Broadcast storms

Similar Messages

• Broadcast storms applicable on layer 3 switches?

  Dear all,
  Me and my collegue were wondering about the following on a cisco 3750 x layer 3 switch.
  Lets assume we configure the 3750 without vlans so we create several networks on the 3750. For example fa 0/1 has as network 10.10.10.0/24 with 10.10.10.1 as it being the default gateway. Fa 0/2 has as network 10.10.11.0/24 with 10.10.11.1 as it being the default gateway.
  The question is if a broadcast storm rages on network 10.10.10.0/24, would 10.10.10.0/24 only be affected by the broadcast storm or will network 10.10.11.0/24 also be affected due the broadcast?
  If we assume the same settings but we would utilize vlans then anetwork is definitely not being affected by a broadcast storm happening on an other network right?
  Thanks in advance for your help.
  kind regards

  Hi,
  When you configure an L3 port on your 3750
  int f0/1
  no switchport
  ip add 10.10.10.1 255.255.255.0
  no shut
  int f0/2
  no switchport
  ip add 10.10.11.1 255.255.255.0
  no shut
  The key is NO SWITCHPORT
  This takes the port out of L2 configuration therefore
  it does not belong to any VLAN and does not operate like an L2 port
  with regards to broadcast etc.
  Have a look at this link from a 3750 config guide
  http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_55_se/configuration/guide/scg3750/swint.html#wpmkr2208885
  Hope this helps
  Regards
  Alex

• Intel i217-LM NIC Causes Broadcast storm and High CPU

  Wanted to post this here to help others that may be experiencing issues with broadcasts.   
  If you have PC's with the Intel i217-LM NIC if you don't have the latest driver from Intel the NIC will cause an IPV6 broadcast storm when the computer goes into sleep/hibernate.  You have to have at least two PC's on your network in sleep/hibernate mode.  It causes the same affect as a network loop.  In my network it would cause the MDF CPU to go to 100% and basically shut the network down.  
  We have Lenovo M93 desktops that have this NIC and I know that there are other PC's that have his same NIC and experience the same problem.
  When the broadcast storm is happening you can issue the command 
  show interfaces | include is up|line|broadcast on your MDF switch to find which interfaces have high broadcasts.  You may have to trace it through your uplinks to your IDF's.  You can then shut those interfaces to stop the broadcast storm.
  Your long term solution will be to get the latest NIC driver from Intel and update your PC's.

  It's connected IPV4 but because of the faulty NIC driver it starts broadcasting IPV6 when in sleep/hibernate mode.
  https://supportforums.cisco.com/discussion/12291431/ipv6-broadcast-storm-caused-hp-eliteone-800-intel-i217-lm-nic-how-find-hosts
  https://forums.lenovo.com/t5/A-M-and-Edge-Series-ThinkCentre/M83-and-M93p-ipv6-storms-intel-i217-LM-NIC/td-p/1600686

• I get a network broadcast storm with Yosemite

  I had poor internet speed and loss of packets.
  BT and AAISP could not fault the external line.
  It emerged the problem happens only when I use both  wifi and wired ethernet (or indeed wifi only) on my Yosemite Macbook Pro.
  AAISP said it was likely a 'broadcast storm'.
  This problem has not happened, or was not significant,  with previous OS X.
  I am using WPA/WPA2 Personal to a Technicolor TG582N router.

  Disable all Firewalls & Anti-Virus software...try again.

• FWSM with contexts - Broadcast storm impact CPU

  Hi,
  we have a FWSM (4.1(5)) configured with several contexts.
  Last day we had a broadcast storm in one VLAN connected to one FWSM context and all contexts were impacted with loss of service.
  We could check that CPU in impacted context went to 50 - 60 % but in fact service allocated in other contexts were impacted.
  We have Resource Class implemented, but there is nothing about CPU usage (only connections, xlates, .... ).
  Any idea about how to protect contexts against a broadcast storm or high CPU usage in one context ?
  Thanks a lot
  Felipe

  Hi Felipe,
  Unfortunately, the FWSM's CPU is not virtualized across contexts like the conn tables, xlate tables, etc are. High CPU caused by traffic in one context will indeed affect traffic on other contexts on the same physical firewall, which is a limitation of the architecture.
  -Mike

• VPLS level Broadcast storm

  If we have broadcast storm in the VPLS
  will it be CPU processed,I mean to say like in a normal L2 switch scenario
  whenever there is a brodcast storm the cpu of L2 switch will go high but in the
  case of VPLS lets say in 7600 will the cpu also spike.

