Broadcast Storm

How do y'all deal with broadcast storms?

On every SM that is in bridge mode block the following:

PPPoE
SMB (Network Neighborhood)
SNMP
Bootp Client
Bootp Server
IPv4 Multicast

You will cease to have Multicast broadcast storms.

I asked this question to Jerry, but maybe someone else will know. We should have all of our SMs with the filters mentioned above. The one thing that really gets us is if we miss the multicast filter.

Everyone knows the thing that causes the ICMP storm is a single IGMP request. Is there a way to prompt the IGMP request to track down any SMs that aren't filtered correctly?

We have solved these problems in a few steps:

1. PPPoE, you can put much better filters than if you use static IP. Only first and last field of the filters page are unchecked.
2. Management VLANs for APs and SMs.
3. Elimination of the CMMs. This is ongoing; we will use Cisco Catalyst 29xx. Every unit will get its own port with a limit on broadcast packets, so the problems will be isolated to one AP.
4. AP or BH can only communicate with the router.
5. All the SMs connected to an AP can't communicate with each other.
6. Multicast MIR is limited to 16.

Erkan,

Can you please explain a bit more. How do you implement PPPoE? What setting do you need in your switch/router? Do you use a RADIUS server? Thanks for any response!

You don't have to eliminate all the CMMmicros to do this. Just enable SM isolation in the AP, enable AP isolation in the CMMmicro, give the BH an uplink port in the CMMmicro, and terminate all BHs into a layer 3 switch with VLANs. This way all SM traffic will have to go directly to the layer 3 switch or router and all broadcast and multicast traffic will be dropped. No SM-to-SM traffic will be allowed.

As for PPPoE, the answer is yes: the SM if in NAT, or a router if not, must authenticate with a RADIUS server to allow traffic to flow to the SM, creating a tunnel between the SM and gateway, basically doing the same thing as the built-in features I mentioned above. If you are not running Prizm for authentication then PPPoE is a good way to secure the network, but the drawback is more overhead.

dats,
We use Slackware Linux routers for termination; pppoe-server is the daemon. Authentication is on FreeRADIUS and the database is Oracle, but you can use MySQL or whatever you want.
You can do this without switch, but you have more options with the switch.

attitude0330,
Our normal POP has 600-1000 SMs, 12 APs, 2 or 3 CMMs. All the CMMs are connected to each other and the MAC address table is so big that the CMM can't hold all the MACs and starts acting as a hub. This generates 1-2 megs of broadcast traffic which comes to the Ethernet port of the APs, and it's discarded there, but passes through the BH20 to the slave side. All those discards add more pressure to the APs, which usually have up to 100 SMs connected and are already pushed to the limits.
The plan is to use the Cisco switches, each unit into a separate port. They will receive 24 V and sync through a patch panel which is connected to the CMM for the sync. This is in the test phase but it's working well for the time being.
On the port of the switch there will be limits for the broadcast traffic, which will isolate the problems to only one AP. Management will be in a different VLAN for different POPs, and the traffic from the users will come in VLAN 1 so we can tag it on the switch and implement a good layer 2 network with RSTP and VLAN prioritization.
Finally we can connect one site with two BH20s from different sides and use load balancing without a router.
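As an added illustration (not configuration posted by anyone in this thread), this is what the one-port-per-AP plan above looks like in Cisco IOS on a Catalyst 29xx: storm control caps broadcast and multicast per port, protected ports stop AP-to-AP traffic at layer 2 so everything has to go via the router, management sits in its own VLAN, and RSTP is enabled. Interface names, VLAN IDs and the 1% thresholds are assumptions chosen for the example.

```cisco
! Added example for the Catalyst 29xx per-AP port design described above.
! Interface names, VLAN IDs and storm-control levels are assumptions, not from the thread.
spanning-tree mode rapid-pvst
!
vlan 1
 name user-traffic
vlan 100
 name mgmt-pop1
!
interface FastEthernet0/1
 description AP-1 (one AP per port, so a storm stays on this port)
 switchport mode access
 switchport access vlan 1
 ! protected ports never forward to each other: AP/BH can only reach the router
 switchport protected
 ! drop broadcast/multicast above 1% of port bandwidth and raise an SNMP trap
 storm-control broadcast level 1.00
 storm-control multicast level 1.00
 storm-control action trap
 spanning-tree portfast
!
interface FastEthernet0/2
 description AP-2
 switchport mode access
 switchport access vlan 1
 switchport protected
 storm-control broadcast level 1.00
 storm-control multicast level 1.00
 storm-control action trap
 spanning-tree portfast
!
interface FastEthernet0/24
 description Uplink to router / BH20 (VLAN 1 user traffic tagged, VLAN 100 management)
 switchport mode trunk
 switchport trunk allowed vlan 1,100
 switchport trunk native vlan 100
```

With `storm-control action trap` the port stays up and the switch signals the flood, so the AP whose SM missed the multicast filter can be found from the trap rather than from the whole POP going down; `storm-control action shutdown` err-disables the port instead.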