Hello,
I am curious if others are using port-based storm control.  We have not, and were looking at it, yet want to be cautious since we see that the port will drop all traffic once the threshold is reached.  Our concern is that we will end up creating more problems than we solve, especially since it has been a good number of years since we have actually experienced a broadcast storm (thankfully.)  Since the time monitored is one second, it seems possible for a host to briefly transmit a good number of broadcasts and shut the port down.  Sharing any experience (good or bad) with implementing storm control will be greatly appreciated.

A quote that I heard recently on a podcast seems to apply here: "The complexity required for increased robustness tends to act against robustness" :-)

best,
Dennis Bohn
Manager of Network and Systems
Adelphi University
bohn@adelphi.edu
5168773327
********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Comments

Message from fkass@mtholyoke.edu

I currently use Cisco edge switches. I have broadcast control set to log at 1% of gig links and 10% of 100mbit links, or basically 10mbit of broadcast.  Then I have a script on my syslog server which emails me.  I set the level with the idea that if a port is putting out 10mbit of broadcast that is very bad but probably not enough to kill my network (just hobble it).  When I get notified I look at things more closely.  I find it works well as an early warning system and yet another check.  They don't get triggered very often but when they do I'm glad they are there.

-Fred

We also use Cisco edge switches. Would you mind sharing the port config? When you say log, do you mean you use the "trap" command on the interface? Or does it send syslog by default? I had the feeling the "trap" command would only send an SNMP trap and not a syslog.

On 10/1/2012 3:01 PM, Fred Kass wrote:

On 10/1/2012 3:05 PM, Vlade Ristevski wrote:
> I had the feeling the "trap" command would only send an SNMP trap and
> not a syslog

Even if that's accurate (I don't know off hand) the traps can still be collected and parsed in exactly the same way. I parse traps from cisco switches just as Fred does.

-Rick

--
Rick Coloccia, Jr.
Network Manager
State University of NY College at Geneseo
1 College Circle, 119 South Hall
Geneseo, NY 14454
V: 585-245-5577
F: 585-245-5579

Message from fkass@mtholyoke.edu

It sends it to the syslog server by default; I don't have an SNMP trap set for this (I have some set from Bradford).

My cisco config looks something like this:

interface FastEthernet0/2
 switchport access vlan 728
 switchport mode access
 ip access-group 100 in
 storm-control broadcast level 10.00 5.00
 storm-control multicast level 5.00 3.00
 storm-control action trap
 spanning-tree portfast
 ip dhcp snooping limit rate 200
!
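Fred's "script on my syslog server which emails me" is the part of this setup that turns a logged threshold hit into a human looking at the port. The following is an added illustration, not Fred's script: it parses the IOS `%STORM_CONTROL-3-FILTERED` syslog message (the format is assumed from the standard IOS message catalog; the sample lines are constructed) and reports only ports that have fired more than once, so a single one-second burst from a chatty host does not page anyone.

```python
import re
from collections import Counter
from typing import List, Tuple

# Prefix of a BSD-style syslog line as relayed from an IOS switch: timestamp, then hostname.
PREFIX_RE = re.compile(r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) ")
# Body of the IOS storm-control message that "storm-control action trap" also logs.
# Format assumed from the IOS message catalog, not taken from the thread.
STORM_RE = re.compile(
    r"%STORM_CONTROL-3-FILTERED: A (?P<kind>\w+) storm detected on (?P<iface>\S+)\."
)

Event = Tuple[str, str, str]  # (switch hostname, interface, storm kind)

# Constructed sample syslog excerpt: two hits on Fa0/2, one on Fa0/7, one unrelated line.
SAMPLE_SYSLOG = """\
Oct  1 15:01:02 sw-edge-01 12345: %STORM_CONTROL-3-FILTERED: A Broadcast storm detected on Fa0/2. A packet filter action has been applied on the interface.
Oct  1 15:01:05 sw-edge-01 12346: %STORM_CONTROL-3-FILTERED: A Multicast storm detected on Fa0/7. A packet filter action has been applied on the interface.
Oct  1 15:01:30 sw-edge-01 12347: %STORM_CONTROL-3-FILTERED: A Broadcast storm detected on Fa0/2. A packet filter action has been applied on the interface.
Oct  1 15:02:01 sw-edge-02 9981: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""


def parse_events(syslog_text: str) -> List[Event]:
    """Return one (host, iface, kind) tuple per storm-control line; other lines are skipped."""
    events: List[Event] = []
    for line in syslog_text.splitlines():
        head = PREFIX_RE.match(line)
        body = STORM_RE.search(line)
        if head and body:
            events.append((head["host"], body["iface"], body["kind"]))
    return events


def ports_to_review(events: List[Event], repeat_threshold: int) -> List[Tuple[str, str]]:
    """Ports whose storm-control fired at least repeat_threshold times in the excerpt.

    One hit can be a transient burst inside the one-second measurement window;
    repeats are what a person should look at before anything stronger (such as
    moving the port to a quarantine VLAN) is considered.
    """
    counts = Counter((host, iface) for host, iface, _ in events)
    return sorted(port for port, n in counts.items() if n >= repeat_threshold)


if __name__ == "__main__":
    for host, iface in ports_to_review(parse_events(SAMPLE_SYSLOG), repeat_threshold=2):
        print(f"review {host} {iface}: storm control fired repeatedly")
```

Feeding real syslog into `parse_events` and mailing the result of `ports_to_review` is the part a site would wire into its own notification path.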


Thanks a lot, I appreciate it. In our current setup we have way more flexibility receiving and acting on syslog messages than SNMP traps. I'd love to be able to automatically put them in a quarantine VLAN when they reach that threshold.

On 10/1/2012 3:12 PM, Fred Kass wrote:


Message from ferps@sva.edu

We use an arp inspection rate limit command on our switches.  If a port exceeds that threshold with gratuitous arps, the port will go into err-disable.  

To avoid causing more trouble than it's worth, we have also enabled auto-recovery after a 5-minute interval.

Combined, this ensures that my network won't be taken down, while minimizing inconvenience to the user if it was a one-time glitch.

Continuous violations will generate a trouble-call for "my computer says it's disconnected" and we go from there.



________________________
Please excuse any typographical errors as this message was sent from my mobile device

Fishel Erps
C: 347-539-6380


On Oct 1, 2012, at 15:12, Fred Kass <fkass@MTHOLYOKE.EDU> wrote:
