Switches, Hubs, and Modems
cancel
Showing results for 
Search instead for 
Did you mean: 

Network Flood

Monther Yasin
Occasional Visitor

Network Flood

I have had few incidents where the network slows down to be unusable, most of the switches shows 100% traffic on many ports. tracking it down, it end up being one device on the network causing this flood. One instance it was VoIP phone and other it was just a bad cable. Any body else had this type of issue also anyone aware of any device that I can plug to point me to the bad node that is flooding the network. Last time, i ran wireshark and unpluged one uplink at a time to get to the source switch and did the same for every port on the switch. I am not running any spanning tree or port turnking.

Thank for your help.
8 REPLIES
Mohammed Faiz
Honored Contributor

Re: Network Flood

Hi,

What series of switches are you running?
You can get the output of logs collated in Procurve Manager that will report any excess broadcasts on ports (depending on the size of your network this maybe useful or just information overload).
Monther Yasin
Occasional Visitor

Re: Network Flood

Thanks for your reply. I have few of 5406zl, 4200zl, 3400cl and some of 2800 and 2600. During the incident I have seen many excessive ports on almost all switches in the procurve manager but had a hard time to point to the source port.
Mohammed Faiz
Honored Contributor

Re: Network Flood

The first port (sorted on time) to report an issue in PCM should be your first suspect.
On the 5400 series you can limit broadcast traffic inbound on a port (so sensible to do on your distribution level if you have this issue often). For example:

5400(config)# interface A1 rate-limit bcast in percent 20
Richard Brodie_1
Honored Contributor

Re: Network Flood

Another way to approach the problem is to see what your network is being flooded with. If wireshark gives you a useful source address, you can just unplug or MAC ban the offending device.
Trevor Commulynx
Regular Advisor

Re: Network Flood

Turn on spanning Tree. you will probably find someone has created a loop on your network. or you can run the Loop detect if you dont want to run spanning tree.

TRev.
Monther Yasin
Occasional Visitor

Re: Network Flood

Thanks for everyone's reply.

I guess the question is can I turn on spanning tree to prevent loop back without having multiple links "port trunking" enabled.

Mohammed Faiz
Honored Contributor

Re: Network Flood

It's the other way around. You cannot have multiple links that are not trunks if you don't use spanning tree.

i.e.

- Mulitple links in Trunks without spanning tree = OK

- Multiple links without spanning tree = BAD

- Multiple links with spanning tree = OK
netvis
Advisor

Re: Network Flood

HP switches include built-in traffic monitoring using the sFlow standard. Setting up sFlow traffic monitoring on the switches would let you quickly identify the source address, protocol and location of the packet flood.

For more information:
http://blog.sflow.com/2009/06/trying-out-sflow.html