mediter1

@malinche.inaoep.mx

which storm control broadcast level to configure

Hi everyone

I want to control the broadcast packets on the switch catalyst 4948

I had to configure the interfaces with:

interface fastethernet 1/1
storm-control broadcast level 10
storm-control action shutdown


but I have two questions:

How can I estimate or calculate the best value for the level?
What does the value of the level represent?

Many thanks



rolande
Certifiable
Premium,Mod
join:2002-05-24
Dallas, TX
kudos:5
Reviews:
·AT&T U-Verse
·ViaTalk

The number limits the total percentage of that traffic type on the interface. So, storm-control broadcast level 10 limits that interface to only transmit at most 10% of its interface bandwidth worth of broadcast packets. 10% is a good normal number. However if you are running any broadcast applications it could cause problems. It is also dangerous to set the port to automatically go into shutdown. Now as a bad guy, all I need to do is send a flood of broadcast traffic at that interface that hits the 10% threshold and I can shutdown the switchport and easily DoS the switch.
--
Ignorance is temporary...stupidity lasts forever!

»www.thewaystation.com/
»blog.thewaystation.com/



packetpusher
Premium
join:2005-03-22
Oakville, ON
reply to mediter1

We use 7% broadcast and 10% multicast, however we are very accommodating, and if we have customers who constantly go err-disable due to normal traffic we raise the value slowly. On Rolande's point, we do the same thing you are using, action shutdown, but we have a NOC that monitors the shutdowns and reacts quickly. The real question is how much downtime as the result of a false positive can you tolerate?
--
Luminaire
My Blog
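The level and action semantics discussed in the two replies above, as an added Cisco IOS configuration example; this is not configuration posted by anyone in the thread. It assumes a Catalyst switch running IOS with the interface FastEthernet1/1 from the original post, a release that supports a falling threshold and multicast storm control, and uses illustrative 10%/5% rising/falling values.

```cisco
! Added example (not from the thread): storm-control with a rising and a
! falling threshold, trap instead of shutdown, and automatic recovery.
! Assumptions: Catalyst IOS, interface FastEthernet1/1 as in the original post.
!
! Global: if you do keep 'storm-control action shutdown', let the port recover
! on its own so a single flood (or a false positive) is not a permanent outage.
errdisable recovery cause storm-control
errdisable recovery interval 300
!
interface FastEthernet1/1
 ! level <rising> <falling>: suppression starts when broadcast traffic exceeds
 ! 10% of the interface bandwidth over the platform's measurement interval and
 ! stops once it drops below 5%, which avoids flapping right at the threshold.
 storm-control broadcast level 10.00 5.00
 ! Separate threshold for multicast (only on releases that support it).
 storm-control multicast level 10.00 5.00
 ! trap: excess traffic is dropped and an SNMP trap / syslog message is sent,
 ! but the port stays up, so a flood alone cannot take the port down.
 storm-control action trap
!
! Verification: configured levels, current level and suppression state.
! show storm-control FastEthernet1/1 broadcast
! show storm-control FastEthernet1/1 multicast
```

The choice between `action trap` and `action shutdown` is the trade-off packetpusher describes: trap keeps the port up and relies on someone watching the traps, shutdown removes the offending port but turns every threshold crossing into an outage that a NOC (or the recovery timer above) has to clear.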



mediter1

@malinche.inaoep.mx
reply to mediter1

Hi Rolande and Luminaire!

Thanks for the reply.

I am interested in the level number for storm-control broadcast because I have a problem. I believe that I have a layer 2 (OSI) broadcast storm that is produced by a loop on another switch (a 3Com OfficeConnect switch), so this loop reduces the network performance (I can't access the routers or switches).

Any other ideas to solve the problem? Or is storm-control broadcast level 10 a good idea? I prefer to manually re-enable the port that reduces the network performance.

Thanks



rolande
Certifiable
Premium,Mod
join:2002-05-24
Dallas, TX
kudos:5


Storm control is only a band aid or safety net if you are experiencing Spanning Tree loops in your network. You need to identify where the loop is being introduced into the bridging domain and eliminate it.

Proper L2 spanning tree design is a must. You should be using the spanning-tree mst feature on your switches if they all support RSTP. This provides for fast STP reconvergence as it is not timer based. You should have the priority set appropriately on the core switch in the bridging domain to force it to be the root bridge. You should have Root Guard and UDLD on all your root ports (the ports that connect to downstream switches) and Loop Guard and UDLD on all of the alternate or backup ports to other switches. (redundant connections) You should have BPDU filtering enabled on all other ports that should not be connected to any other switch or bridge type devices.

I recommend that you do some reading on proper L2 design and spanning tree deployment. This is a very large topic. The Cisco LAN Switching book is one of the largest in the Cisco Press library. I don't have any good tutorial links off hand or I'd share.
--
Ignorance is temporary...stupidity lasts forever!

»www.thewaystation.com/
»blog.thewaystation.com/


mediter

join:2006-03-02
mexico
reply to mediter1

Hi rolande

I don't have a spanning tree design. My problem is when someone (one person) connects a loop on the switch. This loop reduces the network performance (I can't access the routers or switches).

Do you have any idea how to solve this problem?
Or is the only solution that I need to identify where the loop is being introduced into the bridging domain and eliminate it? The problem with this is the time it takes to identify.

thanks


aryoba
Premium,MVM
join:2002-08-22
kudos:4

said by mediter:

Hi rolande

I don't have a spanning tree design. My problem is when someone (one person) connects a loop on the switch. This loop reduces the network performance (I can't access the routers or switches).

Do you have any idea how to solve this problem?
Or is the only solution that I need to identify where the loop is being introduced into the bridging domain and eliminate it? The problem with this is the time it takes to identify.

thanks
As rolande mentioned, BPDU tracing is your friend. Assuming the problem is an STP loop, then you need to find the offending BPDU.


rolande
Certifiable
Premium,Mod
join:2002-05-24
Dallas, TX
kudos:5
reply to mediter

If you can't access the switches they have no business being connected directly to your switches without a router in the middle. Otherwise you should just turn up BPDU filtering on the ports connecting to the switches you can't access so that it does not impact the switches you DO have access to. Additionally you would be very wise to make sure that of the switches that you are managing that you find or pick the switch that is primary or central to the bridge domain and make sure that it is forced to be the Root bridge. You do this by setting the spanning-tree root priority to as low a value as possible so that it overrides all other competing BPDUs being transmitted by other switches.
--
Ignorance is temporary...stupidity lasts forever!

»www.thewaystation.com/
»blog.thewaystation.com/


mediter

join:2006-03-02
mexico
reply to mediter1

I don't have redundant links or a spanning tree implementation. My problem is a loop created by one person who connects one wire to two ports of the same switch.
When this (the loop) occurs, it reduces the network performance. So I don't know if the storm-control configuration is the best option to solve this problem.

Have you had the problem where the wire is connected to two ports, making the LOOP?

Sorry. Maybe I don't understand the response.



rolande
Certifiable
Premium,Mod
join:2002-05-24
Dallas, TX
kudos:5

You need to enable BPDU Guard on all ports that can connect to desktops or host machines. If someone does this, they will cause the ports to go into shutdown/err-disable, instead of propagating the broadcast traffic into a storm. Storm control helps alleviate the impact when it does happen but will not prevent spanning-tree from reconverging which can cause a complete outage due to root and/or designated ports going into a blocking state.
--
Ignorance is temporary...stupidity lasts forever!

»www.thewaystation.com/
»blog.thewaystation.com/
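The spanning-tree hardening rolande lays out in his design reply (root bridge priority, Root Guard and UDLD on downlinks, Loop Guard on redundant links) and in the reply just above (BPDU Guard on host ports), as one added Cisco IOS configuration example; it is not configuration posted by anyone in the thread. It assumes a Catalyst running IOS with Rapid PVST+, FastEthernet1/1-40 as host ports, FastEthernet1/47 as a downlink to an access switch and FastEthernet1/48 as a redundant inter-switch link; adapt the port roles to your own topology.

```cisco
! Added example (not from the thread): STP edge-port and root hardening.
! Assumptions: Rapid PVST+, VLANs 1-4094, Fa1/1-40 = host ports,
! Fa1/47 = downlink to an access switch, Fa1/48 = redundant link to a peer.
!
spanning-tree mode rapid-pvst
! Force this switch to win the root election (lowest priority wins).
spanning-tree vlan 1-4094 root primary
! Any portfast (edge) port that receives a BPDU is err-disabled. A cable
! patched between two host ports returns the switch's own BPDU on those
! ports, so the loop is cut before a broadcast storm builds.
spanning-tree portfast bpduguard default
! Optional: bring err-disabled ports back after 10 minutes so one mistake is
! not a permanent outage. Drop these two lines if ports are re-enabled by hand.
errdisable recovery cause bpduguard
errdisable recovery interval 600
!
interface range FastEthernet1/1 - 40
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet1/47
 description downlink to access switch
 ! Root guard: a switch behind this port can never claim the root role.
 spanning-tree guard root
 udld port aggressive
!
interface FastEthernet1/48
 description redundant link to peer switch
 ! Loop guard: if BPDUs stop arriving, hold the port in a blocking
 ! (loop-inconsistent) state instead of letting it open a loop.
 spanning-tree guard loop
 udld port aggressive
!
! Verification
! show spanning-tree summary
! show spanning-tree root
! show errdisable recovery
```

As rolande points out further down the thread, BPDU Guard only does anything when spanning tree is actually running on the switch; with STP disabled no BPDUs are sent or received and a looped host port is only caught by storm control.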


mediter

join:2006-03-02
mexico
reply to mediter1

Ok

So I am going to enable BPDU guard on the ports, but do you think it is a good idea to enable storm control too while I don't have spanning tree enabled?



rolande
Certifiable
Premium,Mod
join:2002-05-24
Dallas, TX
kudos:5

You aren't even running spanning-tree? Then BPDU guard won't buy you anything. The only fix is to use broadcast storm-control at that point...not to mention yelling at all the stupid users that would plug 1 ethernet jack into another or plugging a hub into 2 ethernet jacks thinking they will double their bandwidth.

If you ran spanning-tree it would detect the loop created in the network and block that particular port creating the loop which would prevent the issue from occurring in the first place. The storm control will only limit the percentage of interface bandwidth that can be used for broadcast traffic. However, based on your previous descriptions of the configuration, I would not recommend just turning on spanning-tree in your environment to see what happens. You really need someone who understands how it works and how it can be implemented properly around your existing layer 2 architecture so it does what it should and avoids creating new problems for you to fight.
--
Ignorance is temporary...stupidity lasts forever!

»www.thewaystation.com/
»blog.thewaystation.com/


aryoba
Premium,MVM
join:2002-08-22
kudos:4

said by rolande:

You aren't even running spanning-tree? Then BPDU guard won't buy you anything.
I agree. The BPDU guard feature is designed to work under properly-configured spanning-tree networks.

said by rolande:

not to mention yelling at all the stupid users that would plug 1 ethernet jack into another or plugging a hub into 2 ethernet jacks thinking they will double their bandwidth.
This is another interesting topic to discuss, but not here on this thread. Opening up a new thread to discuss this kind of silly behavior is probably in order.

said by rolande:

If you ran spanning-tree it would detect the loop created in the network and block that particular port creating the loop which would prevent the issue from occurring in the first place. The storm control will only limit the percentage of interface bandwidth that can be used for broadcast traffic. However, based on your previous descriptions of the configuration, I would not recommend just turning on spanning-tree in your environment to see what happens. You really need someone who understands how it works and how it can be implemented properly around your existing layer 2 architecture so it does what it should and avoids creating new problems for you to fight.
I agree. You don't want to get blamed when something breaks, since it might cost you your job.

mediter, you probably need to start from the very beginning. Do some inventory such as the following. Find out which devices are connected to all switches. Identify whether all switches are even managed switches like your Cisco switch. You then go to the next step with this info.