  The SUP of the 7600 has two CPU. Basically one for the L3 activities (RP CPU) and one for L2 activities (SP CPU).
  Without L3 interface, broadcast are not punted and flooded in hardware. There are special cases where some specific broadcast packets may be punted to the SP CPU (we are only L2 here) like if it's an IGMP packets and IGMP snooping is enabled.
  So a storm of such packets could overload the CPU.
  HTH
  Laurent.

• Loop - broadcast storm in network

  Good day to you all, i'm with some problem and i can't seem to find the right solution.
  at our company we have arround 300 2960 switches, also in some areas of the factory they are using 3com hubs or other hub devices.
  i am trying to take them all out, but the factory is to big and there are more then 100 on places i dont know.
  My problem is that many times we have a broadcast storm or loop in the network.
  users just put in 2 cables in a hub, or the cisco phone both cables in the hub.
  the hub is connected to a 2960 switch.
  My port configuration is:
  interface FastEthernet0/3
  switchport access vlan 27
  switchport mode access
  switchport voice vlan 244
  spanning-tree portfast
  spanning-tree bpduguard enable
  end
  the STP settings global are:
  spanning-tree mode pvst
  spanning-tree loopguard default
  spanning-tree portfast bpduguard default
  no spanning-tree optimize bpdu transmission
  spanning-tree extend system-id
  in my opinion the port that have the 3com connected should go in to err-disable when a loop is created because it receive BPDU packets.
  unfortuinatly this does not happens and my whole network goes down.
  the logging in the switch only indentify that there is mac flapping.
  Mar  1 07:28:02: %SW_MATM-4-MACFLAP_NOTIF: Host 0026.18d6.e3d6 in vlan 27 is flapping between port Fa0/2 and port Gi0/1
  Mar  1 07:28:18: %SW_MATM-4-MACFLAP_NOTIF: Host e05f.b9e5.acba in vlan 27 is flapping between port Fa0/45 and port Gi0/1
  Mar  1 07:28:38: %SW_MATM-4-MACFLAP_NOTIF: Host e05f.b9e5.acba in vlan 27 is flapping between port Fa0/45 and port Gi0/1
  Mar  1 07:28:42: %SW_MATM-4-MACFLAP_NOTIF: Host 0026.18d6.e3d6 in vlan 27 is flapping between port Fa0/2 and port Gi0/1
  Mar  1 07:28:50: %SW_MATM-4-MACFLAP_NOTIF: Host 0026.18d6.e3d6 in vlan 27 is flapping between port Fa0/2 and port Gi0/1
  Mar  1 07:28:50: %SW_MATM-4-MACFLAP_NOTIF: Host e05f.b9e5.acba in vlan 27 is flapping between port Fa0/45 and port Gi0/1
  Mar  1 07:29:03: %SW_MATM-4-MACFLAP_NOTIF: Host 0026.18d6.e3d6 in vlan 27 is flapping between port Fa0/2 and port Gi0/1
  Mar  1 07:29:06: %SW_MATM-4-MACFLAP_NOTIF: Host e05f.b9e5.acba in vlan 27 is flapping between port Fa0/45 and port Gi0/1
  Mar  1 07:29:16: %SW_MATM-4-MACFLAP_NOTIF: Host 0026.18d6.e3d6 in vlan 27 is flapping between port Fa0/2 and port Gi0/1
  Mar  1 07:29:18: %SW_MATM-4-MACFLAP_NOTIF: Host e05f.b9e5.acba in vlan 27 is flapping between port Fa0/45 and port Gi0/1
  Does someone have an idea to prefent this from happening ??
  Thanks a lot!

