Cisco and Juniper have both been leaders in storm control and prevention. In this blog we will look at some techniques to limit broadcast and multicast storms on an access switch.
First, what is a broadcast / multicast storm?
A storm is, simply put, a continuous stream of packets that overwhelms the LAN. A layer 2 switch floods both of these packet types ( broadcast | multicast ) to every port in the source VLAN, so a single host, or a group of hosts, can easily make the whole LAN suffer high latency or serious packet loss.
Storms are typically caused by any of the following:
- 1: bad network configurations or designs (e.g. a loop without spanning tree)
- 2: a bad NIC
- 3: bad applications
- 4: infected hosts ( viruses / worms )
Storms, in every sense, " are bad".
Since a layer 2 switch forwards every broadcast frame to ALL ports in the VLAN (except the one it arrived on), it's easy for one infected or misbehaving host to create havoc across the LAN.
Multicast packets are just as bad. IGMP snooping does NOT constrain packets sent to the well-known link-local groups in 224.0.0.0/24, such as all-hosts (224.0.0.1) or all-routers (224.0.0.2); the switch floods those to every port in the VLAN just like a broadcast, whether or not anyone has joined the group.
So how do we prevent these storms on a switchport?
Within our layer 2 switch we have the means to rate-limit, and drop, packets of a given type once they exceed thresholds we set per interface.
e.g ( a basic Cisco 2960 switchport configuration )
interface FastEthernet0/1
 switchport mode access
 logging event bundle-status
 load-interval 30
 ! rising threshold as a percentage of interface bandwidth; one value means rising = falling
 storm-control broadcast level 1.50
 storm-control multicast level 5.00
end
Here we set the thresholds for broadcast and multicast to 1.5% and 5% of the interface bandwidth respectively. When a traffic type exceeds its level during the one-second sampling interval, the switch drops the excess of that type until the rate falls back below the (falling) threshold.
To test storm control, we can use a Unix ping flood with the destination set to the broadcast address of the LAN, or the all-hosts multicast address for a multicast flood.
e.g ( sample of a broadcast flood and an mcast flood from macOS; -f and sub-second intervals require root )
# broadcast flood: 10.99.2.255 is the directed broadcast address of the test subnet
sudo ping -f 10.99.2.255
# multicast flood: ~1470-byte payloads, 100 packets per second, to the all-hosts group
sudo ping -s 1470 -i .01 224.0.0.1
When a threshold has been exceeded you will receive a log message ( %STORM_CONTROL-3-FILTERED ) naming the culprit port, and by issuing the show storm-control [interface] CLI command you can review the current filter state and the configured and current levels.
e.g ( typical log messages and show storm-control outputs )
To quickly contain problems such as storms, you can set the action with storm-control action shutdown and/or storm-control action trap under the interface. With shutdown the port goes err-disabled, so also configure errdisable recovery cause storm-control unless you want to clear it by hand; with trap the switch sends an SNMP trap and keeps dropping the excess. Either way you can quickly find culprits that violate your thresholds and take the required remediation actions.
Now, for your settings and what's right for your LAN: " Nobody can determine this but you".
My general rule has always been to not allow more than 2% of the interface speed to be broadcast traffic or multicast traffic.
(eg)
100mbps = 2mbps
1000mbps = 20mbps
This is a good initial setting and can be used with little risk of hampering legitimate traffic. One caveat: multicast storm control on these switches does not distinguish routing protocol multicast (OSPF hellos, VRRP/HSRP) from data multicast, so a port facing a router or another switch needs a higher multicast level, or none at all, so a storm elsewhere does not drop your adjacencies. As you manage your LAN and hosts, you can adjust these values to fit your setup. So to apply these settings for an FE interface you could do something along this nature
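As an added example, not the original post's configuration, here is how the 2% rule and the shutdown/trap actions discussed above could be applied on a Catalyst 2960: the percentage form on a Fast Ethernet access port, and the bps form on a Gigabit access port where 2% = 20 Mbps. The interface names, descriptions, the 10 Mbps falling threshold and the 5-minute err-disable recovery interval are assumptions for the example.

```cisco
! global: let a port shut by storm control recover on its own after 5 minutes,
! and send an SNMP trap when the action fires (assumed trap-rate of 1 per minute)
errdisable recovery cause storm-control
errdisable recovery interval 300
snmp-server enable traps storm-control trap-rate 1
!
! 100 Mbps access port: 2% of bandwidth as a percentage; rising 2%, falling 1%
interface FastEthernet0/1
 description user access port (assumed)
 switchport mode access
 storm-control broadcast level 2.00 1.00
 storm-control multicast level 2.00 1.00
 storm-control action trap
 storm-control action shutdown
!
! 1 Gbps access port: the same 2% rule expressed in bps (20m rising, 10m falling)
interface GigabitEthernet0/1
 description server access port (assumed)
 switchport mode access
 storm-control broadcast level bps 20m 10m
 storm-control multicast level bps 20m 10m
 storm-control action trap
 storm-control action shutdown
!
! uplink to the core: no multicast storm control, so OSPF/HSRP multicast is never filtered
interface GigabitEthernet0/24
 description uplink to core (assumed)
 switchport mode trunk
 storm-control broadcast level bps 20m 10m
 storm-control action trap
end
!
! verification after a test flood
show storm-control FastEthernet0/1 broadcast
show storm-control GigabitEthernet0/1 multicast
show interfaces status err-disabled
```

Configuring both actions on the same port is allowed: the trap tells your NMS which port tripped while the shutdown contains the storm. The falling threshold below the rising one keeps the port from flapping between forwarding and filtering when the offending host hovers right at the limit.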
Ken Felix
Freelance Network / Security Engineer
kfelix ----a---t---socpuppets ---d---o---t---com
^ ^
=( ^ ^ )=
o
/ \