Switching - Troubleshooting Multicast & Broadcast Storms

This article shows how to identify which device is causing multicast or broadcast storms in your network and whether there is a loop in the network. We look at what multicast and broadcast storms are, where they come from, and how to use the switch logs, port mirroring and Wireshark to locate the device causing the storms.

 

1) Introduction

1.1 What is a multicast & broadcast storm?

A broadcast/multicast storm is a large amount of broadcast and multicast traffic flooding a network. When there are a lot of these packets, they can degrade the performance of the network and consume a lot of resources on the installed network equipment, which may disrupt the network. These issues are called "broadcast storms" and "multicast storms".

 

1.2 Where do multicast & broadcast storms come from?

Broadcast packets are sent to all network devices in a network. Most devices don't need these broadcast packets and will discard them. Broadcasts are mostly used to make other devices in the network aware that a particular device exists, or to let other devices know that it is available for communication. An example of a broadcast packet is a DHCP packet.

Multicast traffic is similar to broadcast traffic. Packets are sent to a multicast group address (224.0.0.0 to 239.255.255.255), and a switch without IGMP snooping floods them to all devices in the broadcast domain. Multicast is often used for streaming video. Chromecasts, Apple TVs, IPTVs etc. all use multicast traffic to stream video over IP.

 

1.3 How do I know if I have a multicast/broadcast storm?

a) You will find multicast/broadcast storm entries in the switch logs

b) The network is slow and/or unstable, often only in some parts of the network

 

2) Locating your multicast/broadcast storm

Locating a multicast storm is pretty straightforward: you look in the logs of your switches.

On both stand-alone switches and Nebula switches, broadcast and multicast storms are logged by the switch in the log system.

 

2.1 Finding storm - Switch Logs

This is the easiest way to locate the broadcast/multicast storm. In this example, we can see that there are multicast storms happening in our network.

If we go to Switch -> Event Logs, we can see that there are constant multicast storms happening on SW1 (GS1920-24) on port 23 and on SW2 (hidden name) on port 10.

If we go into SW1, we can see that port 23 is an uplink, which just means that the multicast storm has traveled to the uplink port from somewhere else. This is natural behavior for a storm and doesn't tell us much, because the storm can come from anywhere behind that uplink port.

 

If we look at SW2, we can see that port 10 is not an uplink port and is connected to a single device.

If we click on port 10 to open its port page in Nebula and scroll down to the MAC table at the lower right of the screen, we can find out which MAC address is causing this multicast storm.

 

If we then look up that MAC address at https://macvendors.com, we can see what type of device it is:

Now we have located where the storm is coming from, and we need to find out why this Hewlett Packard device is creating these multicast storms. This can be done by investigating the device, or we can call the vendor's support.

 

2.2 Finding storm - Port Mirroring 

In some cases, you won't find the originating device using the switch logs. Then you need to use port mirroring, or use Wireshark to capture the packets on your PC.

Take a look at this article for how to use port mirroring:

Nebula Debugging - Port mirroring & Packet Capturing

 

2.3 Finding storm - Wireshark


 

So first, connect a PC to the network via cable, open Wireshark and choose the interface you're using (in my case I'm using my WiFi adapter to capture packets, but it's best to connect via cable directly to the switch). Then filter for the multicast and broadcast storms with the filter:

multicast and broadcast

 


In my case, nothing crazy was happening, but we could see that there were broadcast packets coming from one particular device. If these packets were flooding my Wireshark capture (i.e. 30+ packets per second), I would need to address this issue by looking further into this device and why it's sending these packets.

You can see from the time column (in seconds) that the rate is about one packet per second, which is not crazy at all.

To find the MAC address of this device, select the broadcast packet from this Sagemcom device and look below the packet list.

 

Now, because the device we found earlier showed no IP address, we will instead open Advanced IP Scanner to find the IP address of that device from the MAC address we found:

 

It comes from our router, 192.168.1.1, and we could investigate that home router on our own. But in this case it was only 1 packet per second, so I will leave this.
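The per-source rate check from section 2.3 can also be run over a saved capture instead of being read off the Wireshark time column. The following is an added example, not part of the original article: it assumes the capture was saved in classic pcap format (not pcapng), uses the article's 30 packets per second as the threshold, and runs on constructed sample traffic with made-up MAC addresses.

```python
import struct
from collections import Counter, defaultdict

STORM_PPS = 30  # the article's rough mark for "flooding" (30+ packets per second)

def build_pcap(frames):
    """Pack (timestamp, Ethernet frame) pairs into a classic little-endian pcap."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in frames:
        usec = int(ts % 1 * 1_000_000)
        out += struct.pack("<IIII", int(ts), usec, len(frame), len(frame)) + frame
    return out

def group_sources(pcap):
    """Map source MAC -> Counter(second -> broadcast/multicast frames seen)."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("expected a little-endian, microsecond-resolution pcap")
    per_src, off = defaultdict(Counter), 24
    while off + 16 <= len(pcap):
        sec, _usec, caplen, _origlen = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        # Group bit: lowest bit of the first destination octet is set for
        # both broadcast (ff:ff:ff:ff:ff:ff) and multicast destinations.
        if len(frame) >= 12 and frame[0] & 1:
            per_src[frame[6:12].hex(":")][sec] += 1
    return per_src

def storm_suspects(pcap, threshold=STORM_PPS):
    """Sources whose busiest second reaches the threshold, worst first."""
    peaks = {mac: max(c.values()) for mac, c in group_sources(pcap).items()}
    hits = [(mac, pps) for mac, pps in peaks.items() if pps >= threshold]
    return sorted(hits, key=lambda hit: -hit[1])

def sample_capture():
    """Constructed traffic: a 1 pps broadcaster and a source flooding multicast."""
    quiet, noisy = bytes.fromhex("02000000000a"), bytes.fromhex("02000000000b")
    bcast, mcast = b"\xff" * 6, bytes.fromhex("01005e0000fb")
    body = b"\x08\x00" + bytes(46)  # EtherType plus padding; content is not parsed
    frames = [(1000 + s, bcast + quiet + body) for s in range(5)]
    frames += [(1002 + i / 200, mcast + noisy + body) for i in range(120)]
    frames.append((1003, quiet + noisy + body))  # unicast frame, must be ignored
    return build_pcap(frames)

if __name__ == "__main__":
    for mac, pps in storm_suspects(sample_capture()):
        print(f"{mac} peaked at {pps} broadcast/multicast frames per second")
```

To use it on a real capture, read the file's bytes and pass them to `storm_suspects()`; the MAC addresses it returns are the ones to look up in the switch MAC table as in section 2.1.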

 

3) Solving a multicast and broadcast storm

Now you've found the source of the multicast or broadcast storm and, of course, we want to solve it. There are four main ways you can solve multicast/broadcast storms:

a) Identify whether there's a loop in the network and remove the loop - the multicast/broadcast storms will disappear afterwards

b) Enable Storm control - to limit the number of multicast and/or broadcast packets sent through the ports per second, so that storm packets are dropped before a storm develops

c) Enable IGMP Snooping (for multicast storms only) - to steer the multicast traffic only to the devices that are asking for it and disregard the packets for everyone else

d) Disconnect the device from the network - or contact the vendor support to see what's going on with that device, because it's not normal to flood a network with multicast/broadcast packets

 

3.1 Enable Storm Control

3.1.1 In Stand-alone

Navigate to Advanced Application -> Broadcast Storm Control and then configure the ports where you have located your multicast/broadcast storm:

Enable Storm control on the ports where it's needed. Start with a value of 100 packets per second, then decrease to 70 if you're still experiencing storms.

 

3.1.2 In Nebula

Navigate to the port(s) where you have located your multicast/broadcast storm by going to Switch -> Monitor -> Switch -> Port, and set storm control there.

Enable Storm control. Start with a value of 100 packets per second, then decrease to 70 if you're still experiencing storms.

 

3.2 Enable IGMP Snooping (only for multicast storms)

IGMP snooping is a big topic, so we won't go into the theory of it here. However, you can find where to configure it below.

 

3.2.1 In Nebula

Navigate to Switch -> Configure -> Advanced IGMP

Enable IGMP snooping with the toggle at the top.

 

3.2.2 In Stand-alone

Navigate to Advanced Application -> Multicast -> IPv4 Multicast -> IGMP Snooping

Click on "Active", hit Apply and then save your configuration before leaving the switch.

 

Read more here:

How to configure IGMP Snooping for multicast clients in the same LAN 

 

3.3 Disconnecting the device or solving faulty device behavior

If there are still multicast/broadcast storms disrupting your network, you need to disconnect the device from the network.

You can also contact the manufacturer (vendor) support of the device that is causing the storms to find out why it's causing them and to get the issue solved by the vendor.
