From: Charles Church (cchurch@wamnet.com)
Date: Fri Aug 29 2003 - 10:08:37 GMT-3
Do the HP switches have port counters? If so, you should be able to track
down the source. Check all ports and trunks that are in the same VLAN the
router is. Once you find another port with lots of broadcasts, verify the
device attached isn't the cause if it's a host, or it's not a mis-configured
router. A device dumping 10,000 broadcasts/sec onto a VLAN should be pretty
easy to find. Could it be ARPs caused by the recent worms?
Chuck Church
CCIE #8776, MCNE, MCSE
Wam!Net Government Services
13665 Dulles Technology Dr. Ste 250
Herndon, VA 20171
Office: 703-480-2569
Cell: 703-819-3495
cchurch@wamnet.com
PGP key: http://pgp.mit.edu:11371/pks/lookup?search=chuck+church&op=index
-----Original Message-----
From: SHARMA,MOHIT (HP-Germany,ex1) [mailto:mohit.sharma@hp.com]
Sent: Friday, August 29, 2003 8:50 AM
To: 'Charles Church'; ccielab@groupstudy.com
Subject: RE: Broadcast storm- Please HELP
Hi Charles and All,
Thanks for your valuable inputs.
Since it is one of our customers, they are using HP switches :)
The port config is here-
interface FastEthernet0/1/0
 description Transit LAN
 ip address x.x.x.x 255.255.255.192
 ip access-group 191 in
 ip access-group 191 out
 no ip redirects
 ip route-cache flow
 ip ospf cost 12
 full-duplex
 no cdp enable
 standby 10 ip x.x.x.x
 standby 10 timers 5 16
 standby 10 priority 200
 standby 10 preempt
 standby 10 track GigabitEthernet9/0/0
end
With a sh int command -
----Received 248704130 broadcasts, 0 runts, 0 giants, 1 throttles
----Received 248735495 broadcasts, 0 runts, 0 giants, 1 throttles
And within a second you can see the number of broadcasts received.
Unfortunately I am also not able to use something like a sniffer, because of
the customer security requirements.
I was looking for something that could help me identify, something on the
router itself.
Thanks,
Mohit.
-----Original Message-----
From: Charles Church [mailto:cchurch@wamnet.com]
Sent: Friday, August 29, 2003 2:37 PM
To: SHARMA,MOHIT (HP-Germany,ex1); ccielab@groupstudy.com
Subject: RE: Broadcast storm- Please HELP
If you've got a Cisco switch going to the router, I believe you can limit
broadcasts to a number per second or a percentage of bandwidth. Are they IP
broadcasts or something else? Once you've got the router somewhat
protected, dig into your layer 2 device statistics and find the source(s).
Rate limiting might be able to help also until you track down the source. Is
it possible it's a mis-configured IP helper statement or a spanning
tree/bridging problem somewhere? Checking device logs might be helpful as
well. Good luck.
Chuck Church
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
SHARMA,MOHIT (HP-Germany,ex1)
Sent: Friday, August 29, 2003 5:00 AM
To: 'ccielab@groupstudy.com'
Subject: Broadcast storm- Please HELP
Hello All,
I am facing a broadcast storm on one of our customer backbone routers. I can
see in the ethernet counter that it is receiving the broadcast at the rate
of more than 10000 packets per second.
I already have NetFlow on the interface but I'm not able to find the root
cause. I am scared that this storm may bring the router down.
Can somebody please help or give some suggestions to deal with this
situation?
Thanks for your help.
Mohit Sharma
Network Operations Engineer
HP Operations
email: mohit_sharma@hp.com
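Added example (not part of the original thread): one way to do the port-counter comparison suggested above without a sniffer is to sample each port's cumulative received-broadcast counter twice and rank ports by the rate between the samples. It assumes 32-bit counters that are available as lines in the "Received N broadcasts" form shown in the thread; the port names, sample values, interval and threshold are constructed.

```python
import re

BCAST_RE = re.compile(r"Received\s+(\d+)\s+broadcasts")

def parse_broadcasts(line):
    """Extract the cumulative broadcast count from a 'sh int' style line."""
    m = BCAST_RE.search(line)
    if m is None:
        raise ValueError("no broadcast counter in line: %r" % line)
    return int(m.group(1))

def rate_per_sec(before, after, seconds, counter_bits=32):
    """Broadcasts/sec between two samples, tolerating one counter wrap."""
    if seconds <= 0:
        raise ValueError("sample interval must be positive")
    # Modular subtraction gives the right delta even if the counter
    # rolled over between samples (counter width is an assumption).
    delta = (after - before) % (1 << counter_bits)
    return delta / seconds

def rank_ports(first, second, seconds, threshold):
    """Ports whose received-broadcast rate meets threshold, busiest first."""
    rates = {}
    for port, line in first.items():
        if port not in second:
            continue  # port absent from the second snapshot: no rate
        rates[port] = rate_per_sec(parse_broadcasts(line),
                                   parse_broadcasts(second[port]), seconds)
    hot = [(p, r) for p, r in rates.items() if r >= threshold]
    return sorted(hot, key=lambda pr: pr[1], reverse=True)

# Constructed snapshots of three switch ports in the same VLAN, 10 s apart.
T0 = {
    "A1": "Received 51200 broadcasts, 0 runts, 0 giants, 0 throttles",
    "A2": "Received 4294900000 broadcasts, 0 runts, 0 giants, 0 throttles",
    "A3": "Received 1000000 broadcasts, 0 runts, 0 giants, 0 throttles",
}
T1 = {
    "A1": "Received 51230 broadcasts, 0 runts, 0 giants, 0 throttles",
    "A2": "Received 32704 broadcasts, 0 runts, 0 giants, 0 throttles",  # wrapped
    "A3": "Received 1020000 broadcasts, 0 runts, 0 giants, 0 throttles",
}

if __name__ == "__main__":
    for port, rate in rank_ports(T0, T1, seconds=10, threshold=1000):
        print("%-4s %10.1f broadcasts/sec received" % (port, rate))
```

Ports at the top of the list are the ones to inspect first; a naive subtraction would have reported a negative rate for the wrapped counter on A2.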
This archive was generated by hypermail 2.1.4 : Tue Sep 02 2003 - 18:54:10 GMT-3