Broadcast Storm
We host an annual LAN gaming event with about 3500 BYOC spots. Last year we suffered a massive broadcast storm. So this year we made each row its own subnet to prevent broadcasts from affecting the rest of the LAN. This had an unintended side effect. Many people hosting games on their systems were unable to announce their presence to the whole LAN, just their subnet. It angered quite a few gamers. What are some options to prevent broadcasts storms but still allow genuine game broadcasts?
BPDU guard is often used to prevent end systems from introducing switches or hubs that could potentially cause a loop (and broadcast storm). Reference.
Similar Messages
-
Broadcast storms applicable on layer 3 switches?
Dear all,
My colleague and I were wondering about the following on a Cisco 3750-X layer 3 switch.
Let's assume we configure the 3750 without VLANs, so we create several networks on the 3750. For example, fa 0/1 has the network 10.10.10.0/24 with 10.10.10.1 as the default gateway. Fa 0/2 has the network 10.10.11.0/24 with 10.10.11.1 as the default gateway.
The question is: if a broadcast storm rages on network 10.10.10.0/24, would only 10.10.10.0/24 be affected by the broadcast storm, or will network 10.10.11.0/24 also be affected due to the broadcast?
If we assume the same settings but we utilize VLANs, then a network is definitely not affected by a broadcast storm happening on another network, right?
Thanks in advance for your help.
Kind regards
Hi,
When you configure an L3 port on your 3750
int f0/1
no switchport
ip add 10.10.10.1 255.255.255.0
no shut
int f0/2
no switchport
ip add 10.10.11.1 255.255.255.0
no shut
The key is NO SWITCHPORT.
This takes the port out of L2 configuration, therefore it does not belong to any VLAN and does not operate like an L2 port with regards to broadcast etc.
Have a look at this link from a 3750 config guide
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_55_se/configuration/guide/scg3750/swint.html#wpmkr2208885
Hope this helps
Regards
Alex -
Intel i217-LM NIC Causes Broadcast storm and High CPU
Wanted to post this here to help others that may be experiencing issues with broadcasts.
If you have PCs with the Intel i217-LM NIC and don't have the latest driver from Intel, the NIC will cause an IPv6 broadcast storm when the computer goes into sleep/hibernate. You have to have at least two PCs on your network in sleep/hibernate mode. It causes the same effect as a network loop. In my network it would cause the MDF CPU to go to 100% and basically shut the network down.
We have Lenovo M93 desktops that have this NIC and I know that there are other PCs that have this same NIC and experience the same problem.
When the broadcast storm is happening you can issue the command
show interfaces | include is up|line|broadcast
on your MDF switch to find which interfaces have high broadcasts. You may have to trace it through your uplinks to your IDFs. You can then shut those interfaces to stop the broadcast storm.
Your long term solution will be to get the latest NIC driver from Intel and update your PCs. It's connected IPv4, but because of the faulty NIC driver it starts broadcasting IPv6 when in sleep/hibernate mode.
https://supportforums.cisco.com/discussion/12291431/ipv6-broadcast-storm-caused-hp-eliteone-800-intel-i217-lm-nic-how-find-hosts
https://forums.lenovo.com/t5/A-M-and-Edge-Series-ThinkCentre/M83-and-M93p-ipv6-storms-intel-i217-LM-NIC/td-p/1600686 -
I get a network broadcast storm with Yosemite
I had poor internet speed and loss of packets.
BT and AAISP could not fault the external line.
It emerged the problem happens only when I use both wifi and wired ethernet (or indeed wifi only) on my Yosemite Macbook Pro.
AAISP said it was likely a 'broadcast storm'.
This problem has not happened, or was not significant, with previous OS X.
I am using WPA/WPA2 Personal to a Technicolor TG582N router.
Disable all Firewalls & Anti-Virus software...try again.
-
FWSM with contexts - Broadcast storm impact CPU
Hi,
we have a FWSM (4.1(5)) configured with several contexts.
Last day we had a broadcast storm in one VLAN connected to one FWSM context and all contexts were impacted with loss of service.
We could check that CPU in impacted context went to 50 - 60 % but in fact service allocated in other contexts were impacted.
We have Resource Class implemented, but there is nothing about CPU usage (only connections, xlates, .... ).
Any idea about how to protect contexts against a broadcast storm or high CPU usage in one context ?
Thanks a lot
Felipe
Hi Felipe,
Unfortunately, the FWSM's CPU is not virtualized across contexts like the conn tables, xlate tables, etc are. High CPU caused by traffic in one context will indeed affect traffic on other contexts on the same physical firewall, which is a limitation of the architecture.
-Mike -
If we have a broadcast storm in the VPLS, will it be CPU processed? I mean, like in a normal L2 switch scenario, whenever there is a broadcast storm the CPU of the L2 switch will go high, but in the case of VPLS, let's say on a 7600, will the CPU also spike?
The SUP of the 7600 has two CPUs: basically one for the L3 activities (RP CPU) and one for L2 activities (SP CPU).
Without an L3 interface, broadcasts are not punted and are flooded in hardware. There are special cases where some specific broadcast packets may be punted to the SP CPU (we are only L2 here), like if it's an IGMP packet and IGMP snooping is enabled.
So a storm of such packets could overload the CPU.
HTH
Laurent. -
Loop - broadcast storm in network
Good day to you all, I have a problem and I can't seem to find the right solution.
At our company we have around 300 2960 switches; also, in some areas of the factory they are using 3com hubs or other hub devices.
I am trying to take them all out, but the factory is too big and there are more than 100 in places I don't know.
My problem is that many times we have a broadcast storm or loop in the network.
Users just put 2 cables into a hub, or both cables of the Cisco phone into the hub.
The hub is connected to a 2960 switch.
My port configuration is:
interface FastEthernet0/3
switchport access vlan 27
switchport mode access
switchport voice vlan 244
spanning-tree portfast
spanning-tree bpduguard enable
end
the STP settings global are:
spanning-tree mode pvst
spanning-tree loopguard default
spanning-tree portfast bpduguard default
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
In my opinion the port that has the 3com connected should go into err-disable when a loop is created, because it receives BPDU packets.
Unfortunately this does not happen and my whole network goes down.
The logging in the switch only identifies that there is MAC flapping.
Mar 1 07:28:02: %SW_MATM-4-MACFLAP_NOTIF: Host 0026.18d6.e3d6 in vlan 27 is flapping between port Fa0/2 and port Gi0/1
Mar 1 07:28:18: %SW_MATM-4-MACFLAP_NOTIF: Host e05f.b9e5.acba in vlan 27 is flapping between port Fa0/45 and port Gi0/1
Mar 1 07:28:38: %SW_MATM-4-MACFLAP_NOTIF: Host e05f.b9e5.acba in vlan 27 is flapping between port Fa0/45 and port Gi0/1
Mar 1 07:28:42: %SW_MATM-4-MACFLAP_NOTIF: Host 0026.18d6.e3d6 in vlan 27 is flapping between port Fa0/2 and port Gi0/1
Mar 1 07:28:50: %SW_MATM-4-MACFLAP_NOTIF: Host 0026.18d6.e3d6 in vlan 27 is flapping between port Fa0/2 and port Gi0/1
Mar 1 07:28:50: %SW_MATM-4-MACFLAP_NOTIF: Host e05f.b9e5.acba in vlan 27 is flapping between port Fa0/45 and port Gi0/1
Mar 1 07:29:03: %SW_MATM-4-MACFLAP_NOTIF: Host 0026.18d6.e3d6 in vlan 27 is flapping between port Fa0/2 and port Gi0/1
Mar 1 07:29:06: %SW_MATM-4-MACFLAP_NOTIF: Host e05f.b9e5.acba in vlan 27 is flapping between port Fa0/45 and port Gi0/1
Mar 1 07:29:16: %SW_MATM-4-MACFLAP_NOTIF: Host 0026.18d6.e3d6 in vlan 27 is flapping between port Fa0/2 and port Gi0/1
Mar 1 07:29:18: %SW_MATM-4-MACFLAP_NOTIF: Host e05f.b9e5.acba in vlan 27 is flapping between port Fa0/45 and port Gi0/1
Does someone have an idea to prevent this from happening?
Thanks a lot!
Hello
My question is should I only set on the interface "storm-control broadcast level ??" or do I also need to set multicast and unicast? - It all depends on what traffic you have traversing your links. You need to be sure you don't set the levels so low as to prohibit legitimate IGP/broadcast/multicast/unicast traffic; this includes any bespoke application traffic that utilizes any of the above.
And why the 3 to 5 %, so it will drop the storm when it reaches 95 % on the interface? - 5% of a 100mb link would be reached at 5 mb utilization of whatever traffic you define; the higher the rate, the less effective storm control is.
To protect against layer 1 devices such as hubs, and access ports with attached switches (managed/unmanaged), you can also apply port-security running alongside your current STP bpduguard.
switchport nonegotiate ( disables DTP)
switchport port-security ( enables port security)
switchport port-security aging type inactivity ( ageing of mac-address)
switchport port-security aging time xx ( mins the mac address will age out)
switchport port-security violation restrict| shutdown ( violation action of port-security)
switchport port-security max xx ( number of mac-address allowed on port)
res
Paul
Please don't forget to rate any posts that have been helpful.
Thanks. -
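As an added example (not from the post above, and not Cisco's tooling), here is a small Python script that parses the %SW_MATM-4-MACFLAP_NOTIF lines quoted in the post and flags the loop signature in them: several different MACs all flapping against one shared port within a short window. The shared port (Gi0/1 in the post's log) is the side the looped copies come back through, and the other port in each flap is where the host really lives; the syslog alone does not name the port the hub hangs off, so the script only narrows the search. The sample log is the post's own ten lines; the window and MAC-count thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the ten %SW_MATM-4-MACFLAP_NOTIF lines quoted in the post above.
SAMPLE_LOG = """\
Mar 1 07:28:02: %SW_MATM-4-MACFLAP_NOTIF: Host 0026.18d6.e3d6 in vlan 27 is flapping between port Fa0/2 and port Gi0/1
Mar 1 07:28:18: %SW_MATM-4-MACFLAP_NOTIF: Host e05f.b9e5.acba in vlan 27 is flapping between port Fa0/45 and port Gi0/1
Mar 1 07:28:38: %SW_MATM-4-MACFLAP_NOTIF: Host e05f.b9e5.acba in vlan 27 is flapping between port Fa0/45 and port Gi0/1
Mar 1 07:28:42: %SW_MATM-4-MACFLAP_NOTIF: Host 0026.18d6.e3d6 in vlan 27 is flapping between port Fa0/2 and port Gi0/1
Mar 1 07:28:50: %SW_MATM-4-MACFLAP_NOTIF: Host 0026.18d6.e3d6 in vlan 27 is flapping between port Fa0/2 and port Gi0/1
Mar 1 07:28:50: %SW_MATM-4-MACFLAP_NOTIF: Host e05f.b9e5.acba in vlan 27 is flapping between port Fa0/45 and port Gi0/1
Mar 1 07:29:03: %SW_MATM-4-MACFLAP_NOTIF: Host 0026.18d6.e3d6 in vlan 27 is flapping between port Fa0/2 and port Gi0/1
Mar 1 07:29:06: %SW_MATM-4-MACFLAP_NOTIF: Host e05f.b9e5.acba in vlan 27 is flapping between port Fa0/45 and port Gi0/1
Mar 1 07:29:16: %SW_MATM-4-MACFLAP_NOTIF: Host 0026.18d6.e3d6 in vlan 27 is flapping between port Fa0/2 and port Gi0/1
Mar 1 07:29:18: %SW_MATM-4-MACFLAP_NOTIF: Host e05f.b9e5.acba in vlan 27 is flapping between port Fa0/45 and port Gi0/1
"""

# Matches the IOS MACFLAP message format as it appears in the post (timestamp, MAC, VLAN, two ports).
FLAP_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d): %SW_MATM-4-MACFLAP_NOTIF: "
    r"Host (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) in vlan (?P<vlan>\d+) "
    r"is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)$"
)


def parse_flaps(text):
    """Return one (seconds_of_day, mac, vlan, {port_a, port_b}) tuple per MACFLAP line."""
    events = []
    for line in text.splitlines():
        m = FLAP_RE.match(line.strip())
        if not m:
            continue
        hh, mm, ss = (int(x) for x in m["ts"].split()[-1].split(":"))
        events.append((hh * 3600 + mm * 60 + ss, m["mac"], int(m["vlan"]), {m["p1"], m["p2"]}))
    return events


def summarize(events, window_s=120, min_macs=2):
    """Group flaps per VLAN and flag the loop signature: at least min_macs different
    MACs all flapping against one shared port within window_s seconds (both
    thresholds are assumptions). The shared port is the side the looped copies
    return through; the remaining ports are where the hosts are really attached."""
    by_vlan = defaultdict(list)
    for ev in events:
        by_vlan[ev[2]].append(ev)
    report = {}
    for vlan, evs in by_vlan.items():
        macs = {mac for _, mac, _, _ in evs}
        port_counts = Counter(p for *_, ports in evs for p in ports)
        shared = [p for p, n in port_counts.items() if n == len(evs)]
        times = [t for t, *_ in evs]
        span = max(times) - min(times)
        report[vlan] = {
            "flaps": len(evs),
            "macs": len(macs),
            "shared_port": shared[0] if len(shared) == 1 else None,
            "host_ports": sorted(p for p in port_counts if p not in shared),
            "span_s": span,
            "loop_likely": len(macs) >= min_macs and span <= window_s and len(shared) == 1,
        }
    return report


if __name__ == "__main__":
    for vlan, info in summarize(parse_flaps(SAMPLE_LOG)).items():
        verdict = "LOOP LIKELY" if info["loop_likely"] else "isolated flaps"
        print(f"vlan {vlan}: {verdict}; {info['flaps']} flaps, {info['macs']} MACs, "
              f"shared side {info['shared_port']}, host ports {info['host_ports']}, "
              f"over {info['span_s']}s")
```

On the post's log this reports VLAN 27 as a likely loop with Gi0/1 as the shared side and Fa0/2 and Fa0/45 as the real host ports, which is consistent with frames re-entering via the uplink; the port carrying the hub still has to be found from interface counters or by shutting candidate ports.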
Hi everybody,
I have doubts about the broadcast storm control feature on switches. Could anyone please advise me?
1. When broadcast storm control is triggered, can normal data packets (not broadcast packets) pass the switch?
2. If a network loop occurs at an unmanaged switch that doesn't support spanning tree protocol, and it connects to a managed switch that has broadcast storm control turned on, does it help with this issue?
Managed switch
|
|
Unmanaged switch
||
\/<--- network looping
Thanks in advance,
Nitass
1. Unicast packets and multicast packets are not affected when you enable broadcast storm control. Multicast packets will be affected only if you enable multicast storm control on the switchport.
2. I have no experience in a setup such as this but the behavior of the storm-control broadcast level command suggests that the switch port will drop all broadcasts headed through the port (in both directions) for a specified period of time.
This, however, still does not stop the source of the broadcasts (i.e. the multiple links running to the unmanaged switch), so I would presume that the broadcasts might die down for a small period of time but they will resurface as the unmanaged switch would continue generating broadcast packets.
Thus the port on the managed switch would come back to normal state, only to go back into broadcast storm control state and stop all broadcasts all over again.
HTH
Please rate posts that help.
Regards
Arvind -
Broadcast Storm Control - Mac-address flooding
Hi Friends,
We would like to configure broadcast storm control in our LAN to detect/avoid MAC address flooding. What is the best way, and how do I decide the rising threshold and falling threshold values? Please suggest.
Regards,
S.Tamilvanan
Hello,
The best way is to monitor your network for 5-6 days in order to find out the normal pattern of broadcast traffic. Then, based on the results from this monitoring process, you can set the thresholds for broadcast traffic. -
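As an added example (not from either post, and not Cisco's method), the following Python derives a rising/falling pair for storm-control broadcast level from a baseline of broadcast bps samples, in the spirit of the advice above to measure normal broadcast load first, and also shows the "level as % of link" arithmetic from the earlier reply (5% of a 100 Mb link = 5 Mb). The baseline data is constructed, not measured, and the headroom multiplier, falling ratio and floor are assumptions, not recommendations from the posts.

```python
LINK_BPS = 100_000_000  # 100 Mb/s access link, the figure used in the "5% = 5 Mb" reply


def constructed_baseline():
    """Constructed, not measured: a week of broadcast bps samples, one per 5 minutes
    (2016 samples). Normal load sits at 80-120 kb/s with nine legitimate 600 kb/s
    bursts standing in for DHCP/ARP/discovery peaks."""
    samples = [80_000 + 4_000 * ((i * 7919) % 11) for i in range(2016)]
    for i in range(0, 2016, 250):
        samples[i] = 600_000
    return samples


def percentile(values, p):
    """Nearest-rank percentile over a list of numbers (no third-party library needed)."""
    ordered = sorted(values)
    idx = int(round(p / 100 * (len(ordered) - 1)))
    return ordered[max(0, min(idx, len(ordered) - 1))]


def level_to_bps(level_pct, link_bps=LINK_BPS):
    """What a storm-control level means in absolute terms, e.g. 5% of 100 Mb -> 5 Mb."""
    return link_bps * level_pct / 100


def derive_thresholds(samples_bps, link_bps=LINK_BPS, headroom=10.0,
                      falling_ratio=0.5, floor_pct=0.10):
    """Rising threshold = headroom x the 99th percentile of normal broadcast load,
    as a percentage of link speed. The falling threshold is a fraction of the rising
    one so a port does not oscillate in and out of the storm-control state, and the
    floor keeps a very quiet baseline from producing a threshold that a single
    legitimate burst would trip. headroom, falling_ratio and floor_pct are assumptions."""
    p99 = percentile(samples_bps, 99)
    rising = round(100 * p99 * headroom / link_bps, 2)
    rising = min(100.0, max(floor_pct, rising))
    falling = round(rising * falling_ratio, 2)
    return rising, falling


def ios_storm_control(rising, falling, traffic="broadcast"):
    """Render the IOS interface command: storm-control <traffic> level <rising> <falling>."""
    return f"storm-control {traffic} level {rising:.2f} {falling:.2f}"


if __name__ == "__main__":
    base = constructed_baseline()
    rising, falling = derive_thresholds(base)
    print(f"p99 of baseline: {percentile(base, 99):,} b/s")
    print(f"rising {rising}% = {level_to_bps(rising):,.0f} b/s, falling {falling}%")
    print(ios_storm_control(rising, falling))
```

With the constructed baseline this yields a rising level of 1.20% (1.2 Mb/s on a 100 Mb link) and a falling level of 0.60%, well below the 3-5% mentioned earlier but still an order of magnitude above the measured normal load; the same function applied to a busier baseline, or to a gigabit link, produces a different pair, which is the point of measuring before configuring.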
Hello,
I currently have 4 HP 2610 switches alongside a Cisco SG 300 28 Port POE. I have a few laptops that, when I look on the old 2610s, I can plainly see are pushing out what may be excessive traffic (AKA broadcast storms) from the login page on the GUI... I am investigating this with the laptops in question by updating drivers, checking for malware etc.; hopefully the NICs aren't bad, as that would be a board replacement. Anyway, if these laptops were on the Cisco, is there an area where I can plainly see what ports or MACs are pushing out what may be a broadcast storm? Under logs I see I have a flash log etc., but where would I see, in plain English, who is actually pushing bad traffic, similar to the old HP switches? The reason I ask is that I am retiring the old HPs over time and I want to be "in the know" on how to see issues like this without having to go through a lot of hoops.
Don
Hi Don
I know HP 2610 switches and thus remember the messages you are talking about. None of the Cisco switches (Small Business or Enterprise) provide the same kind of output regarding identification of unexpected traffic patterns on ports.
But on the other side they have options for how to avoid and identify loops in switched networks. This means that instead of receiving "Excessive broadcasts received on the port X" you will get something like "STP Loopback Detection." in case there really is a switching loop in the network. Moreover, with the release of firmware 1.4.0.88 a new feature was introduced for avoiding loops in the network: Loopback detection – Detects network loops using non-BPDU frames, and is usually used where spanning tree cannot be used.
There is also a Storm control feature on SG300 switches, but it is more of a prevention mechanism. More here.
In other words, Small Business switches have resources and options to detect switching loops by blocking the switch ports where the storms are coming from.
One more thing: "Excessive broadcasts received on the port X" on HP does not always point to broadcast storms; it is usually caused by a network topology loop, but can also be due to a malfunctioning device, NIC, NIC driver, or software application.
Hope this helps.. -
3com and cisco switches (802.1q)vlan integration problem - broadcast storm?
Hi forum,
We are using 3com switches. The 3com switches implement open VLANs, which means that if an IEEE 802.1q packet is received at a port and the port is not a member of that VLAN, the switch does not perform VLAN filtering. If the address was previously learned, it will be forwarded correctly, but if it was not, it will be flooded to all ports within that VLAN.
My questions:
1) If another Cisco switch connected to the 3com switch is placed in the same VLAN, and the 3com switch receives an 802.1q packet from a rogue device, it will be flooded to all the ports (including the Cisco ports) within that VLAN; will it cause a broadcast storm?
2) How do I configure the Cisco switch to filter off unknown tagged packets on a port? By using VLAN pruning?
3) How do I block the broadcasts from the 3com switches? Using broadcast suppression?
4) Is there a way on the design side to effectively counter this problem?
Kind regards,
paul
It sounds like the setup of your 3com switch is not quite up to your requirements. If a port is declared as tagged, it's OK to receive tagged frames for VLANs that were not previously known on this port. However, if your policy requires that only specific VLANs are permitted on a given tagged port, then you need to add some extra commands on your 3com switch. Check with the documentation and possibly with your 3com support partner.
As for Cisco routers, tagged ports in Cisco-speak are trunks (this might be confusing for you, as 3com calls trunks what in the Cisco world is known as either Etherchannel or port aggregation). By default a trunk (tagged) port allows any VLAN. If your policy requires so, you can explicitly specify which VLANs are allowed on a given trunk (tagged) port. If a frame arrives with a tag that is not on the allowed list, the frame will be discarded. So you don't need any fancy broadcast suppression to block traffic from disallowed VLANs coming from your 3com switch to Cisco.
P.S.: Make sure that you don't mistake 'member of VLAN' with 'native VLAN'. Some parts of your message suggest that you do. -
Recently our entire 1000 node network was crippled by the repeated use of ARD to push software to multiple clients (one at a time was fine). In reading online it appears to me that ARD is designed to deliver UDP datagrams to the end stations by means of sending them as broadcast packets, meaning all ports on all switches are immediately flooded by traffic that is really only important to the 2 or more clients being pushed to. If this app is designed this way, what on earth is Apple thinking? Our host Mac is connected to a Gig port and the rate at which broadcasts were being sent was off the scale until the broadcast storm throttles on the switches kicked in, but by that time, and even at the throttled rate, the harm was widespread. Can someone explain to me why any app would use the process of a broadcast to deliver content? Is something misconfigured?
Thank you
I think you can reduce the impact of the storm on a switch by setting a maximum number on UDP broadcast packets. Unfortunately, with UDP packets there is no error correction, so packets that arrive after the maximum has been met are dropped, which will cause your Remote Desktop session to fail.
Another point to consider is that it does not matter what version your servers or clients are running as far as OS X. You can run the Remote Desktop Application from a workstation or server, as long as it meets the OS X requirements. The broadcast packets are spawned from the application, not the underlying OS.
So far, no word from Apple on this. We have been limping along, having to manually run our updates one computer at a time. We support about 100 Macs at our company, and have updates for various applications about once a month.
Maybe Santa is just late bringing me what I wished for? -
Will this cause a broadcast storm/loop?
I have 3 2960g switches that each have about 40 devices (PCs, printers, etc.) attached to them. Each of these 2960 switches has one port connected to a port on a "core" switch, which is a 3950g. The 3950 has 3 switches and all of our servers (12) connected to its ports. The network seems to be running alright; however most, if not all, of the port lights on ALL switches blink wildly (at least I consider it "wildly"). Am I doing this wrong? Is there a better way to connect all these switches?
Also, this configuration is for our first floor. The second floor has the exact same configuration, and the two 3950s (one upstairs, one downstairs) are connected via fiber.
Thanks for any help.
Hi Scott,
I think I like your comments and leolaohoo's reaction.
We don't know your Layer 3 setup, but broadcasts will stay in a broadcast domain. A broadcast will cause activity LEDs to flicker.
I would expect to see on a regular basis multicast and broadcast packets that make the activity lights flicker in unison. A bit daunting at the time, as your rack of switches flashed in unison like a christmas tree but as you said "the network seems to be running all right"
To ease your mind, you could look at a Wireshark capture and see if you can coordinate looking at an activity LED flash with the Wireshark capture, to see the types of packets that might be worrying you.
I just did a wireshark capture on my PC that you can see below. I captured only 20 packets. It was interesting that just about every packet is a broadcast packet that will cause all port LEDs in my layer 2 switch network to flicker. But I know my layer 2 network is just fine.
Never hurts to be cautious, and monitor switch MIB variables and wireshark capture to see what is really happening on your network.
One positive thing to do if you are feeling like you would like better monitoring on your network, and you reside in the USA or Canada is to look at the new onplus appliance with included service we are offering for our partner community.
check out the URL below and the cost of appliance p/n ON100-K9
http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps5734/ps11792/datasheet_c78-680690.html
regards Dave -
Since last night we migrated another application to CSS, giving us a bad headache now. Any ideas for our problem would be helpful, otherwise we have to fall back.
We have a VLAN with all kinds of hardware and 4 CSS in it: 2 times 2 couples working together, 2 of type 11150 and 2 of type 11501, each for a different system (nothing to do with each other). (In total we have 9 spread over other LANs.)
From sniffing this morning I found out:
A server in the network where the VIPs of the CSSs are went dead. Our routers still had the IP-MAC relation in their ARP cache and a monitoring platform kept sending messages/pings to the dead server. Since our switches no longer have the MAC address, the packet is sent to all possible interfaces of that VLAN, including the ones of our CSS. The first 2 old CSS are just ignoring the thing. The other 2 11503 are behaving dangerously. They accept the packets, find out that they belong the way they came from and send them back, causing the number of packets to accumulate over & over again till we have LAN overflow, the full 100Mb interfaces of the CSS are used, the application doesn't work anymore, users on the phone etc. Powering off the backup logically stops the storm.
This problem can happen again at random times, and didn't happen during 3 months of testing, but today I tried to power the backup up again, and the storms start over & over again. What did Murphy say again.
I powered the first 2 old ones down last night, but the problem still persists.
The only thing I can come up with is to narrow the incoming access-list, allowing only traffic between the 2 CSS & towards the VIPs on it. But I'm not sure if this will work, and I can't do that right now since I've got a couple of hundred sessions on the device causing a throughput of a continuous 3 to 4 Mbps.
Any ideas what the nature of the behaviour of those 2 CSS is? The other 2 in the same segment don't act this way.
2 good CSS of type 11150 version 6.10 build 201
2 bad CSS of type 11501 version 6.20 build 3
Upgrade is not really an option, since all other higher versions which I tried have problems with HTTP polling towards an ASP page.
Hans
I have seen a bridge loop caused by a CSS. The configuration was to have a CSS connected to two 6500 switches for redundancy. The CSS does not use the same spanning-tree multicast address as the 6500 switches. This should not be a problem because the multicast traffic should pass through the CSS and be received by the other 6500, which would then detect and block the port connected to the CSS, avoiding a L2 loop.
This seemed to work fine in the lab, but when it was put on a live network I would see what I believe is the following behavior: The CSS buffer was overwhelmed by the traffic on the subnet it was connected to. This would cause the spanning-tree traffic through the CSS to be dropped. This would lead to a major spanning-tree loop that would eventually take down the entire campus network.
If you are using two interfaces connected to the same vlan, this could be the case. If you check your root bridge on a switch it will be different from the one seen by the CSS. The CSS will see itself as the root.
The only reason I had two links in the same vlan was that I had two CSS in redundancy. One was a 11500 and the other a 11050. I wanted the 11500 to be used as the primary even if the primary switch failed. I eventually removed the second link and it ran fine after that. I would rather use the 11050 if the primary switch failed than to cause another L2 loop.
Hope this helps -
Actiontec producing Broadcast Storm?
About 5 days ago, around 1/28/11, I noticed my internet connection slow down to a crawl. After doing a Wireshark capture I noticed that the router was shooting out ARP requests, WAN MoCA renews for netmask and IPs, discovery protocols bouncing all over and other anomalies like the ones listed. Has anyone noticed their routers lighting up like a christmas tree for no good reason? I can't pin down why the router would all of a sudden want to do DNS, ARP and discoveries constantly. Any ideas?
Thanks!
Mike Sz.
The router always does that with STBs on the network. While it looks like a lot of traffic, if you look more closely, you'll see it's not really a lot of traffic. The protocols are chatty and you see lots of packets, but in the grand scheme of things it's all local traffic on the network and not all that much data -- certainly not impacting traffic to/from the internet.
If you don't agree, turn off and unplug all of the STBs in your house for a bit and watch how the traffic profile changes on the local network and how it most likely has no impact on internet traffic throughput.