Tuesday, February 18, 2014

Weather the storm , with storm control for broadcast & multicast traffic

Cisco & Juniper both have been the leaders with  storm control and prevention. In this blog we will look at some techniques to  prevent storms for both broadcast & multicast.

1st what is a broadcast /multicast storm?

A storm is simply put a continuous transmittal of packets, that overwhelms  the LAN. So with these two packet  types ( broadcast | multicast ) , a layer2 switch floods these packet types within  the source vlan. So a single hosts or a group  of hosts, could easily make a LAN suffer  by causing high  latency or serious packet lost.

Stroms are  typical cause by any of the following;
  • 1: bad network configurations or designs
  • 2: bad nic
  • 3: bad applications
  • 4: infected hosts ( virus / worms  )

Storms in all senses; " are bad".

Since a Layer2 switch forwards are broadcast packets to ALL ports, it's easy for one  infected or mis behavin host(s) to create havoc across the LAN.

Multicast a packets are just as bad & igmp snooping does NOT filter on packets to the common well-known mcast groups such as  all-host or all-routers


So how do we prevent these storms on a switchport?

With in our layer2 switch we have the means to reduce or drop packets that exceeds our set thresholds.

e.g ( a basic cisco 2960 switchport  configuration )

interface FastEthernet0/1
 switchport mode access
 logging event bundle-status
 load-interval 30
 storm-control broadcast level 1.50
 storm-control multicast level 5.00

Here we set the  thresholds for broadcast and multicast to be 1.5 and 5 respectively.

To test the storm control, we can use a unix ping floods, with  the destination being the broadcast address for the LAN.

e.g ( sample of a broadcast flood and mcast flood MACOSX )

ping -f
ping -s 1470 -i .01

When the thresholds has been exceed, you will received a log  message along with culprit port and by issuance of the show storm <interface> cli command you can  review thew current  status and levels.

e.g  ( typical log messages and show storm outputs )

To quickly contain  problems such as storms, you can selection the action interface for either shutdown or traps. This allows you to quickly find culprits that violate  your thresholds & take the required remediation actions.

Now for your settings,  and what's right for your LAN; " Nobody can determine this, but you".

But my general rules has always been to not allow more than 2% of the interface speed to be broadcast traffic  or multicasts traffic.


 100mbps =  2mbps
 1000mbps = 20mbps

This is a good initial setting, and can be use with little risk of hampering legit traffic. As you management your lan and hosts, you can make adjustments to fix your setup. So to apply these settings  for a FE interface you could do something along this nature

Ken Felix
Freelance Network / Security Engineer
kfelix  ----a---t---socpuppets ---d---o---t---com

     ^      ^
=(   ^   ^  )=
       /     \

No comments:

Post a Comment