20 Replies. Latest reply: Apr 18, 2019 6:35 AM by Martin

    How to recognize STP storm?

    Learner

      Hello all,

      How can I verify if there is an STP storm?

      The Wireshark capture on this one-switch ROAS setup with a 4-host network sees many STP packets. But is there a sure way to verify there is an STP storm? And how to stop it if there is one?

      [attachment: stp.jpg]

         
        • 1. Re: How to recognize STP storm?
          Martin

          You mean Broadcast Storm? If so, see Broadcast Storm (CCNA Complete Video Course Sample) - YouTube

          and see Spanning-tree, intermediate level - YouTube

          There are lots of BPDUs flowing between switches, 1 per VLAN; that's OK unless you have other traffic (other things going on) that all together will bring the CPU to 100%.

          • 2. Re: How to recognize STP storm?
            Ing_Percy

            Hi!

            There are the following terms: broadcast storm and switching loop.

            You can read about it in CLN:

            broadcast storm Vs switching loop

            Also, videos about it:

            Troubleshooting Broadcast Storms and Switching Loops - CompTIA Network+ N10-006 - 4.6 - YouTube

            Troubleshooting Switch Loops - CompTIA Network+ N10-005: 2.5 - YouTube

            Regards!

            • 3. Re: How to recognize STP storm?
              Peter McKenzie

              Hi Learner, this is a CCNP topic.

              Here is some configuration you could put on your interface to stop broadcasts.

              config)# interface fast 0/1
              config-if)# storm-control broadcast level 50
              config-if)# storm-control action shutdown

              If broadcast traffic is over 50 percent of the port bandwidth, the port will shut down.

              Here is a quote from a Cisco text:

              Protecting Layer 2 > Network Access and Layer 2 Multicast

              Data storms in networks can be generated in several different ways, including an intentional denial of service (DoS) attack, a defective network interface card (NIC), a poorly programmed NIC driver, and so on. In order to prevent broadcast, multicast, or even unicast traffic from overwhelming a switch by an inordinate amount of traffic, the storm control feature offers the capability to set thresholds for these types of traffic on a per-port basis.

              Configuration options are on a port basis and offer the capability to specify traffic based on the percentage of bandwidth, bits per second (BPS) or packets per second (PPS). If the threshold is reached, you can either send a Simple Network Management Protocol (SNMP) trap message or shut down the port by placing it in an error-disable state. The configuration parameters are as follows:

              storm-control broadcast level <0.00 - 100.00> / bps / pps
              storm-control multicast level <0.00 - 100.00> / bps / pps
              storm-control unicast level <0.00 - 100.00> / bps / pps
              storm-control action trap
              storm-control action shutdown
              • 4. Re: How to recognize STP storm?
                Ismael da Silva Mariano

                Hello, Learner! How are you doing?

                As I can imagine, an STP storm would stop all communication through the internetwork.

                If you still have access to one switch, you can run one of the variations of the "show spanning-tree" command and check for any inconsistency.

                Below is a link from Cisco about troubleshooting spanning-tree:

                https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/troubleshooting/guide/b_Cisco_Nexus_9000_Seri…

                Cheers!

                • 5. Re: How to recognize STP storm?
                  Martin

                  Normally STP and Cisco switches have prevention built in. If the same BPDU somehow comes back, the port will be put into inconsistent mode and a blocking or disabled state.

                  Try it by plugging the same cable into the same switch, aka a back-to-back link.

                  • 6. Re: How to recognize STP storm?
                    Samer

                    If you mean a broadcast storm, then you should see something like this if you captured traffic on your LAN card, and you will see the number of received packets increase very fast.

                    [attachment: Broadcast.jpg]

                    • 7. Re: How to recognize STP storm?
                      Learner

                      Hi Samer,

                      Thanks for helping.

                      I have a question on the screenshot. The time went from 102411 seconds to 102427 seconds. That's roughly a duration of 16 seconds. In those 16 seconds, there are 13 ARP requests; is that a lot?

                      I thought a broadcast storm or switch loop would send dozens of packets in one second.

                      • 8. Re: How to recognize STP storm?
                        ciscodaze1

                        Hundreds, even thousands per second.

                        • 9. Re: How to recognize STP storm?
                          Samer

                          Apologies for the late reply since I'm on +3 GMT. Yes, this is just an example, but you would see it increase very fast to thousands. I once had a problem like this when the partner/vendor designed the network to use one VLAN for users + printers,

                          and the printers were sending requests to get an IPv6 address, and this caused the whole network to go down, even IP phones which were on a different VLAN, the "voice VLAN"....
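To put numbers on the "is 13 ARP requests in 16 seconds a lot?" question and on the storm-control thresholds quoted earlier in this thread, here is an added example (not code from the thread or from Cisco) that runs a simplified storm-control style check over a constructed frame list: 1-second windows, a `level <pct>` check against link bandwidth and a `pps` check. The frame list, the 100 Mbps link and the 1000 pps threshold are assumptions; the 50 percent level is the one in Peter's config.

```python
"""Simplified model of storm-control rate checks run over a constructed frame list.
Added example, not from the thread: Cisco's real implementation is not reproduced."""
from collections import defaultdict
from dataclasses import dataclass

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    ts: float      # capture timestamp in seconds
    dst: str       # destination MAC
    length: int    # bytes on the wire (header + payload + FCS)


def is_broadcast(dst: str) -> bool:
    return dst.lower() == BROADCAST_MAC


def is_multicast(dst: str) -> bool:
    # I/G bit (least significant bit of the first octet) set, and not broadcast
    return int(dst.split(":")[0], 16) & 1 == 1 and not is_broadcast(dst)


def per_second_buckets(frames, classify):
    """Return {second: (frame_count, byte_count)} for frames whose dst matches classify."""
    buckets = defaultdict(lambda: [0, 0])
    for f in frames:
        if classify(f.dst):
            b = buckets[int(f.ts)]
            b[0] += 1
            b[1] += f.length
    return {sec: tuple(v) for sec, v in buckets.items()}


def storm_seconds(buckets, *, link_bps, level_pct=None, pps=None):
    """Seconds in which the class exceeds the threshold.
    level_pct compares bytes*8 against a percentage of link bandwidth (like
    'level 50'); pps compares frame counts (like 'level pps N')."""
    hits = []
    for sec, (count, nbytes) in sorted(buckets.items()):
        over_pct = level_pct is not None and nbytes * 8 > link_bps * level_pct / 100
        over_pps = pps is not None and count > pps
        if over_pct or over_pps:
            hits.append(sec)
    return hits


def build_sample():
    """Constructed capture: 13 ARP requests spread over 16 s (the screenshot's
    numbers), then a 3-second loop storm of 64-byte broadcasts at 5000/s."""
    frames = [Frame(102411 + i * 16 / 13, BROADCAST_MAC, 60) for i in range(13)]
    for sec in range(102427, 102430):
        frames += [Frame(sec + k / 5000, BROADCAST_MAC, 64) for k in range(5000)]
    return frames


def analyse(frames, link_bps=100_000_000):
    b = per_second_buckets(frames, is_broadcast)
    return {
        "peak_pps": max(c for c, _ in b.values()),
        "by_percent": storm_seconds(b, link_bps=link_bps, level_pct=50),  # Peter's level 50
        "by_pps": storm_seconds(b, link_bps=link_bps, pps=1000),          # assumed pps limit
    }


if __name__ == "__main__":
    print(analyse(build_sample()))
```

Note what the result shows: 5000 small frames per second is only about 2.5 Mbps, so a percent-of-bandwidth level of 50 on a 100 Mbps port never trips, while the pps threshold catches every storm second; the 13 ARPs never exceed 1 per second.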

                          • 10. Re: How to recognize STP storm?
                            Learner

                            Samer wrote:

                            Apologies for the late reply since I'm on +3 GMT. Yes, this is just an example, but you would see it increase very fast to thousands. I once had a problem like this when the partner/vendor designed the network to use one VLAN for users + printers,

                            and the printers were sending requests to get an IPv6 address, and this caused the whole network to go down, even IP phones which were on a different VLAN, the "voice VLAN"....

                            Is it because the printers are trying to get an IPv6 address in an IPv4 VLAN?

                            • 11. Re: How to recognize STP storm?
                              Samer

                              I wouldn't put it like this, but the storm was on the same VLAN with 300 computers and 150 printers.

                              Unfortunately I couldn't find any Wireshark capture for the problem in my emails, but the problem was caused by an IPv6 multicast storm, and this overwhelmed the network physically as well. We had to disable IPv6 on all of the printers manually, and then we implemented multicast storm control as well later on...

                              • 12. Re: How to recognize STP storm?
                                Learner

                                Martin wrote:

                                Normally STP and Cisco switches have prevention built in. If the same BPDU somehow comes back, the port will be put into inconsistent mode and a blocking or disabled state.

                                Try it by plugging the same cable into the same switch, aka a back-to-back link.

                                I can't find a way to use Wireshark to capture anything on a physical switch. What commands would show me there is a switch loop or broadcast storm?

                                I just plugged the same cable into Fa0/3 and Fa0/7 on the same switch. The lights on the ports came up green.

                                The "show spann detail" output doesn't look too bad. In less than 60 seconds, on VLAN1, the BPDU count went from 429 to 450. So that seems normal.

                                But this obviously is a loop. Am I supposed to do something else to generate the loop traffic or broadcast storm?


                                SW1#

                                SW1#show clock

                                14:14:05.887 UTC Tue Apr 16 2019

                                SW1#

                                SW1#

                                SW1#show vlan br


                                VLAN Name                             Status    Ports

                                ---- -------------------------------- --------- -------------------------------

                                1    default                          active    Fa0/2, Fa0/4, Fa0/5, Fa0/6

                                                                                Fa0/8, Fa0/9, Fa0/10, Fa0/11

                                                                                Fa0/12, Fa0/13, Fa0/14, Fa0/15

                                                                                Fa0/16, Fa0/17, Fa0/18, Fa0/19

                                                                                Fa0/20, Fa0/21, Fa0/22, Fa0/23

                                                                                Fa0/24, Gi0/1, Gi0/2

                                10   VLAN0010                         active

                                1002 fddi-default                     act/unsup

                                1003 trcrf-default                    act/unsup

                                1004 fddinet-default                  act/unsup

                                1005 trbrf-default                    act/unsup

                                SW1#

                                SW1#

                                SW1#show int trunk


                                Port        Mode             Encapsulation  Status        Native vlan

                                Fa0/3       desirable        n-isl          trunking      1

                                Fa0/7       desirable        n-isl          trunking      1


                                Port        Vlans allowed on trunk

                                Fa0/3       1-4094

                                Fa0/7       1-4094


                                Port        Vlans allowed and active in management domain

                                Fa0/3       1,10

                                Fa0/7       1,10


                                Port        Vlans in spanning tree forwarding state and not pruned

                                Fa0/3       1,10

                                Fa0/7       none

                                SW1#

                                SW1#

                                SW1#show spann detail


                                VLAN0001 is executing the ieee compatible Spanning Tree protocol

                                  Bridge Identifier has priority 32768, sysid 1, address 000d.bd5e.9f00

                                  Configured hello time 2, max age 20, forward delay 15

                                  We are the root of the spanning tree

                                  Topology change flag not set, detected flag not set

                                  Number of topology changes 1 last change occurred 00:13:46 ago

                                          from FastEthernet0/3

                                  Times:  hold 1, topology change 35, notification 2

                                          hello 2, max age 20, forward delay 15

                                  Timers: hello 0, topology change 0, notification 0, aging 300


                                Port 3 (FastEthernet0/3) of VLAN0001 is designated forwarding

                                   Port path cost 19, Port priority 128, Port Identifier 128.3.

                                   Designated root has priority 32769, address 000d.bd5e.9f00

                                   Designated bridge has priority 32769, address 000d.bd5e.9f00

                                   Designated port id is 128.3, designated path cost 0

                                   Timers: message age 0, forward delay 0, hold 0

                                   Number of transitions to forwarding state: 1

                                   Link type is point-to-point by default

                                   BPDU: sent 429, received 1


                                Port 7 (FastEthernet0/7) of VLAN0001 is backup blocking

                                   Port path cost 19, Port priority 128, Port Identifier 128.7.

                                   Designated root has priority 32769, address 000d.bd5e.9f00

                                   Designated bridge has priority 32769, address 000d.bd5e.9f00

                                   Designated port id is 128.3, designated path cost 0

                                   Timers: message age 1, forward delay 0, hold 0

                                   Number of transitions to forwarding state: 0

                                   Link type is point-to-point by default

                                   BPDU: sent 1, received 430



                                VLAN0010 is executing the ieee compatible Spanning Tree protocol

                                  Bridge Identifier has priority 32768, sysid 10, address 000d.bd5e.9f00

                                  Configured hello time 2, max age 20, forward delay 15

                                  We are the root of the spanning tree

                                  Topology change flag not set, detected flag not set

                                  Number of topology changes 1 last change occurred 00:13:48 ago

                                          from FastEthernet0/3

                                  Times:  hold 1, topology change 35, notification 2

                                          hello 2, max age 20, forward delay 15

                                  Timers: hello 1, topology change 0, notification 0, aging 300


                                Port 3 (FastEthernet0/3) of VLAN0010 is designated forwarding

                                   Port path cost 19, Port priority 128, Port Identifier 128.3.

                                   Designated root has priority 32778, address 000d.bd5e.9f00

                                   Designated bridge has priority 32778, address 000d.bd5e.9f00

                                   Designated port id is 128.3, designated path cost 0

                                   Timers: message age 0, forward delay 0, hold 0

                                   Number of transitions to forwarding state: 1

                                   Link type is point-to-point by default

                                   BPDU: sent 430, received 1


                                Port 7 (FastEthernet0/7) of VLAN0010 is backup blocking

                                   Port path cost 19, Port priority 128, Port Identifier 128.7.

                                   Designated root has priority 32778, address 000d.bd5e.9f00

                                   Designated bridge has priority 32778, address 000d.bd5e.9f00

                                   Designated port id is 128.3, designated path cost 0

                                   Timers: message age 1, forward delay 0, hold 0

                                   Number of transitions to forwarding state: 0

                                   Link type is point-to-point by default

                                   BPDU: sent 1, received 431


                                SW1#

                                SW1#

                                SW1#show spann detail


                                VLAN0001 is executing the ieee compatible Spanning Tree protocol

                                  Bridge Identifier has priority 32768, sysid 1, address 000d.bd5e.9f00

                                  Configured hello time 2, max age 20, forward delay 15

                                  We are the root of the spanning tree

                                  Topology change flag not set, detected flag not set

                                  Number of topology changes 1 last change occurred 00:14:28 ago

                                          from FastEthernet0/3

                                  Times:  hold 1, topology change 35, notification 2

                                          hello 2, max age 20, forward delay 15

                                  Timers: hello 0, topology change 0, notification 0, aging 300


                                Port 3 (FastEthernet0/3) of VLAN0001 is designated forwarding

                                   Port path cost 19, Port priority 128, Port Identifier 128.3.

                                   Designated root has priority 32769, address 000d.bd5e.9f00

                                   Designated bridge has priority 32769, address 000d.bd5e.9f00

                                   Designated port id is 128.3, designated path cost 0

                                   Timers: message age 0, forward delay 0, hold 0

                                   Number of transitions to forwarding state: 1

                                   Link type is point-to-point by default

                                   BPDU: sent 450, received 1


                                Port 7 (FastEthernet0/7) of VLAN0001 is backup blocking

                                   Port path cost 19, Port priority 128, Port Identifier 128.7.

                                   Designated root has priority 32769, address 000d.bd5e.9f00

                                   Designated bridge has priority 32769, address 000d.bd5e.9f00

                                   Designated port id is 128.3, designated path cost 0

                                   Timers: message age 1, forward delay 0, hold 0

                                   Number of transitions to forwarding state: 0

                                   Link type is point-to-point by default

                                   BPDU: sent 1, received 451



                                VLAN0010 is executing the ieee compatible Spanning Tree protocol

                                  Bridge Identifier has priority 32768, sysid 10, address 000d.bd5e.9f00

                                  Configured hello time 2, max age 20, forward delay 15

                                  We are the root of the spanning tree

                                  Topology change flag not set, detected flag not set

                                  Number of topology changes 1 last change occurred 00:14:30 ago

                                          from FastEthernet0/3

                                  Times:  hold 1, topology change 35, notification 2

                                          hello 2, max age 20, forward delay 15

                                  Timers: hello 1, topology change 0, notification 0, aging 300


                                Port 3 (FastEthernet0/3) of VLAN0010 is designated forwarding

                                   Port path cost 19, Port priority 128, Port Identifier 128.3.

                                   Designated root has priority 32778, address 000d.bd5e.9f00

                                   Designated bridge has priority 32778, address 000d.bd5e.9f00

                                   Designated port id is 128.3, designated path cost 0

                                   Timers: message age 0, forward delay 0, hold 0

                                   Number of transitions to forwarding state: 1

                                   Link type is point-to-point by default

                                   BPDU: sent 451, received 1


                                Port 7 (FastEthernet0/7) of VLAN0010 is backup blocking

                                   Port path cost 19, Port priority 128, Port Identifier 128.7.

                                   Designated root has priority 32778, address 000d.bd5e.9f00

                                   Designated bridge has priority 32778, address 000d.bd5e.9f00

                                   Designated port id is 128.3, designated path cost 0

                                   Timers: message age 1, forward delay 0, hold 0

                                   Number of transitions to forwarding state: 0

                                   Link type is point-to-point by default

                                   BPDU: sent 1, received 452


                                SW1#

                                SW1#

                                SW1#show clock

                                14:15:06.423 UTC Tue Apr 16 2019

                                SW1#
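To put numbers on the BPDU counters in the output above, here is an added example (not code from the thread or from Cisco) that parses two `show spanning-tree detail` snapshots together with their `show clock` lines and reports each port's BPDU send/receive rate against the configured 2-second hello time. It embeds a trimmed copy of the VLAN0001 lines from the output above as its sample input; the `storm_factor` threshold is an assumption.

```python
"""Compare two 'show spanning-tree detail' snapshots and report per-port BPDU rates.
Added example; SNAP_A/SNAP_B are trimmed copies of the VLAN0001 lines in the thread."""
import re
from datetime import datetime

SNAP_A = """\
14:14:05.887 UTC Tue Apr 16 2019
VLAN0001 is executing the ieee compatible Spanning Tree protocol
  Configured hello time 2, max age 20, forward delay 15
Port 3 (FastEthernet0/3) of VLAN0001 is designated forwarding
   BPDU: sent 429, received 1
Port 7 (FastEthernet0/7) of VLAN0001 is backup blocking
   BPDU: sent 1, received 430
"""
SNAP_B = """\
14:15:06.423 UTC Tue Apr 16 2019
VLAN0001 is executing the ieee compatible Spanning Tree protocol
  Configured hello time 2, max age 20, forward delay 15
Port 3 (FastEthernet0/3) of VLAN0001 is designated forwarding
   BPDU: sent 450, received 1
Port 7 (FastEthernet0/7) of VLAN0001 is backup blocking
   BPDU: sent 1, received 451
"""

CLOCK = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) UTC (\w{3} \w{3} \d+ \d{4})")
VLAN = re.compile(r"^VLAN(\d+) is executing")
HELLO = re.compile(r"hello time (\d+)")
PORT = re.compile(r"^Port \d+ \((\S+)\) of VLAN\d+ is (.+)$")
BPDU = re.compile(r"BPDU: sent (\d+), received (\d+)")


def parse(text):
    """Return (clock timestamp, {(vlan, port): {role, hello, sent, received}})."""
    ts, vlan, hello, port, ports = None, None, None, None, {}
    for line in text.splitlines():
        line = line.strip()
        if m := CLOCK.match(line):
            ts = datetime.strptime(f"{m[1]} {m[2]}", "%H:%M:%S.%f %a %b %d %Y")
        elif m := VLAN.match(line):
            vlan = int(m[1])
        elif m := HELLO.search(line):
            hello = int(m[1])
        elif m := PORT.match(line):
            port = m[1]
            ports[(vlan, port)] = {"role": m[2], "hello": hello}
        elif m := BPDU.search(line):
            ports[(vlan, port)].update(sent=int(m[1]), received=int(m[2]))
    return ts, ports


def bpdu_rates(snap_a, snap_b, storm_factor=3.0):
    """Per-port BPDU/s between the snapshots; 'suspicious' when the receive rate
    is storm_factor times what one BPDU per hello interval would produce."""
    ta, pa = parse(snap_a)
    tb, pb = parse(snap_b)
    secs = (tb - ta).total_seconds()
    out = {}
    for key, b in pb.items():
        a = pa[key]
        expected = 1.0 / b["hello"]          # one BPDU per hello interval
        rx = (b["received"] - a["received"]) / secs
        tx = (b["sent"] - a["sent"]) / secs
        out[key] = {"role": b["role"], "tx_per_s": round(tx, 3),
                    "rx_per_s": round(rx, 3), "expected_per_s": expected,
                    "suspicious": rx > storm_factor * expected}
    return secs, out


if __name__ == "__main__":
    secs, report = bpdu_rates(SNAP_A, SNAP_B)
    print(f"interval {secs:.1f}s")
    for (vlan, port), r in report.items():
        print(vlan, port, r)
```

On the thread's numbers the 21 BPDUs over 60.5 s come out at about 0.35 per second on each port, below the 0.5 per second a 2-second hello produces, and Fa0/7 is reported as backup blocking: the loop is being blocked, not storming.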

                                • 13. Re: How to recognize STP storm?
                                  Ing_Percy

                                  Hi!

                                  The lights on the connection between switchports in the same switch can be green even if it is a loop. Only in Cisco Packet Tracer can you see the BLOCKING lights, to learn the concepts of STP (process of study).

                                  If STP is enabled, and the switchports are connected to each other in the same switch, then one switchport will be a BACKUP port.

                                  Reference: https://ccieblog.co.uk/spanning-tree/rstp-alternate-and-backup-ports

                                  Regards!

                                  • 14. Re: How to recognize STP storm?
                                    Learner

                                    Ing_Percy wrote:

                                    Hi!

                                    The lights on the connection between switchports in the same switch can be green even if it is a loop. Only in Cisco Packet Tracer can you see the BLOCKING lights, to learn the concepts of STP (process of study).

                                    If STP is enabled, and the switchports are connected to each other in the same switch, then one switchport will be a BACKUP port.

                                    Reference: https://ccieblog.co.uk/spanning-tree/rstp-alternate-and-backup-ports

                                    Regards!

                                    I just noticed now. In the output I have above, the port F0/7 is in backup blocking mode for both VLAN1 and VLAN10. STP is working and there is no loop.

                                    So what did Martin want me to try and see?