  Hello
  My question is should i only set on the interface "storm-control broadcast level ??"
  or do i also need to set multicast and unicast ? - All depends on what traffic you have traversing your links you need to be sure you dont set the levels to low has to prohibit legitimate IGP/broadcast/mulitcast/unicast traffic this includes any bespoke application traffic that utilzies any of the above
  and why is the 3 to 5 %, so it will drop the storm when reach 95 % on interface ? - 5% of an 100mb link would be reached at 5 mb utilization of whatever traffic you define, the higher rate the less effective stom controll is.
  To protect against layer 1 devices such are hubs and say access ports with attached switches(managed/unmanaged) you can also apply port-security running along side your current stp bpduguard.
  switchport nonegotiate ( disables DTP)
  switchport port-security ( enables port security)
  switchport port-security aging type inactivity ( ageing of mac- address)
  switchport port-security aging time xx  ( mins the mac address will age out)
  Switchport port-security violation restrict| shutdown ( violation action of port-security)
  Switchport port-security max xx ( number of mac- address allowed on port)
  res
  Paul
  Please don't forget to rate any posts that have been helpful.
  Thanks.

• Broadcast Storm Control

  Hi everybody,
  I’m suspected about broadcast storm control feature on switch. Could anyone please advice me?
  1. When the broadcast storm control is triggered, can normal data packets (not broadcast packets) pass the switch?
  2. If the network looping is occurred at unmanaged switch that doesn’t support spanning tree protocol and it connects to the managed switch that broadcast storm control is turned on, does it help this issue?
  Managed switch
  |
  |
  Unmanaged switch
  ||
  \/<--- network looping
  Thanks for advance,
  Nitass

  1. Unicast packets and multicast packets are not affected when u enable broadcast storm control. Multicast packets will be affected only if you enable multicast storm control on the switchport.
  2. I have no experience in a setup such as this but the behavior of the storm-control broadcast level command suggests that the switch port will drop all broadcasts headed through the port (in both directions) for a specified period of time.
  This however, still does not stop the source of the broadcast (i.e. the multiple links running to the un managed switch) so I would presume that the broadcasts might die down for a small period of time but they will resurface as the unmanaged switch would continue generating broadcast packets.
  Thus the port on the managed switch would come back to normal state, only to go back into broadcast storm control state and stop all broadcasts all over again.
  HTH
  Please rate posts that help.
  Regards
  Arvind

• Broadcast Storm Control - Mac-address flooding

  Hi Friends,
  We would like to configure broadcast storm control in our LAN to detect/avoid mac-address flooding. What is the best way and Can I know how to decide the raising threshold & falling threshold values ?.. Please suggest.
  Regards,
  S.Tamilvanan

  Hello,
  the best way is to monitor your network fir 5-6 days in order to find out the normal pattern of broadcast traffic. Then based on results form this monitoring process you can set the thresholds of broadcast traffic.

• Broadcast Storm

  We host an annual LAN gaming event with about 3500 BYOC spots.  Last year we suffered a massive broadcast storm.  So this year we made each row its own subnet to prevent broadcasts from affecting the rest of the LAN.  This had an unintended side effect.  Many people hosting games on their systems were unable to announce their presence to the whole LAN, just their subnet.  It angered quite a few gamers.  What are some options to prevent broadcasts storms but still allow genuine game broadcasts?

  BPDU guard is often used to prevent end systems from introducing switches or hubs that could potenatilly casue a loop (and broadcast storm). Reference.

• 3com and cisco switches (802.1q)vlan integration problem - broadcast storm?

  Hi forum,
  we are using 3com switches, the 3com switches implement open vlans, which mean if an ieee 802.1q packet is received at a port and the port is not a member of that vlan, the switch does not perform vlan filtering. if the address is previously learned, it will be forwarded correctly, but if it is not, it will be flooded to all ports within that VLAN.
  my questions:
  1) if another cisco switch connected with the 3com switch are placed in the same vlan, and the 3com switch received a 802.1q packet from a rogue device, it will be flooded to all the ports(including the cisco ports) within that VLANs, will it cause a broadcast storm?
  2) how do i configure the cisco switch to filter off unknown tagged packet on a port? by using vlan prunning?
  3) how do i blocked the broadcast from the 3com switches? using broadcast suppression?
  4) is there a way on the design side to effectly counter this problem?
  Kind regards,
  paul

