How to identify and resolve multicast and broadcast storms in your network?

Zyxel_Kay (Zyxel Employee)

This article shows how to find the device that is causing multicast or broadcast storms in your network and how to tell whether there is a loop in the network. We will take a look at multicast and broadcast storms, where they come from, and how to find them, using the switch logs, port mirroring and Wireshark to locate the device causing the storms.

1. Introduction

1.1 Understanding Multicast & Broadcast Storms

A multicast and broadcast storm refers to an excessive amount of broadcast and multicast traffic that inundates a network. When these packets proliferate, they can impede network performance and strain network equipment resources, potentially causing network disruptions. Such issues are commonly referred to as "broadcast storms" and "multicast storms."

1.2 Where do multicast & broadcast storms come from?

Broadcast packets are sent across the entire network to reach all network devices. Most devices do not require these broadcast packets and typically discard them. These packets are primarily used to inform other network devices about the existence of a specific device or to indicate their availability for communication. An example of a broadcast packet is a DHCP packet.

Multicast traffic functions similarly to broadcast traffic but is sent to a specific range of group addresses (ranging from 224.0.0.0 to 239.255.255.255) and is often employed for streaming video. Devices such as Chromecasts, Apple TVs, and IPTVs utilize multicast traffic for streaming video content over IP.

1.3 Identifying Multicast/Broadcast Storms

You can identify the presence of multicast or broadcast storms by:

a) Monitoring the network logs.

b) Observing a slowdown or instability in the network, which often affects specific segments of the network.

2. Locating your multicast/broadcast storm

Locating a multicast storm is pretty straightforward: you look in the logs of your switches.

For both standalone switches and Nebula switches, a broadcast and multicast storm is logged by the switch in the log system.

2.1 Finding storm - Switch Logs

This is the easiest way to locate the broadcast/multicast storm. In this example, we can see that there are multicast storms happening in our network.

If we go to Switch > Event Logs, we can see that there are constant multicast storms happening on SW1 (GS1920-24) on port 23 and SW2 (Hidden name) on port 10.

If we go into SW1 we can see that port 23 is an uplink, so it just means that the multicast storm has traveled to the uplink port from somewhere else. This is a natural behavior of a storm and doesn't say much because it can come from anywhere behind that uplink port.

If we look at SW2, we can see that port 10 is not an uplink port, and is connected to one single device.

If we click on port 10 to get to the port 10 page in Nebula and then scroll down to the MAC-table located below on the right of the screen, we can find out what MAC address is causing this multicast storm.

Use a MAC address lookup service, such as https://macvendors.com/, to determine the type of device associated with the MAC address.

Now we have located where the storm is coming from and we need to find out why this Hewlett Packard device is creating these multicast storms. This can be done by investigating the device, or we can call their support.

2.2 Finding storm - Port Mirroring

In some cases, you won't find the original device using the switch logs. Then you need to set up port mirroring, or use Wireshark to capture the packets on your PC.

So first, connect a PC to the network via cable, open Wireshark and choose which interface you're using (in my case I'm using my WiFi adapter to capture packets, but it's best to connect yourself via cable directly to the switch). Then filter the multicast and broadcast storms with the filter:

  • multicast and broadcast

In my case, nothing crazy was happening, but we could see that there were broadcast packets coming from one particular device. If these packets were flooding my Wireshark logs (i.e. 30+ packets per second), I would need to address this issue by looking further into this device and why it's sending these packets.

You could see from the time column (in seconds) that the rate is about one packet per second, which is not crazy at all.

To look at the MAC address of this device, mark the broadcast packet from this Sagemcom device and look below the packet capture.

Now, because there was no IP address for the device we found earlier, we will instead open Advanced IP Scanner to find out the IP address of that device through the MAC address we found.

It comes from our router 192.168.1.1, and we could investigate that home router on our own. But in this case, it was only 1 packet per second, so I will leave this.
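The per-device rate check from section 2.2 can also be run over a saved capture instead of reading the Wireshark time column by eye. The following is an added example, not part of the original article or Zyxel tooling: it parses a classic pcap file, counts broadcast and multicast frames per source MAC per second, and reports sources whose peak reaches the article's 30 packets per second rule of thumb. The function names and the sample capture (with locally administered MAC addresses) are constructed for illustration.

```python
import struct
from collections import Counter

STORM_PPS = 30  # the article's rule of thumb: 30+ packets per second is a flood

def storm_sources(pcap: bytes, threshold: int = STORM_PPS) -> dict:
    """Return {source MAC: peak broadcast/multicast frames per second} for
    every source whose peak rate reaches the threshold."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"            # little-endian classic pcap
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"            # big-endian classic pcap
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    per_second = Counter()   # (source MAC, capture second) -> frame count
    off = 24                 # skip the 24-byte global header
    while off + 16 <= len(pcap):
        ts_sec, _, incl_len, _ = struct.unpack(end + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # The group bit (lowest bit of the first destination byte) is set for
        # both broadcast (ff:ff:ff:ff:ff:ff) and multicast destinations.
        if len(frame) >= 12 and frame[0] & 0x01:
            per_second[(frame[6:12].hex(":"), ts_sec)] += 1
    peak = {}
    for (mac, _), n in per_second.items():
        peak[mac] = max(peak.get(mac, 0), n)
    return {mac: n for mac, n in peak.items() if n >= threshold}

def build_sample_pcap() -> bytes:
    """Constructed sample capture: one quiet host and one flooding host."""
    def frame(dst, src):
        return bytes.fromhex(dst + src) + b"\x08\x00" + bytes(46)
    # One broadcast per second for five seconds, like the router above
    quiet = [(s, frame("ffffffffffff", "020000000001")) for s in range(5)]
    # 45 frames to an IPv4 multicast MAC, all within the same second
    noisy = [(2, frame("01005e0000fb", "020000000002"))] * 45
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, f in quiet + noisy:
        out += struct.pack("<IIII", sec, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for mac, pps in storm_sources(build_sample_pcap()).items():
        print(f"{mac} peaked at {pps} broadcast/multicast frames per second")
```

Save the capture in classic pcap format rather than pcapng before passing its bytes to `storm_sources`.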

3. Solving a multicast and broadcast storm

Now you've found the source of the multicast or broadcast storm and of course, we want to solve it. There are four main ways you can solve multicast/broadcast storms:

a) Identify if there's a loop in the network and remove the loop - the multicast/broadcast storms will disappear afterwards

b) Enable Storm control - to limit the number of multicast and/or broadcast packets that are sent through the ports per second, so that the storm packets are dropped before a storm can build up

c) Enable IGMP Snooping (for multicast storms only) - to control and steer the multicast traffic to only the devices that are asking for them and disregard the packets for everyone else

d) Disconnect the device from the network - or contact the vendor support to see what's going on with that device because it's not normal to flood a network with multicast/broadcast packets

3.1 Enable Storm Control in Nebula Control Center

Navigate to the port(s) where you have located your multicast/broadcast storm and set storm control by navigating to Switch > Monitor > Switch > Port

Enable Storm control and start with the value 100 packets per second and then decrease to 70 if you're still experiencing storms.

3.2 Enable IGMP Snooping (only for multicast storms) in Nebula Control Center

IGMP snooping is kind of a big topic so we won't go into the theory of it. However, you can find where you configure this below.

Navigate to Switch > Configure > Advanced IGMP

Enable IGMP snooping with the switch on the top.

3.3 Disconnecting or fixing a faulty device

If there are still multicast/broadcast storms happening that are disrupting your network, you need to disconnect the device from the network.

You can also contact the manufacturer (vendor) support of the device that is causing the storms to find out why it's causing them and have them help you solve it.

Kay