Re: How to control broadcast traffic with 5800 series switches
rhinkamper
Occasional Contributor

How to control broadcast traffic with 5800 series switches

I have been tasked with preventing broadcast issues in a LAN without the use of a VLAN. I would personally like to use VLANs, but it is out of my hands (for now). I have 5800 series Procurve switches and was looking at implementing the "Automatic Broadcast Control" (ABC), but I am not sure of the positives vs. negatives. Can someone lay it out?

paulgear
Esteemed Contributor

Re: How to control broadcast traffic with 5800 series switches

Hi rhinkamper,

Broadcast suppression will help to reduce the impact of broadcasts if they are a cause of performance issues on your network.

I've found that broadcast control must be set to a very low percentage (I've used 1-5%) to make a difference, if it makes any difference at all. On Comware, you can use a packet-per-second count, so this allows you to tune it down to a lower value.

Note also that broadcast control will also drop multicast traffic. Both multicast and broadcast are used for normal operation of a network, so you may experience some problems when dropping them. A much better solution (as you noted) is to reduce the size of the broadcast domain by segmenting into smaller VLANs.
Regards,
Paul
Peter_Debruyne
Honored Contributor
Solution

Re: How to control broadcast traffic with 5800 series switches

Hi,

Paul is right, the broadcast limit should be very low to be effective. Most non-multicore end-point devices will be at 100% CPU load if they get like 200Mbps of broadcast traffic.

As mentioned, on Comware you can set the value in packets per second (pps), so I typically set a value between 200-2000pps, depending on edge ports or uplink ports and customer input.

Consider that broadcasts are only used for some name services, DHCP and ARP, so you should never reach 200pps.

Comware also allows you to control broadcast and multicast with separate values, so you can really put tight control on broadcast traffic, while allowing more packets for multicast applications.

If you expect e.g. 20Mbps multicast video streams, depending on the actual packet size you can roughly set 5000pps (assuming 500 bytes payload per packet).

The last security feature of Comware is the unknown unicast suppression. When a L2 switch receives a frame with an unknown destination MAC address, this frame will be flooded to all ports. This can be a very easy technique for one system to overload the entire network (just send a bogus UDP stream to an unknown unicast dst MAC and all ports of that VLAN will be getting that stream). The feature is unknown unicast suppression, but the actual command is "unicast-suppression", so do not let the command confuse you.

This is a typical edge port configuration:

int range g1/0/1 to g1/0/24
 broadcast-suppression pps 200
 multicast-suppression pps 200
 unicast-suppression pps 200


For uplinks you can either apply the same values or increase them to respect the aggregation number of all the edge ports.

Make sure to configure this on all the switches, and all switch ports.

When you have IMC, you should also enable monitoring of the incoming broadcast packets per second and set an alert if it passes a value of e.g. 150. The problem with the aggressive suppression values is that you will not notice there is a loop on the network, so your monitoring system should notify you.

Best regards,
Peter.
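The sizing and monitoring steps from Peter's reply, worked through as an added example (my code, not from the thread or from Comware/IMC): the pps estimate for a multicast stream, the uplink limit scaled by the number of aggregated edge ports, the edge-port stanza, and a loop check that compares two snapshots of per-port broadcast counters against the 150 pps alert value. The counter snapshots are constructed sample data, and the port names and 60-second polling interval are my assumptions.

```python
from typing import Dict, List

# Packets per second a stream of `mbps` generates when every frame carries
# `payload_bytes` of payload. Framing overhead is ignored, as in the reply's
# rough estimate (20 Mbps at 500 bytes per packet comes out at 5000 pps).
def pps_for_stream(mbps: float, payload_bytes: int) -> int:
    return round(mbps * 1_000_000 / 8 / payload_bytes)

# An uplink carries the aggregate of the edge ports behind it, so its limit
# is the edge limit multiplied by the number of edge ports it aggregates.
def uplink_limit(edge_pps: int, edge_ports: int) -> int:
    return edge_pps * edge_ports

# Render the edge-port stanza from the reply for a port range, with separate
# broadcast / multicast / unknown-unicast values (note: the unknown-unicast
# command is spelled "unicast-suppression").
def suppression_config(first: int, last: int,
                       bcast: int, mcast: int, ucast: int) -> List[str]:
    return [
        f"int range g1/0/{first} to g1/0/{last}",
        f" broadcast-suppression pps {bcast}",
        f" multicast-suppression pps {mcast}",
        f" unicast-suppression pps {ucast}",
    ]

# The loop check the reply wants from the monitoring system: counters are
# cumulative, so the input-broadcast rate per port is the delta between two
# snapshots divided by the polling interval; ports above the threshold are
# returned with their rate.
def broadcast_alerts(before: Dict[str, int], after: Dict[str, int],
                     interval_s: int, threshold_pps: int = 150) -> Dict[str, float]:
    alerts: Dict[str, float] = {}
    for port, count in after.items():
        rate = (count - before.get(port, 0)) / interval_s
        if rate > threshold_pps:
            alerts[port] = rate
    return alerts

# Constructed sample: cumulative input-broadcast counters taken 60 s apart.
SNAPSHOT_T0 = {"GigabitEthernet1/0/1": 10_000, "GigabitEthernet1/0/7": 52_300,
               "GigabitEthernet1/0/24": 810}
SNAPSHOT_T1 = {"GigabitEthernet1/0/1": 11_200, "GigabitEthernet1/0/7": 64_600,
               "GigabitEthernet1/0/24": 900}

if __name__ == "__main__":
    print(pps_for_stream(20, 500))                    # 5000
    print(uplink_limit(200, 24))                      # 4800
    print("\n".join(suppression_config(1, 24, 200, 200, 200)))
    print(broadcast_alerts(SNAPSHOT_T0, SNAPSHOT_T1, 60))  # port 7 at 205 pps
```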