Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7585
Views
5
Helpful
2
Replies

How to identify broadcast traffic source on vlan1 cisco 2960 switch

ciscokalpesh
Level 1
Level 1

‎10-30-2017 04:31 AM - edited ‎03-08-2019 12:33 PM

Hello All,

We have flat VLAN1 network and are facing issue with broadcast traffic on a particular switch. We have Cisco switch with below details,

Model: WS-2960-48TT-L

SW Version: 12.2(25)SEE4

SW Image: C2960-LANBASEK9-M

 

The ports on this switch are connected with different Wireless ISP routers and Point-2-Point devices as well as to some computers.

One of the ISP has complains that there is lot of broadcast traffic getting generated from the port connected from our switch to their router only during weekend and at late hours. During this time, there is no activity on the network since it is an off-day and also we do not suspect any such scheduled activity that would cause this. It has just started from past few weeks and happens once a week for few hours only !

To troubleshoot, i thought to connect a computer to that switch with Wireshark and configure Port Monitor options. I configured it as follows,

Switch(config)#monitor session 1 source interface Fa0/12 (This port connects to ISP's router)

Switch(config)#monitor session 1 destination interface Fa0/14 (This port connects to computer with Wireshark)

The issue is that the moment i configure the monitor for destination command, that computer cannot be reached from the network. The port on the switch to which the computer is connected is Green, but when i check from the switch it shows Status as UP but Protocol as DOWN.

 

Can someone guide if this is normal or is there any other way to monitor traffic in order to identify the source of broadcast traffic being generated as described above.

 

I hope i am able to explain clearly.

 

Any guidance shall be highly appreciated.

 

Regards,

K

 

 

Labels:
0 Helpful
2 Replies 2

Georg Pauwen
VIP
VIP

‎10-30-2017 05:24 AM

Hello,

 

the command:

 

show controllers ethernet-controller

 

gives you statistics about a.o. the broadcast frames processed on an interface. I would manually check all ports you suspect for excessive broadcast frames.

 

Also, in order to remedy the problem in the meantime, you can use the interface command 'storm-control broadcast', e.g.:

 

storm-control broadcast level 20

ciscokalpesh
Level 1
Level 1
In response to Georg Pauwen

‎10-30-2017 05:56 AM

Hello Georg,

 

Thanks for the reply.

The command "show controllers ethernet-controller" is very informative. I am not very good with the numbers i see in the output, but would try to figure out the ones' with the maximum broadcast frames and focus on that.

 

I will enable the storm-control on all the interface that are connected on the switch except the ISP's port and watch on the weekend. Shall i also enable it on the trunk/uplink interface ?

 

With above done, even if i identify the port on this switch, there would be many sites from which the traffic would be generating, so i was thinking to enable port monitor as source on the ISP's interface on the switch and connect a computer with Wireshark as destination and capture the traffic over weekend. Do you think this will help in finding the source of the broadcast ? If yes, then i am also facing issue with its config as explained above, that the destination port on the switch (i.e. computer's) cannot be reached through network. The Status on the switch of that port is UP but Protocol is DOWN.

 

Can you please guide on that.

 

Thanks again.

K

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card