Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5639
Views
6
Helpful
8
Replies

%STORM_CONTROL-3-SHUTDOWN - How do know if mulitcast or broadcast triggered it

jmandersson
Level 1
Level 1

‎11-13-2015 04:12 AM - edited ‎03-08-2019 02:41 AM

Hi Experts,

I'm trying to tune our Storm-Control settings on host ports and have problems to determine if it's broadcast or multicast levels that's need to be adjusted.

When the upper level has been exceeded, a syslog is generated but it does not includ information if it was broadcast or multicast. show storm-control interface only show current level so it does not help me.

Any creative idea's are welcome!

Regards,

JOhan

1 person had this problem
Labels:
0 Helpful
8 Replies 8

Ganesh Hariharan
VIP Alumni
VIP Alumni

‎11-13-2015 08:36 AM

Hello Johan,

I belive show strom-control can give details with interface , type , filter state , upper , lower level and current rate.

Hope it Helps..

-GI

0 Helpful

jmandersson
Level 1
Level 1
In response to Ganesh Hariharan

‎11-15-2015 11:14 PM

Hi,

No, show storm-control only show configured values and current rate. That does not help me to afterwards determine which of the threshold that where exceeded.

/

Johan

0 Helpful

InayathUlla Sharieff
Cisco Employee
Cisco Employee

‎11-15-2015 11:19 PM

Johan,

The below link will help you:-

http://www.netcraftsmen.com/understanding-cisco-traffic-storm-control/

http://packetlife.net/blog/2008/nov/27/storm-control/

HTH

Regards

Inayagth

0 Helpful

jmandersson
Level 1
Level 1
In response to InayathUlla Sharieff

‎11-15-2015 11:55 PM

Hi Inayagth,

Thanks for the link, good info indeed.

Packetlifes blogpost show an intressting difference:

Packelifes example log:" %STORM_CONTROL-3-FILTERED: A Broadcast storm detected on Fa0/5. A packet filter action has been applied on the interface."

Fro the switches I'm currently working on (3650):  %STORM_CONTROL-3-SHUTDOWN: A packet storm was detected on Gi1/0/28. The interface has been disabled.

The 3650 does not point out that it was a broadcast storm, it just says a paket storm

The blogpost on Netcraftsmen do help, it explains that there are in fact one threshold, not seperate for Broadcast, Multicast or Unicast.  Unforuntally it seems to be platform dependet.

johnnylingo
Level 5
Level 5
In response to jmandersson

‎02-10-2016 11:54 AM

I have Storm Control enabled on a  3750 stack, code 15.0(2)SE8.  I do see a distinction in the logs:

%STORM_CONTROL-3-FILTERED: A Unicast storm detected on Gi2/0/21. A packet filter action has been applied on the interface

I assuming the 3650 is running IOS-XE?  Perhaps that's why the messaging is different.

0 Helpful

johnnylingo
Level 5
Level 5
In response to johnnylingo

‎02-10-2016 12:58 PM

I added the "storm-control action shutdown" statement on my ports and now see these:

%PM-4-ERR_DISABLE: storm-control error detected on Gi1/0/1, putting Gi1/0/1 in err-disable state
%STORM_CONTROL-3-SHUTDOWN: A packet storm was detected on Gi1/0/1. The interface has been disabled.

So I'd conclude that the log message only differentiates unicast/broadcast/multicast when filtering.  Enabling shutdown causes it to not log which type of storm occurred.

jmandersson
Level 1
Level 1
In response to johnnylingo

‎02-11-2016 01:32 AM

That's an interessting finding. I will definitly test that.

Thanks!

0 Helpful

simr1874
Level 1
Level 1

‎04-20-2022 08:23 PM

Hello Guys,

 

I am getting the events on Qradar about Multicast storm detected on Te0/5/8. A packet filter action has been applied on the interface. I just wanted to know that is there an security issue with this or not?

Thanks,

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card