  It sounds like setup of your 3com switch is not quite up to your requirements. If a port is declared as tagged, it's ok to receive tagged frames for VLAN's that were not previously known on this port. However if your policy requires that only specific VLAN's are permitted on given tagged port, then you need to add some extra command on your 3com switch. Check with documentation and possibly with your 3com support partner.
  As for cisco routers, tagged ports in Cisco-speach are trunks (this might be confusing for you as 3com calls trunks what in Cisco world is known as either Etherchannel or port aggregation). By default a trunk (tagged) port allows any VLAN. If your policy requires so, you can explicitly specify which VLAN's are allowed on given trunk (tagged) port. If a frame arrives with a tag that is not on the allowed list, the frame will be discarded. So you don't need any fancy broadcast supression to block traffic from disallowed vlans coming from your 3com switch to cisco.
  P.S.: Make sure that you don't mistake 'member of VLAN' with 'native VLAN'. Some parts of your message suggest that you do.

• ARD broadcast storms?

  Recently our entire 1000 node network was crippled by the repeated use of the ARD to push software to multiple clients (one at a time was fine) In reading online it appears to me that ARD is designed to deliver UDP datagrams to the endstations by means on sending them as Broadcast packets meaning all ports on all switches are immediately flooded by the traffic that is really only important to the 2 or more clients being pushed to. If this app is designed this way, what on earth is Apple thinking? Our host Mac is connected to a Gig port and the rate at which broadcasts were being sent was off the scale until the broadcast storm throttles on the switches kicked in but by that time, and even at the throttled rate, the harm was widespread. Can someone explain to me why any app would use the process of a broadcast to deliver content? Is something misconfigured?
  Thank you

  I think you can reduce the impact of the storm on a switch by setting a maximum number on UDP broadcast packets. Unfortunately, with UDP packets there is no error correction, so packets that arrive after the maximum has been met are dropped, which will cause your Remote Desktop session to fail.
  Another point to consider is that it does not matter what version your servers or clients are running as far as OS X. You can run the Remote Desktop Application from a workstation or server, as long as it meets the OS X requirements. The broadcast packets are spawned from the application, not the underlying OS.
  So far, no word from Apple on this. We have been limping along, having to manually run our updates one computer at a time. We support about 100 Macs at our company, and have updates for various applications about once a month.
  Maybe Santa is just late bringing me what I wished for?

• Will this cause a broadcast storm/loop?

  I have 3 2960g switches that each have about 40 devices (pc's, printers, etc..) attached to them.  Each of these 2960 switches has one port connected to a port on a  "core" switch, which is a 3950g.  The 3950 has 3 switches and all of our servers (12) conected to it's ports.  The network seems to be running alright, however most, if not all, of the port lights on ALL switches blink wildly(at least I consider it "wildly").  Am I doing this wrong?  Is there a better way to connect all these switches?
  Also, this configuration is for our first floor.  The second floor has the exact same configuration, and the two 3950's (one upstairs, one downstairs) arec connected via fiber.
  Thanks for any help.

  Hi Scott,
  I think I like yours comments and  leolaohoo reaction .
  We don't know your Layer 3 setup, but broadcasts will stay in a broadcast domain. A broadcast will cause activity LEDs to flicker. 
  I would expect to see on a regular basis multicast and broadcast  packets that make the activity lights flicker in unison.  A bit daunting at the time, as your rack of switches flashed in unison like a christmas tree but as you said "the network seems to be running all right"
  To ease your mind, you could look at a wireshark capture  and see if you can coordinate looking at a activity LED flash  and the wireshark capture to see the types of packets that might be worrying you.
  I just did a wireshark capture  on my PC that you can see below.  I captured only  20 packets.  It was interesting that  just about every packet is a broadcast packet that will cause all port LEDs  in my layer 2 switch network to flicker.  But I know my layer 2 network is just fine.
  Never hurts to be cautious, and monitor switch MIB variables and wireshark capture to see what is really happening on your network.
  One positive thing to do if you are feeling like you would like better monitoring on your network,  and you reside in the USA or Canada  is to look at the new onplus appliance with included service   we are offering  for our partner community.
  check out the URL below and  the cost of appliance p/n  ON100-K9
  http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps5734/ps11792/datasheet_c78-680690.html
  regards Dave

