Tuesday, February 3, 2015

Broadcast Storm Containment in HP ProCurve Switches (K/KA/KB 15.15.xxx)

Broadcast storms can severely degrade network performance and even bring a network down. They are most often caused by Layer 2 loops, but they can also be caused by smurf-style DoS attacks (ICMP echo requests sent to a broadcast address) or simply by a faulty NIC. For example, certain Intel NICs have been known to flood the network with a continuous stream of ICMPv6 packets while the host is in sleep mode.

HP ProCurve switches offer several techniques to restrict broadcast traffic while the root cause of the storm is being tracked down. Note that these limits only contain the symptom; the loop, the attacker or the faulty NIC still has to be found and removed.

Using the fault-finder command:

From K.15.15.xxx onward, the fault-finder command has additional options for broadcast-storm detection.

The general syntax is:

fault-finder broadcast-storm port-list action [warn | warn-and-disable seconds] [percent percent | pps rate]

Where:

- “percent” is the threshold as a percentage of the port's bandwidth.
- “pps” is the threshold in broadcast packets per second.
- “warn” logs the event only.
- “warn-and-disable” logs the event and disables the port.
- “seconds” is the waiting period before the port is re-enabled, from 0 to 604800 seconds (7 days). A value of zero means the port is not re-enabled automatically and must be re-enabled manually.

For example, “fault-finder broadcast-storm A1-A10 action warn-and-disable 10 percent 40” logs a warning and disables any of ports A1-A10 on which broadcast traffic reaches 40% of the port's bandwidth. A disabled port is re-enabled after 10 seconds. Use warn-and-disable with care on uplink or trunk ports: disabling one of them cuts off everything behind it, which may be a bigger outage than the storm itself.

To verify this configuration, use the command:

show fault-finder broadcast-storm

For the example above, the output shows the configured action, re-enable period and threshold for ports A1-A10.


Limiting outbound broadcast traffic:

In the interface (port) context, the following command limits OUTBOUND broadcast traffic as a percentage of the port's bandwidth. For example, the following allows outbound broadcast traffic up to 1 percent of the capacity of port A11; if A11 is a 1 Gbps port, outbound broadcast traffic is limited to roughly 10 Mbps.

interface A11
    broadcast-limit 1


The range for “broadcast-limit” is 0 to 99 (percent). A value of zero disables broadcast limiting on the specified port.

To verify this configuration, use the command “show interfaces brief A11” and check the last column, Bcast Limit.


Limiting inbound broadcast traffic:

To limit INBOUND broadcast traffic on specific ports, use the following command in the interface context. For example, the command below limits inbound broadcast traffic on port A12 to 10% of the port's bandwidth; excess broadcast frames are dropped as they enter the port, before they are flooded to the other ports:

interface A12
    rate-limit bcast in percent 10
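The three mechanisms above (fault-finder broadcast-storm, broadcast-limit and rate-limit bcast) are easy to mistype and their thresholds are easy to misjudge, so here is an added example, written for this page and not taken from HP or from the original post, that renders the three configuration snippets with range checks and converts a percent threshold into the worst-case packets-per-second it corresponds to. The function names are hypothetical; the CLI syntax and the ranges for “seconds” and “broadcast-limit” are the ones stated above, the 0-100 range for “rate-limit bcast in percent” is an assumption, and the Ethernet preamble and inter-frame gap sizes are standard constants.

```python
"""Render and sanity-check ProCurve broadcast-containment commands.

Added example code (not from HP or the original page). The CLI syntax
follows the page; function names are hypothetical.
"""
from typing import List, Optional

MAX_DISABLE_SECONDS = 604_800   # upper bound for warn-and-disable, 7 days
PREAMBLE_BYTES = 8              # Ethernet preamble + start-frame delimiter
IFG_BYTES = 12                  # minimum inter-frame gap
MIN_FRAME_BYTES = 64            # smallest legal Ethernet frame


def line_rate_pps(port_bps: int, frame_bytes: int = MIN_FRAME_BYTES) -> int:
    """Maximum frames per second a port can carry at a given frame size.

    Each frame occupies frame_bytes + preamble + IFG on the wire, so a
    1 Gbps port saturates at 1e9 / (84 * 8) = 1,488,095 64-byte frames/s.
    """
    bits_on_wire = (frame_bytes + PREAMBLE_BYTES + IFG_BYTES) * 8
    return port_bps // bits_on_wire


def percent_to_pps(percent: int, port_bps: int,
                   frame_bytes: int = MIN_FRAME_BYTES) -> int:
    """Worst-case pps that a 'percent' threshold corresponds to.

    Storms are usually minimum-size frames, so this is the number to
    compare against when deciding between 'percent' and 'pps'.
    """
    bits_on_wire = (frame_bytes + PREAMBLE_BYTES + IFG_BYTES) * 8
    return (port_bps * percent) // (100 * bits_on_wire)


def percent_to_mbps(percent: int, port_mbps: int) -> float:
    """Bandwidth a percent-of-port limit allows (1% of 1000 Mbps = 10 Mbps)."""
    return port_mbps * percent / 100


def fault_finder_line(ports: str, action: str, seconds: Optional[int] = None,
                      percent: Optional[int] = None,
                      pps: Optional[int] = None) -> str:
    """Render 'fault-finder broadcast-storm <ports> action ... [percent|pps]'."""
    if action not in ("warn", "warn-and-disable"):
        raise ValueError("action must be warn or warn-and-disable")
    if action == "warn-and-disable":
        # 0 means the port stays disabled until re-enabled by hand
        if seconds is None or not 0 <= seconds <= MAX_DISABLE_SECONDS:
            raise ValueError(f"seconds must be 0..{MAX_DISABLE_SECONDS}")
        action = f"{action} {seconds}"
    if (percent is None) == (pps is None):
        raise ValueError("give exactly one of percent or pps")
    threshold = f"percent {percent}" if percent is not None else f"pps {pps}"
    return f"fault-finder broadcast-storm {ports} action {action} {threshold}"


def broadcast_limit_lines(port: str, percent: int) -> List[str]:
    """Outbound limit; 'broadcast-limit' takes 0..99, where 0 disables it."""
    if not 0 <= percent <= 99:
        raise ValueError("broadcast-limit percent must be 0..99")
    return [f"interface {port}", f"    broadcast-limit {percent}"]


def rate_limit_bcast_lines(port: str, percent: int) -> List[str]:
    """Inbound limit. The 0..100 range is an assumption, not from the page."""
    if not 0 <= percent <= 100:
        raise ValueError("rate-limit bcast percent must be 0..100")
    return [f"interface {port}", f"    rate-limit bcast in percent {percent}"]


def containment_config() -> List[str]:
    """The page's three examples rendered as one block of CLI lines."""
    lines = [fault_finder_line("A1-A10", "warn-and-disable", seconds=10, percent=40)]
    lines += broadcast_limit_lines("A11", 1)
    lines += rate_limit_bcast_lines("A12", 10)
    return lines


if __name__ == "__main__":
    print("\n".join(containment_config()))
    gig = 1_000_000_000
    print(f"1G line rate at 64-byte frames: {line_rate_pps(gig)} pps")
    print(f"percent 40 on a 1G port is about {percent_to_pps(40, gig)} pps")
```

The pps conversion is the check worth running before picking a threshold: 40% of a 1 Gbps port is almost 600,000 minimum-size frames per second, far more than any legitimate broadcast load on an access port, so a much lower percent or an explicit pps threshold will usually trip earlier on a real storm.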


To verify this configuration, use the command “show rate-limit bcast”, which lists the configured inbound broadcast limit per port.
