How to catch broadcast flood on D-Link switches

I noticed once in one common network jumps in broadcast traffic, I was able to detect naturally quickly, since I had previously set up monitoring via graphs and triggers using Zabbix. I looked at the graphs of broadcast traffic from the ports of the main switch, from here it was clear where he started to go, and so we determined the chain to the client switch and port. In the Zabbix monitoring system, it is convenient to configure triggers that trigger when the limit of broadcast traffic is exceeded and report this on the screen, email to the administrator, etc.

Continue reading “How to catch broadcast flood on D-Link switches”

How to catch broadcast flooding on MikroTik devices

It took somehow in one network to determine where the jumps of broadcast traffic are coming from, because of which the CPU usage was increasing on devices and there were interruptions with the Internet.
The network equipment was used from MikroTik.

Having connected to MikroTik with the following command, let’s look at the traffic statistics on ports, namely the broadcast traffic “Rx Broadcast” coming to the port, since this is the packet counter, then the figure should grow if the flood comes, if it does not change, then all is well:

interface ethernet print stats interval=1

Here is an example of viewing the statistics of a specific port (where ether2 is the name of the interface, it may be different depending on how it was called in the configuration):

interface ethernet print stats from ether2 interval=1

See the list of ports/interfaces with the command:

interface print

In this way, by the chain we will reach the final port from which there is a broadcast flood and, if necessary, turn it off by the command (where NUMBER is the number of the port in order in the table which can be viewed by the command above):

interface disable NUMBER

To enable the port:

interface enable NUMBER

Via WEB or Winbox, you can see the statistics by opening the Interfaces menu on the left and in the Interface tab, let’s look at each interface.

Example of resetting port statistics:

interface ethernet reset-counters ether2
interface ethernet reset-counters ether2,ether3,ether4,ether5

On CRS models MikroTik, you can enable broadcast traffic control, for example, 100 packets per second on an ether3 port (similarly for other ports):

interface ethernet switch ingress-port-policer add port=ether3 rate=100 meter-unit=packet packet-types=broadcast

In the future, you can watch the network for example through the system Zabbix, in which you can configure the display of broadcast packet schedules and if the packet counter starts to grow, the system will notify you.

Configuring Storm Control on Alcatel OmniStack LS 6224

In this article I will give an example of setting up broadcast and multicast control on the Alcatel OmniStack LS 6224 switch.

Connect to the switch and go into the configuration mode:


Select the ports on which you want to enable Storm Control:

interface range ethernet e1-24

Turn on the control of broadcast traffic and specify a limit of 70 kilobits per second:

port storm-control broadcast enable
port storm-control broadcast rate 70

If you want to limit also multicast traffic, then execute the following command:

port storm-control include-multicast

The standard value is 3500, the possible range for ethernet ports is 70 – 100000, for gigabit ports 3500 – 1000000.

Now it remains to exit the configuration mode and save the configuration:

copy running-config startup-config

To see the data of the packet counters on the port, for example:

show interfaces counters ethernet g1

How to catch broadcast storms on FoxGate switches

First of all, let’s look at the statistics of active traffic on ports:

show interface ethernet counter rate

Then we’ll look at the packet counters, especially pay attention to the BroadCast (pkts) column:

show interface ethernet counter packet

For a specific port, we will execute the command to view the statistics of the network interface several times:

show interface ethernet 1/25

And let’s pay attention to how the incoming and outgoing values of the broadcast packets change, if they do not change, then the broadcast packets do not go through this port, if the digit increases rapidly, then maybe there is a broadcast storm.

If necessary, we will enter the competing mode and set the limit of transmitted broadcast packets in kilobits (minimum value 1) for the required ports:

Interface Ethernet1/1
storm-control broadcast 50
Interface Ethernet1/2
storm-control broadcast 50
Interface Ethernet1/3
storm-control broadcast 50

Note that with a low broadcast bandwidth limit, DHCP broadcast requests from clients can also be blocked.

See also:
Block DHCP servers on FoxGate switches
Configuring the Foxgate S6224-S2 Switch