1

I had two situations this week where my uplink provider had to disable our link because their router identified a broadcast storm. Unfortunately, they can't provide more information about the source of the problem.

What is the best way to identify what's causing this issue?

I have a Vyatta router between the uplink provider and my network. Is running "tcpdump broadcast" and logging it a viable solution?

This way maybe I could at least have a log and identify the IPs with more broadcast traffic if this issue happens again.

Fernando
  • Broadcast storms are usually at layer 2; most layer 3 routers are configured to *not* forward IP broadcasts. Try to ask them what traffic caused the problem. How is your network configured? Do you support IP multicast? – The Unix Janitor Feb 09 '12 at 12:53
  • What is your uplink's physical media? Ethernet? – Evan Anderson Feb 09 '12 at 13:11
  • @EvanAnderson Yes, Ethernet. – Fernando Feb 09 '12 at 15:17
  • @user37899 I'm trying to check the traffic that caused the problem with them and yes, my network supports IP multicast. – Fernando Feb 09 '12 at 15:19
  • Get some Wireshark dumps, and I'll take a look. If you see a lot of traffic for FF:FF:FF:FF:FF:FF (L2) or 255.255.255.255 (L3), then these are broadcast frames. Talk to your ISP, they may hopefully know more; they disabled you for a reason, find out why. – The Unix Janitor Feb 09 '12 at 16:04

3 Answers

2

There is more than one type of broadcast.

Layer 2 (network) broadcasts (traffic to the all-1's MAC address) are used by protocols like ARP to gather information on how to connect to a specific node when it already knows its higher-layer address (typically IP).

Layer 3 (IP) broadcasts (traffic to the subnet's highest address) serve entirely different functions.

If your network provider is impacted by layer 2 broadcast traffic, I seriously wonder at their level of competence.

Your network provider typically connects via an IP (layer 3) router, which does not pass layer 2 traffic at all.

The only layer 3 broadcasts of note are the typical Windows name service requests (WINS and the like).

This behaviour may indicate a hardware issue on the router, or at any other point in between the end nodes (your computer and the network provider.)

adaptr
0

I'm not familiar with Vyatta, but it's possible that there's some gratuitous ARP happening (usually on failover events), causing the issue. This is a pretty common mechanism to force ARP cache updates during failover, but it can cause problems such as this depending upon how aggressive the broadcasts are and how sensitive the recipients are.

Worth looking into either way.

mcauth
0

Thanks to everyone who answered!

After investigating this further, it looked like the arp cache limit was set to a very low value and it was not holding all hosts in our network.

After setting this to a bigger value, it solved the problem.

Fernando
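The logging idea from the question, applied to the ARP finding in the last answer, as an added example that is not part of the original posts: it tallies broadcast frames per source MAC and ethertype from the text output of `tcpdump -e -n broadcast`, and lists senders that keep ARPing for the same target, the pattern one would expect when an ARP cache cannot hold all hosts. The sample lines, MAC and IP addresses, the `summarize` function and its threshold are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -e -n broadcast` text output (not from the posts).
SAMPLE = """\
12:53:01.000100 00:00:5e:00:53:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.0.2.10 tell 192.0.2.1, length 28
12:53:01.200100 00:00:5e:00:53:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.0.2.11 tell 192.0.2.1, length 28
12:53:01.400100 00:00:5e:00:53:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.0.2.10 tell 192.0.2.1, length 28
12:53:01.500100 00:00:5e:00:53:20 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 92: 192.0.2.20.137 > 192.0.2.255.137: UDP, length 50
12:53:01.600100 00:00:5e:00:53:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.0.2.10 tell 192.0.2.1, length 28
12:53:01.800100 00:00:5e:00:53:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.0.2.11 tell 192.0.2.1, length 28
"""

# Link-level header printed by -e, restricted to frames sent to the broadcast MAC.
FRAME = re.compile(
    r"^\S+ (?P<src>[0-9a-f:]{17}) > ff:ff:ff:ff:ff:ff, "
    r"ethertype (?P<etype>\S+) \(0x[0-9a-f]{4}\), length \d+: (?P<rest>.*)$"
)
ARP_REQ = re.compile(r"Request who-has (?P<target>\S+)(?: \(\S+\))? tell (?P<sender>[^,\s]+)")


def summarize(text, repeat_threshold=3):
    """Return (frames per source MAC, frames per ethertype, repeated ARP pairs)."""
    per_src, per_type, arp_pairs = Counter(), Counter(), Counter()
    for line in text.splitlines():
        m = FRAME.match(line.strip())
        if not m:
            continue  # not a broadcast frame, or a line in another format
        per_src[m["src"]] += 1
        per_type[m["etype"]] += 1
        arp = ARP_REQ.search(m["rest"]) if m["etype"] == "ARP" else None
        if arp:
            arp_pairs[(arp["sender"], arp["target"])] += 1
    # The same sender asking for the same target again and again is worth a look.
    repeated = {pair: n for pair, n in arp_pairs.items() if n >= repeat_threshold}
    return per_src, per_type, repeated


if __name__ == "__main__":
    per_src, per_type, repeated = summarize(SAMPLE)
    for mac, n in per_src.most_common():
        print(f"{mac}  {n} broadcast frames")
    print("by ethertype:", dict(per_type))
    for (sender, target), n in repeated.items():
        print(f"{sender} sent {n} ARP requests for {target}")
```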