Annoying layer 2 broadcasting!

coffee_monkey · ‎02-12-2016

Hi all,

I'd like to wish you guys are all the best and healthy with your family in this new year!

Recently, I have a company from my well developed Cisco 4500E series switches in my office. Simply say, some server switch port was enforce to be disable due to too many exceeding layer 2 broadcast triggered, may be virus or vulnerability somehow. My job is to wake up at the midnight then manually enable the port every time, that was so evil ~_~

So my question is it the only way to discard those annoying broadcast or shut down the ports by defined ACL. Any advice to predict the broadcast from the server, or it can effectively suppress the broadcast frame but don't let the ACL suspend the port?

Very appreciate if you could give some suggestion on it.

Regards

Eddy

Mark Malone · ‎02-13-2016

Hi have a look into storm control you can use that to manage broadcasts storms a bit

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/37sg/configuration/guides/config/bcastsup.html

But you should also try and capture the storm as well using wire shark and try an source the problem whether virus / faulty nic etc

Heres an EEM script you can manipulate with your vlans/ports it will send you syslog to notify there is a storm happening so you can try capture it

event manager applet BROADCAST-STORM
event interface name "Vlan1" parameter receive_broadcasts entry-val 3000 entry-op gt entry-type rate poll-interval 30 average-factor 5
action 1.0 syslog msg "BROADCAST STORM DETECTED"