I once noticed jumps in broadcast traffic on one shared network. I was able to detect this naturally and quickly, since I had previously set up monitoring via graphs and triggers in Zabbix. I looked at the graphs of broadcast traffic from the ports of the main switch; from there it was clear where it started, and so we traced the chain to the client switch and port. In the Zabbix monitoring system, it is convenient to configure triggers that fire when the broadcast traffic limit is exceeded and report this on the screen, by email to the administrator, etc.
On one network it was once necessary to determine where jumps in broadcast traffic were coming from, because of which CPU usage on devices was increasing and there were interruptions in Internet access.
The network equipment was from MikroTik.
After connecting to the MikroTik, use the following command to look at the per-port traffic statistics, namely the "Rx Broadcast" counter of broadcast traffic arriving at the port. Since this is a packet counter, the figure should grow if a flood is coming in; if it does not change, all is well:
interface ethernet print stats interval=1
Here is an example of viewing the statistics of a specific port (where ether2 is the name of the interface; it may differ depending on how it was named in the configuration):
interface ethernet print stats from ether2 interval=1
See the list of ports/interfaces with the command:
In this way, following the chain, we reach the final port from which the broadcast flood originates and, if necessary, turn it off with the command (where NUMBER is the port's index in the table, which can be viewed with the command above):
interface disable NUMBER
To enable the port:
interface enable NUMBER
Via the web interface or Winbox, you can see the statistics by opening the Interfaces menu on the left and, in the Interface tab, looking at each interface.
Example of resetting port statistics:
interface ethernet reset-counters ether2
interface ethernet reset-counters ether2,ether3,ether4,ether5
On MikroTik CRS models, you can enable broadcast traffic control, for example, 100 packets per second on an ether3 port (similarly for other ports):
interface ethernet switch ingress-port-policer add port=ether3 rate=100 meter-unit=packet packet-types=broadcast
In the future, you can watch the network through, for example, Zabbix, in which you can configure graphs of broadcast packets; if the packet counter starts to grow, the system will notify you.
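The counter-watching described above, as an added example that is not part of the original post: it turns successive readings of a cumulative "Rx Broadcast" counter into packets per second and flags ports that stay above a limit for several intervals in a row. The sample readings, function names, the 100 pps threshold (borrowed from the policer example) and the three-interval rule are assumptions made for the illustration.

```python
from typing import Dict, List, Optional

# Constructed sample data: cumulative "Rx Broadcast" readings per port, 1 s apart.
SAMPLES: Dict[str, List[int]] = {
    "ether2": [1000, 1012, 1020, 1031, 1040],    # normal background broadcast
    "ether3": [500, 5500, 12500, 21000, 30500],  # sustained flood
    "ether4": [90000, 90010, 20, 35, 47],        # counters reset mid-run
    "ether5": [200, 210, 900, 915, 925],         # single short burst
}


def broadcast_rate(prev: int, curr: int, seconds: float) -> Optional[float]:
    """Packets per second between two readings of a cumulative counter.

    Returns None when the counter went backwards (reset-counters, reboot or
    wrap-around): two readings alone cannot tell those cases apart.
    """
    if seconds <= 0 or curr < prev:
        return None
    return (curr - prev) / seconds


def find_flooding_ports(samples, interval=1.0, threshold_pps=100.0, consecutive=3):
    """Return {port: peak pps} for ports above the threshold for
    `consecutive` intervals in a row (hypothetical helper and defaults)."""
    flagged: Dict[str, float] = {}
    for port, readings in samples.items():
        streak, peak = 0, 0.0
        for prev, curr in zip(readings, readings[1:]):
            rate = broadcast_rate(prev, curr, interval)
            if rate is None:
                continue  # unusable interval: leave the streak unchanged
            if rate > threshold_pps:
                streak, peak = streak + 1, max(peak, rate)
                if streak >= consecutive:
                    flagged[port] = max(flagged.get(port, 0.0), peak)
            else:
                streak, peak = 0, 0.0
    return flagged


if __name__ == "__main__":
    for port, pps in find_flooding_ports(SAMPLES).items():
        print(f"{port}: broadcast flood suspected, peak {pps:.0f} pps")
```

Requiring several consecutive intervals keeps a counter reset or a one-off burst from raising an alert, while a sustained flood is still reported within a few seconds.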
In this article I will give an example of setting up broadcast and multicast control on the Alcatel OmniStack LS 6224 switch.
Connect to the switch and go into the configuration mode:
Select the ports on which you want to enable Storm Control:
interface range ethernet e1-24
Turn on the control of broadcast traffic and specify a limit of 70 kilobits per second:
port storm-control broadcast enable
port storm-control broadcast rate 70
If you also want to limit multicast traffic, execute the following command:
port storm-control include-multicast
The default value is 3500; the possible range for ethernet ports is 70 – 100000, and for gigabit ports 3500 – 1000000.
Now it remains to exit the configuration mode and save the configuration:
exit
exit
copy running-config startup-config
To view the packet counters on a port, for example:
show interfaces counters ethernet g1
First of all, let’s look at the statistics of active traffic on ports:
show interface ethernet counter rate
Then we’ll look at the packet counters, paying particular attention to the BroadCast (pkts) column:
show interface ethernet counter packet
For a specific port, we will execute the command to view the statistics of the network interface several times:
show interface ethernet 1/25
Pay attention to how the incoming and outgoing broadcast packet values change: if they do not change, broadcast packets are not passing through this port; if the number increases rapidly, there may be a broadcast storm.
If necessary, we will enter configuration mode and set the limit on transmitted broadcast packets in kilobits (minimum value 1) for the required ports:
config
Interface Ethernet1/1
storm-control broadcast 50
Interface Ethernet1/2
storm-control broadcast 50
Interface Ethernet1/3
storm-control broadcast 50
...
Note that with a low broadcast bandwidth limit, DHCP broadcast requests from clients can also be blocked.