• Broadcast storm caused by css

  Since last night we migrated another application to css, giving us bad headace now. Any ideas for our problem would be helpfull otherwise we have to fallback.
  We have a vlan with all kinds of hardware and 4 css in it. 2 times 2 couples working together. 2 of type 11150 and 2 of type 11501 each for a different system (nothing to do with eachother). (In total we have 9 spread over other lans)
  From sniffing this morning I found out:
  A server in the network where the vip of css's are went dead. Our routers still had the ip-mac relation in its arp cache and a monitoring platform kept sending messages/pings to the dead server. Since our switches haven't allocated the mac address any more, the packet is sent to all possible interfaces of that vlan including the ones of our css. The first 2 old css are just ignoring the thing. The other 2 11503 are behaving dangerously. They accept the packets find out that they belong the way they came from and send them back. Causing to accumulate the number of packets over & over again till we have lan overflow, the full 100Mb interfaces of the css are used, application doesn't work anymore, users on the phone etc. Powering one off the backup, logically stops the storm.
  This problem can happen again at random times, and didn't happen during 3 months of testing, but today I tried to power the backup up again, but the storms start over & over again. What did Murphy say again.
  I powered the first 2 old one down last night, but the problem still persists.
  The only thing I can come up with is to narrow the incoming access-list allowing only traffic between the 2 css & towards the vips on it. But I'm not sure if this will work, and I can't do that right now since I've got a couple of 100's of session on the device cause a throughput of continiuos 3 à 4 Mbps.
  Any ideas what the nature of the behaviour of those 2 css is, the other 2 in the same segment don't act this way.
  2 good css of type 11150 version 6.10 build 201
  2 bad css of type 11501 version 6.20 build 3
  Upgrade is not such an option sinc all other version higher which I tried have problems with http polling towards an asp page.
  Hans

  I have seen a bridge loop caused by a CSS. The configuration was to have a CSS connected to two 6500 switches for redundancy. The CSS does not use the same spanning-tree multicast address as the 6500 switches. This should not be a problem because the multicast traffic should pass through the CSS and be received by the other 6500 which would then detect and block the port connected to the CSS avoiding a L2 loop.
  This seemed to work fine in the lab, but when it was put on a live network I would see what I believe is the following behavior: The CSS buffer was overwhelmed by the traffic on the subnet it was connected to. This would cause the spanning-tree traffic through the CSS to be dropped. This would lead to a major spanning-tree loop that would eventually take down the entire campus network.
  If you are using two interfaces connected to the same vlan, this could be the case. If you check your root bridge on a switch it will be different from the one seen by the CSS. The CSS will see itself as the root.
  The only reason I had two links in the same vlan was that I had two CSS in redundancy. One was a 11500 and the other a 11050. I wanted the 11500 to be used as the primary even if the primary switch failed. I eventually removed the second link and it ran fine after that. I would rather use the 11050 if the primary switch failed than to cause another L2 loop.
  Hope this helps

• Actiontec producing Broadcast Storm?

  About 5 days ago, around 1/28/11 I noticed my internet connection slow down to a crawl.  After doing a wireshark capture I noticed taht the router was shooting out ARP requests, WAN MoCA renews for netmask and IP's, discovery protocols bouncing all over and other anomolies like the ones listed.  Has anyone noticed their Routers lighting up like a christmas tree for no good reason?????  I can't pin down why the router would all of a sudden want to do DNS, ARP and discoveries constantly.  Any ideas??
  Thanks!!
  Mike Sz.....

  The router always does that with STB's on the network.   While it looks like a lot of traffic, if you look more closely, you'll see it's not really a lot of traffic.   The protocols are chatty and you see lots of packets, but in the grand scheme of things it's all local traffic on the network and not all that much data -- certainly not impacting on traffic to/from the internet.
  If you don't agree, turn off and unplug all of the STB's in your house for a bit and watch how the traffic profile changes on the local network and how it most likely has no impact on internet traffic thruput.