets (not broadcast packets) pass through the switch?
2. If a network loop occurs on an unmanaged switch that doesn’t support spanning tree protocol, and it connects to a managed switch on which broadcast storm control is turned on, does it help with this issue?
Managed switch
|
|
Unmanaged switch
||
\/<--- network looping
Thanks in advance,
Nitass

1. Unicast packets and multicast packets are not affected when you enable broadcast storm control. Multicast packets will be affected only if you enable multicast storm control on the switchport.
2. I have no experience in a setup such as this, but the behavior of the storm-control broadcast level command suggests that the switch port will drop all broadcasts headed through the port (in both directions) for a specified period of time.
This, however, still does not stop the source of the broadcasts (i.e. the multiple links running to the unmanaged switch), so I would presume that the broadcasts might die down for a small period of time but will resurface, as the unmanaged switch would continue generating broadcast packets.
Thus the port on the managed switch would come back to normal state, only to go back into broadcast storm control state and stop all broadcasts all over again.
HTH
Please rate posts that help.
Regards
Arvind

Similar Messages

  • Broadcast Storm Control - Mac-address flooding

    Hi Friends,
    We would like to configure broadcast storm control in our LAN to detect/avoid MAC address flooding. What is the best way, and how do I decide the rising threshold and falling threshold values? Please suggest.
    Regards,
    S.Tamilvanan

    Hello,
    The best way is to monitor your network for 5-6 days in order to find out the normal pattern of broadcast traffic. Then, based on the results from this monitoring process, you can set the thresholds for broadcast traffic.

  • Storm Control on Port-Channel Interfaces (6500 platform)

    Hello.
    I cannot find it anywhere in the documentation for the Cisco 6500 platform (IOS). The question is this: When calculating the percentage of broadcast passing through a Port-Channel interface, which total bandwidth figure is used by the switch? For example:
    a. If we have a bundle of 4 Gig interfaces in a PortChannel with Storm-Control applied, the threshold will be calculated over 4Gb/s or 1Gb/s?
    b. If the same PortChannel for some reason loses 2 of the uplinks in the Bundle, will the calculation be made over 4Gb/s, 2Gb/s or 1Gb/s?
    Thanks!

    Hi Leo,
    I can't find any reference to this at the moment, but my thoughts are that it will be based on a single member port of the port-channel.
    Remember that a port-channel is logically a single link and so a broadcast is only sent on one of the links of the port-channel and not all of them. The decision as to which link is used will be the same as for any other frame i.e., the broadcast address is used within the hashing calculation to choose the physical port.
    If the storm-control values are determined based upon the aggregate bandwidth, and change as links are added/removed from the aggregate, then the suppression threshold values for the link carrying the broadcasts are never going to be correct.
    Regards

  • OID of storm control trap

    Hello everyone,
    I have a question about the Storm Control trap.
    I configured "storm-control action trap" on a cat2960-24.
    When a broadcast storm occurred, my SNMP server received a trap whose OID is "1.3.6.1.4.1.9.9.362.0.0.1" from the cat2960-24.
    What is this OID?
    I think that ciscoPortStormControlMIBNotifs has two objects.
    One is cpscEvent (1.3.6.1.4.1.9.9.362.0.1.1) and the other is cpscEventRev1 (1.3.6.1.4.1.9.9.362.0.2).
    I can't find this OID (1.3.6.1.4.1.9.9.362.0.0.1) in the SNMP Object Navigator.
    My cat3560G-24, which is configured similarly, sent the correct trap (1.3.6.1.4.1.9.9.362.0.2).
    Why did my cat2950 send an undefined trap?
    best regards.
    Yusuke Matsumoto

    Hello,
    I also receive the trap 1.3.6.1.4.1.9.9.362.0.0.1, but I could not find the appropriate MIB.
    Could someone give some help?
    Best regards,
    Serge

  • Loop - broadcast storm in network

    Good day to you all. I have a problem and I can't seem to find the right solution.
    At our company we have around 300 2960 switches; also, in some areas of the factory they are using 3Com hubs or other hub devices.
    I am trying to take them all out, but the factory is too big and there are more than 100 in places I don't know.
    My problem is that many times we have a broadcast storm or loop in the network.
    Users just plug 2 cables into a hub, or plug both cables of the Cisco phone into the hub.
    The hub is connected to a 2960 switch.
    My port configuration is:
    interface FastEthernet0/3
    switchport access vlan 27
    switchport mode access
    switchport voice vlan 244
    spanning-tree portfast
    spanning-tree bpduguard enable
    end
    the STP settings global are:
    spanning-tree mode pvst
    spanning-tree loopguard default
    spanning-tree portfast bpduguard default
    no spanning-tree optimize bpdu transmission
    spanning-tree extend system-id
    In my opinion the port that has the 3Com connected should go into err-disable when a loop is created, because it receives BPDU packets.
    Unfortunately this does not happen, and my whole network goes down.
    The logging on the switch only identifies that there is MAC flapping.
    Mar  1 07:28:02: %SW_MATM-4-MACFLAP_NOTIF: Host 0026.18d6.e3d6 in vlan 27 is flapping between port Fa0/2 and port Gi0/1
    Mar  1 07:28:18: %SW_MATM-4-MACFLAP_NOTIF: Host e05f.b9e5.acba in vlan 27 is flapping between port Fa0/45 and port Gi0/1
    Mar  1 07:28:38: %SW_MATM-4-MACFLAP_NOTIF: Host e05f.b9e5.acba in vlan 27 is flapping between port Fa0/45 and port Gi0/1
    Mar  1 07:28:42: %SW_MATM-4-MACFLAP_NOTIF: Host 0026.18d6.e3d6 in vlan 27 is flapping between port Fa0/2 and port Gi0/1
    Mar  1 07:28:50: %SW_MATM-4-MACFLAP_NOTIF: Host 0026.18d6.e3d6 in vlan 27 is flapping between port Fa0/2 and port Gi0/1
    Mar  1 07:28:50: %SW_MATM-4-MACFLAP_NOTIF: Host e05f.b9e5.acba in vlan 27 is flapping between port Fa0/45 and port Gi0/1
    Mar  1 07:29:03: %SW_MATM-4-MACFLAP_NOTIF: Host 0026.18d6.e3d6 in vlan 27 is flapping between port Fa0/2 and port Gi0/1
    Mar  1 07:29:06: %SW_MATM-4-MACFLAP_NOTIF: Host e05f.b9e5.acba in vlan 27 is flapping between port Fa0/45 and port Gi0/1
    Mar  1 07:29:16: %SW_MATM-4-MACFLAP_NOTIF: Host 0026.18d6.e3d6 in vlan 27 is flapping between port Fa0/2 and port Gi0/1
    Mar  1 07:29:18: %SW_MATM-4-MACFLAP_NOTIF: Host e05f.b9e5.acba in vlan 27 is flapping between port Fa0/45 and port Gi0/1
    Does someone have an idea how to prevent this from happening?
    Thanks a lot!

    Hello
    My question is should i only set on the interface "storm-control broadcast level ??"
    or do i also need to set multicast and unicast ? - It all depends on what traffic you have traversing your links. You need to be sure you don't set the levels so low as to prohibit legitimate IGP/broadcast/multicast/unicast traffic; this includes any bespoke application traffic that utilizes any of the above.
    and why is the 3 to 5 %, so it will drop the storm when reach 95 % on interface ? - 5% of a 100 Mb link would be reached at 5 Mb utilization of whatever traffic you define; the higher the rate, the less effective storm control is.
    To protect against layer 1 devices such as hubs and, say, access ports with attached switches (managed/unmanaged), you can also apply port-security running alongside your current STP bpduguard.
    switchport nonegotiate ( disables DTP)
    switchport port-security ( enables port security)
    switchport port-security aging type inactivity ( ageing of mac- address)
    switchport port-security aging time xx  ( mins the mac address will age out)
    Switchport port-security violation restrict| shutdown ( violation action of port-security)
    Switchport port-security max xx ( number of mac- address allowed on port)
    res
    Paul
    Please don't forget to rate any posts that have been helpful.
    Thanks.
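The MACFLAP_NOTIF lines quoted in the question above can be summarised per host and per port, which is a common first triage step when chasing a loop. This is an added example, not code from the thread; the function names are hypothetical and the input is the ten log lines from the post.

```python
import re
from collections import defaultdict

# The ten MACFLAP lines quoted in the question above, reproduced as input.
SAMPLE_LOG = """\
Mar  1 07:28:02: %SW_MATM-4-MACFLAP_NOTIF: Host 0026.18d6.e3d6 in vlan 27 is flapping between port Fa0/2 and port Gi0/1
Mar  1 07:28:18: %SW_MATM-4-MACFLAP_NOTIF: Host e05f.b9e5.acba in vlan 27 is flapping between port Fa0/45 and port Gi0/1
Mar  1 07:28:38: %SW_MATM-4-MACFLAP_NOTIF: Host e05f.b9e5.acba in vlan 27 is flapping between port Fa0/45 and port Gi0/1
Mar  1 07:28:42: %SW_MATM-4-MACFLAP_NOTIF: Host 0026.18d6.e3d6 in vlan 27 is flapping between port Fa0/2 and port Gi0/1
Mar  1 07:28:50: %SW_MATM-4-MACFLAP_NOTIF: Host 0026.18d6.e3d6 in vlan 27 is flapping between port Fa0/2 and port Gi0/1
Mar  1 07:28:50: %SW_MATM-4-MACFLAP_NOTIF: Host e05f.b9e5.acba in vlan 27 is flapping between port Fa0/45 and port Gi0/1
Mar  1 07:29:03: %SW_MATM-4-MACFLAP_NOTIF: Host 0026.18d6.e3d6 in vlan 27 is flapping between port Fa0/2 and port Gi0/1
Mar  1 07:29:06: %SW_MATM-4-MACFLAP_NOTIF: Host e05f.b9e5.acba in vlan 27 is flapping between port Fa0/45 and port Gi0/1
Mar  1 07:29:16: %SW_MATM-4-MACFLAP_NOTIF: Host 0026.18d6.e3d6 in vlan 27 is flapping between port Fa0/2 and port Gi0/1
Mar  1 07:29:18: %SW_MATM-4-MACFLAP_NOTIF: Host e05f.b9e5.acba in vlan 27 is flapping between port Fa0/45 and port Gi0/1
"""

MACFLAP_RE = re.compile(
    r"%SW_MATM-4-MACFLAP_NOTIF: Host (?P<mac>[0-9a-f]{4}(?:\.[0-9a-f]{4}){2}) "
    r"in vlan (?P<vlan>\d+) is flapping between port (?P<a>\S+) and port (?P<b>\S+)",
    re.IGNORECASE,
)


def parse_macflap(text):
    """Return one (mac, vlan, port_a, port_b) tuple per MACFLAP_NOTIF line."""
    events = []
    for line in text.splitlines():
        m = MACFLAP_RE.search(line)
        if m:  # unrelated syslog lines are ignored
            events.append((m["mac"].lower(), int(m["vlan"]), m["a"], m["b"]))
    return events


def summarize(events):
    """Group flaps by host and find the port(s) present in every flap."""
    flaps = defaultdict(int)   # mac -> number of flap notifications
    ports = defaultdict(set)   # mac -> ports the MAC was seen on
    common = None              # ports shared by all events seen so far
    for mac, _vlan, a, b in events:
        flaps[mac] += 1
        ports[mac].update((a, b))
        common = {a, b} if common is None else common & {a, b}
    common = common or set()
    return {
        "events": len(events),
        "vlans": sorted({vlan for _m, vlan, _a, _b in events}),
        "common_ports": sorted(common),
        "hosts": {mac: {"flaps": flaps[mac],
                        "other_ports": sorted(ports[mac] - common)}
                  for mac in sorted(flaps)},
    }


if __name__ == "__main__":
    report = summarize(parse_macflap(SAMPLE_LOG))
    print("flap events:", report["events"], "vlans:", report["vlans"])
    print("port common to every flap:", report["common_ports"])
    for mac, info in report["hosts"].items():
        print(mac, info["flaps"], "flaps, also seen on", info["other_ports"])
```

A port that appears in every notification is where the hosts' frames are coming back in, so it marks the direction in which to keep tracing.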

  • Broadcast storms

    Hello,
    I currently have 4 HP 2610 switches alongside a Cisco SG 300 28 Port POE. I have a few laptops that, when I look on the old 2610s, I can plainly see are pushing out what may be excessive traffic (AKA broadcast storms) from the login page on the GUI. I am investigating this with the laptops in question by updating drivers, checking for malware, etc. Hopefully the NICs aren't bad, as that would be a board replacement. Anyway, if these laptops were on the Cisco, is there an area where I can plainly see which ports or MACs are pushing out what may be a broadcast storm? Under logs I see I have a flash log etc., but where would I see, in plain English, who is actually pushing bad traffic, similar to the old HP switches? The reason I ask is that I am retiring the old HPs over time and I want to be "in the know" about how to see issues like this without having to go through a lot of hoops.
    Don

    Hi Don
    I know the HP 2610 switches and so remember which messages you are talking about. Neither kind of Cisco switch (Small Business or Enterprise) provides the same kind of output for identifying unexpected traffic patterns on ports.
    But on the other hand, they have options for avoiding and identifying loops in switched networks. This means that instead of receiving "Excessive broadcasts received on the port X" you will get something like "STP Loopback Detection." in case there really is a switching loop in the network. Moreover, with the release of firmware 1.4.0.88 a new feature was introduced for avoiding loops in the network: Loopback detection – Detects network loops using non-BPDU frames, and usually used where spanning tree cannot be used.
    There is also a Storm control feature on SG300 switches, but it is more of a prevention mechanism. More here.
    In other words, Small Business switches have the resources and options to detect switching loops, with blocking of the switch ports from which storms are coming.
    One more thing: "Excessive broadcasts received on the port X" on HP did not always point to broadcast storms; yes, it is usually caused by a network topology loop, but it can also be due to a malfunctioning device, NIC, NIC driver, or software application.
    hope this helps..

  • Storm-Control Nexus Environment

    Hello,
    We want to configure storm-control in our network but we don't understand the feature in all its details.
    I understand that the switch can differentiate between broadcast/multicast and unicast by the I/G bit (whether it is 1 or 0). But how does a Nexus 5500 or Nexus 7000 differentiate between broadcast and multicast? If the switch only checks the I/G bit, it is not able to determine whether a frame is broadcast or multicast?
    I couldn't find anything about it in the documentation. Can anybody explain the difference?
    thx
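In standard Ethernet addressing, broadcast is the single all-ones destination ff:ff:ff:ff:ff:ff, and any other destination with the I/G bit set is multicast, so the two can be told apart from the address alone. The sketch below is an added example (not from the thread and not Nexus code; how a given platform does this in hardware is not stated on the page) that classifies constructed frames this way and expresses each class as a percentage of link bandwidth, the unit storm-control levels are discussed in elsewhere on this page.

```python
from collections import Counter

BROADCAST = bytes.fromhex("ffffffffffff")
CLASSES = ("broadcast", "multicast", "unicast")


def parse_mac(text):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or Cisco aabb.ccdd.eeff."""
    digits = "".join(ch for ch in text if ch not in ":-.")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)


def classify(dst):
    """Classify a destination MAC as broadcast, multicast or unicast."""
    mac = parse_mac(dst)
    if mac == BROADCAST:        # all 48 bits set
        return "broadcast"
    if mac[0] & 0x01:           # I/G bit: lowest bit of the first octet
        return "multicast"
    return "unicast"


def share_of_link(frames, link_bps, interval_s=1.0):
    """frames: iterable of (destination MAC, frame length in bytes).

    Returns each class's share of the link as a percentage. Only frame
    bytes are counted (preamble and inter-frame gap are ignored here).
    """
    bits = Counter()
    for dst, length in frames:
        bits[classify(dst)] += length * 8
    capacity = link_bps * interval_s
    return {c: 100.0 * bits[c] / capacity for c in CLASSES}


def over_level(frames, link_bps, levels, interval_s=1.0):
    """Return the classes whose share meets or exceeds its configured level."""
    shares = share_of_link(frames, link_bps, interval_s)
    return sorted(c for c, level in levels.items() if shares[c] >= level)


# Constructed one-second sample on a 100 Mb/s port (not captured traffic).
SAMPLE_FRAMES = (
    [("ff:ff:ff:ff:ff:ff", 64)] * 12000     # broadcast, e.g. looped ARP requests
    + [("33:33:00:00:00:01", 90)] * 2000    # IPv6 all-nodes multicast
    + [("01:00:5e:00:00:fb", 100)] * 500    # IPv4 multicast
    + [("0026.18d6.e3d6", 1500)] * 1000     # unicast
)

if __name__ == "__main__":
    print(share_of_link(SAMPLE_FRAMES, 100_000_000))
    print(over_level(SAMPLE_FRAMES, 100_000_000,
                     {"broadcast": 5.0, "multicast": 5.0}))
```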

  • Storm Control

    Hi,
    What are the best values when configuring storm control on an interface (broadcast, multicast and unicast)?
    Thanks
    reza

    hi,
    So in my scenario, it is not using multicast and broadcast for video/music streaming, right? We only shared the network drive to access and play the video and music.
    1. So it will not influence my m/c or b/c percentage, right?
    2. Please give me a guideline. Setting m/c or b/c is good for helping to prevent problems when there is a lot of traffic, such as a broadcast storm or a virus spreading, right?

  • Broadcast storms applicable on layer 3 switches?

    Dear all,
    My colleague and I were wondering about the following on a Cisco 3750-X layer 3 switch.
    Let's assume we configure the 3750 without VLANs, so we create several networks on the 3750. For example, fa 0/1 has network 10.10.10.0/24 with 10.10.10.1 as the default gateway. Fa 0/2 has network 10.10.11.0/24 with 10.10.11.1 as the default gateway.
    The question is: if a broadcast storm rages on network 10.10.10.0/24, would only 10.10.10.0/24 be affected by the broadcast storm, or will network 10.10.11.0/24 also be affected by the broadcasts?
    If we assume the same settings but utilize VLANs, then a network is definitely not affected by a broadcast storm happening on another network, right?
    Thanks in advance for your help.
    kind regards

    Hi,
    When you configure an L3 port on your 3750
    int f0/1
    no switchport
    ip add 10.10.10.1 255.255.255.0
    no shut
    int f0/2
    no switchport
    ip add 10.10.11.1 255.255.255.0
    no shut
    The key is NO SWITCHPORT
    This takes the port out of L2 configuration therefore
    it does not belong to any VLAN and does not operate like an L2 port
    with regards to broadcast etc.
    Have a look at this link from a 3750 config guide
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_55_se/configuration/guide/scg3750/swint.html#wpmkr2208885
    Hope this helps
    Regards
    Alex

  • Intel i217-LM NIC Causes Broadcast storm and High CPU

    Wanted to post this here to help others that may be experiencing issues with broadcasts.   
    If you have PCs with the Intel i217-LM NIC and you don't have the latest driver from Intel, the NIC will cause an IPv6 broadcast storm when the computer goes into sleep/hibernate. You have to have at least two PCs on your network in sleep/hibernate mode. It causes the same effect as a network loop. In my network it would cause the MDF CPU to go to 100% and basically shut the network down.
    We have Lenovo M93 desktops that have this NIC, and I know that there are other PCs that have this same NIC and experience the same problem.
    When the broadcast storm is happening you can issue the command
    show interfaces | include is up|line|broadcast
    on your MDF switch to find which interfaces have high broadcasts. You may have to trace it through your uplinks to your IDFs. You can then shut those interfaces to stop the broadcast storm.
    Your long term solution will be to get the latest NIC driver from Intel and update your PC's.

    It's connected IPV4 but because of the faulty NIC driver it starts broadcasting IPV6 when in sleep/hibernate mode.
    https://supportforums.cisco.com/discussion/12291431/ipv6-broadcast-storm-caused-hp-eliteone-800-intel-i217-lm-nic-how-find-hosts
    https://forums.lenovo.com/t5/A-M-and-Edge-Series-ThinkCentre/M83-and-M93p-ipv6-storms-intel-i217-LM-NIC/td-p/1600686

  • I get a network broadcast storm with Yosemite

    I had poor internet speed and loss of packets.
    BT and AAISP could not fault the external line.
    It emerged the problem happens only when I use both  wifi and wired ethernet (or indeed wifi only) on my Yosemite Macbook Pro.
    AAISP said it was likely a 'broadcast storm'.
    This problem has not happened, or was not significant,  with previous OS X.
    I am using WPA/WPA2 Personal to a Technicolor TG582N router.

    Disable all Firewalls & Anti-Virus software...try again.

  • FWSM with contexts - Broadcast storm impact CPU

    Hi,
    we have a FWSM (4.1(5)) configured with several contexts.
    Last day we had a broadcast storm in one VLAN connected to one FWSM context and all contexts were impacted with loss of service.
    We could check that CPU in impacted context went to 50 - 60 % but in fact service allocated in other contexts were impacted.
    We have Resource Class implemented, but there is nothing about CPU usage (only connections, xlates, .... ).
    Any idea about how to protect contexts against a broadcast storm or high CPU usage in one context ?
    Thanks a lot
    Felipe

    Hi Felipe,
    Unfortunately, the FWSM's CPU is not virtualized across contexts like the conn tables, xlate tables, etc are. High CPU caused by traffic in one context will indeed affect traffic on other contexts on the same physical firewall, which is a limitation of the architecture.
    -Mike

  • VPLS level Broadcast storm

    If we have a broadcast storm in the VPLS, will it be CPU processed? I mean, in a normal L2 switch scenario, whenever there is a broadcast storm the CPU of the L2 switch will go high, but in the case of VPLS, let's say on a 7600, will the CPU also spike?

    The SUP of the 7600 has two CPUs: basically one for the L3 activities (RP CPU) and one for L2 activities (SP CPU).
    Without an L3 interface, broadcasts are not punted and are flooded in hardware. There are special cases where some specific broadcast packets may be punted to the SP CPU (we are only L2 here), such as IGMP packets when IGMP snooping is enabled.
    So a storm of such packets could overload the CPU.
    HTH
    Laurent.

  • Broadcast Storm

    We host an annual LAN gaming event with about 3500 BYOC spots.  Last year we suffered a massive broadcast storm.  So this year we made each row its own subnet to prevent broadcasts from affecting the rest of the LAN.  This had an unintended side effect.  Many people hosting games on their systems were unable to announce their presence to the whole LAN, just their subnet.  It angered quite a few gamers.  What are some options to prevent broadcasts storms but still allow genuine game broadcasts?

    BPDU guard is often used to prevent end systems from introducing switches or hubs that could potentially cause a loop (and broadcast storm). Reference.

  • 3com and cisco switches (802.1q)vlan integration problem - broadcast storm?

    Hi forum,
    We are using 3Com switches. The 3Com switches implement open VLANs, which means that if an IEEE 802.1Q packet is received at a port and the port is not a member of that VLAN, the switch does not perform VLAN filtering. If the address was previously learned, the packet will be forwarded correctly, but if it was not, it will be flooded to all ports within that VLAN.
    My questions:
    1) If another Cisco switch connected to the 3Com switch is placed in the same VLAN, and the 3Com switch receives an 802.1Q packet from a rogue device, it will be flooded to all the ports (including the Cisco ports) within that VLAN. Will it cause a broadcast storm?
    2) How do I configure the Cisco switch to filter out unknown tagged packets on a port? By using VLAN pruning?
    3) How do I block the broadcasts from the 3Com switches? Using broadcast suppression?
    4) Is there a way on the design side to effectively counter this problem?
    Kind regards,
    paul

    It sounds like the setup of your 3Com switch is not quite up to your requirements. If a port is declared as tagged, it's OK to receive tagged frames for VLANs that were not previously known on this port. However, if your policy requires that only specific VLANs are permitted on a given tagged port, then you need to add some extra command on your 3Com switch. Check the documentation and possibly your 3Com support partner.
    As for Cisco routers, tagged ports in Cisco-speak are trunks (this might be confusing for you, as 3Com calls trunks what in the Cisco world is known as either EtherChannel or port aggregation). By default a trunk (tagged) port allows any VLAN. If your policy requires so, you can explicitly specify which VLANs are allowed on a given trunk (tagged) port. If a frame arrives with a tag that is not on the allowed list, the frame will be discarded. So you don't need any fancy broadcast suppression to block traffic from disallowed VLANs coming from your 3Com switch to Cisco.
    P.S.: Make sure that you don't mistake 'member of VLAN' with 'native VLAN'. Some parts of your message suggest that you do.
