I. Causes

A broadcast storm occurs when so many broadcast packets are on the network that they consume most of its bandwidth and normal data packets can no longer be transmitted. Typically a broadcast packet triggers multiple responses, and each of those responses triggers multiple responses in turn. The traffic grows like a snowball until all the bandwidth of the network is exhausted. This is usually caused by network loops, faulty NICs, viruses, and so on.

II. Prevention (using a Cisco Catalyst switch as an example)

1. First, use your network management tools to establish a baseline for the network, so that you know what proportion of traffic is broadcast under normal conditions.

2. Most switches now support a broadcast storm suppression feature. Once it is configured, broadcast packets on each port are held to a specified proportion, so that bandwidth stays reserved for the applications that need it.

   Configuration (Cisco Catalyst switch):

       interface xx
        storm-control broadcast level 20.00

       Switch# show storm-control
       Interface  Filter State   Level    Current
       ---------  -------------  -------  -------
       Fa1/0/1    Forwarding     20.00%   0.00%

3. For network loops that the default STP configuration cannot eliminate, use the bpduguard feature of STP to prevent broadcast storms. The loop in question looks like this:

       Switch ------ Hub (porta --- portb)

   STP is enabled on the switch, and two ports of the hub are connected to each other with a network cable, intentionally or unintentionally, which creates a loop. The switch port does not receive BPDUs from other switches or from other ports of the same switch, so the STP decision process is not triggered for that port and the port cannot be blocked. The result is a broadcast storm. The bpduguard feature of Cisco STP prevents this:

       interface xxx
        spanning-tree bpduguard enable

   Note: bpduguard can be configured globally or per port. If it is configured globally, it only takes effect on ports that have portfast configured. If it is configured on the port itself, portfast does not need to be configured.

III. Troubleshooting (using a Cisco Catalyst switch as an example)

If a broadcast storm has already occurred in the network (which usually shows up as packet loss, slow response, or intermittent disconnection), you can troubleshoot it as follows:

1. First, on the core switch, check whether the network problem is caused by a broadcast storm or other abnormal traffic.

       Switch> show processes cpu | exclude 0.00
       CPU utilization for five seconds: 19%/0%; one minute: 19%; five minutes: 19%
       PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
       15 20170516 76615501 263 0.31% 0.13% 0.12% 0 ARP Input
       26 7383266801839439482 401 5.03% 4.70% 5.08% 0 Cat4k Mgmt HiPri
       27 8870781921122570949 790 5.67% 7.50% 6.81% 0 Cat4k Mgmt LoPri
       43 730060152 341404109 2138 6.15% 5.29% 0 Spanning Tree
       50 59141788 401057972 147 0.47% 0.37% 0 IP Input
       56 2832760 3795155 746 0.07% 0.03% 0.01% 0 Adj Manager
       58 4525900 28130423 160 0.31% 0.25% 0.18% 0 CEF process
       96 20789148 344043382 60 0.23% 0.09% 0 Standby (HSRP)

   If the CPU usage of the switch is high and most of it is consumed by the "IP Input" process, you can be fairly sure that there is a large volume of traffic in the network.

2. Find which switch port the abnormal traffic is coming from:

       Switch# show interfaces | include protocol|rate|broadcasts
       FastEthernet1/0/41 is up, line protocol is up (connected)
       Queueing strategy: fifo
       5 minute input rate 0 bits/sec, 0 packets/sec
       5 minute output rate 2000 bits/sec, 3 packets/sec
       Received 241676 broadcasts (0 multicast)

   If a port has a very high input rate and has received many broadcast packets, you have essentially found the source. If that port connects to another manageable switch, repeat this process on that switch until you reach a port connected to a PC or hub.

3. Shut down that port:

       interface xx
        shutdown

4. Find the root cause of the abnormal traffic. If it is a hub loop, remove the loop; if it is a virus, run anti-virus; if it is a faulty NIC, replace the NIC. This step is not covered in detail here.

5. Check whether CEF is enabled on the switch. If it is not, enable it to speed up traffic forwarding.

       Switch> show ip cef

   To configure CEF, enter the following in global configuration mode:

       ip cef
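
The two prevention settings from section II can be checked across a whole saved configuration, including the rule that a global bpduguard setting only covers ports with portfast. This Python sketch is an added example and not part of the original article; the sample configuration is constructed, and the script assumes the global form is written as the IOS command `spanning-tree portfast bpduguard default` and that edge ports are marked with `switchport mode access`.

```python
# Constructed sample of a saved Catalyst configuration (not from the article).
SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
!
interface FastEthernet1/0/1
 switchport mode access
 spanning-tree portfast
 storm-control broadcast level 20.00
!
interface FastEthernet1/0/2
 switchport mode access
 storm-control broadcast level 20.00
!
interface FastEthernet1/0/3
 switchport mode access
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/49
 switchport mode trunk
"""

def audit(config):
    """Return {interface: [missing protections]} for access ports."""
    global_guard, ports, current = False, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):      # a top-level line closes any interface block
            current = None
            global_guard |= line == "spanning-tree portfast bpduguard default"
            if line.startswith("interface "):
                current = ports.setdefault(line.split()[1], [])
        elif current is not None:
            current.append(line)
    findings = {}
    for name, lines in ports.items():
        if "switchport mode access" not in lines:
            continue                     # trunks and uplinks are out of scope here
        missing = []
        if not any(l.startswith("storm-control broadcast level") for l in lines):
            missing.append("storm-control")
        guarded = "spanning-tree bpduguard enable" in lines or (
            global_guard and "spanning-tree portfast" in lines)  # global form needs portfast
        if not guarded:
            missing.append("bpduguard")
        if missing:
            findings[name] = missing
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

In the sample, Fa1/0/2 is reported even though bpduguard is set globally, because the port has no portfast; Fa1/0/3 is guarded per port but has no storm-control level.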