Solved: Re: Strom control. How to find storming vlan?

Alex M · ‎10-12-2017

Hi,

I've got a cisco 6500 switch and dot1q trunk on one of its ports. But sometimes I face with storm on some vlan on the trunk. And I still can't find any useful way to detect which of vlans storms my switch. Of course, I can check all counters on vlan interfaces, but it's so long. Is there any simple way to detect a guilty vlan?

P.S. : Sorry for my English.

Austin Sabio · ‎10-13-2017

Typically, storm control is a type of traffic control in layer-2 environment mainly deployed on access ports. Therefore, you have a mechanism for storm control that can take action with the shutdown mode or can be useful by identifying exact switch ports based on SNMP traps. Keep in mind, storm control needs to be placed closest to the suspected source and placing storm control on trunk defeat this purpose..

Router# show top counters interface report 1
Started By        : console
Start Time        : 08:18:25 UTC Tue Nov 23 2004
End Time          : 08:19:42 UTC Tue Nov 23 2004
Port Type         : All
Sort By           : util
Interval          : 76 seconds
Port    Band  Util Bytes       Packets     Broadcast  Multicast  In-  Buf-
        width      (Tx + Rx)   (Tx + Rx)   (Tx + Rx)  (Tx + Rx)  err  ovflw
------- ----- ---- ----------- ----------- ---------- ---------- ---- -----
Fa2/5   100   50   726047564   11344488    11344487   1          0    0   
Fa2/48  100   35   508018905   7937789     0          43         0    0   
Fa2/46  100   25   362860697   5669693     0          43         0    0   
Fa2/47  100   22   323852889   4762539     4762495    43         0    0   
Fa2/6   100   15   217815835   3403372     0          39         21   0   
Fa2/44  100   10   145146009   2267900     0          43         0    0   
Gi4/15  1000  0    0           0           0          0          0    0   
Gi4/14  1000  0    0           0           0          0          0    0   
Gi4/13  1000  0    0           0           0          0          0    0   
Gi4/12  1000  0    0           0           0          0          0    0   
Gi4/11  1000  0    0           0           0          0          0    0   
Gi4/10  1000  0    0           0           0          0          0    0   
Gi4/9   1000  0    0           0           0          0          0    0   
Gi4/8   1000  0    776         2           0          2          0    0   
Gi4/7   1000  0    0           0           0          0          0    0   
Gi4/6   1000  0    0           0           0          0          0    0   
Gi4/5   1000  0    0           0           0          0          0    0   
Gi4/4   1000  0    0           0           0          0          0    0   
Gi4/3   1000  0    776         2           0          2          0    0   
Gi4/2   1000  0    0           0           0          0          0    0

Switch# show interfaces counters storm-control
 Port Broadcast Multicast Level TotalSuppressedPackets
 Fa2/1 Enabled Disabled 10.00% 46516510
 Gi3/1 Enabled Enabled 50.00% 0
 Switch# show storm-control
 Interface Filter State Broadcast Multicast Level
 --------- ------------- --------- --------- -----
 Fa2/1 Blocking Enabled Disabled 10.00% 
 Gi3/1 Link Down Enabled Enabled 50.00%

However, in the case of how to detect flooding vlan, bascially you are asking how to monitor vlan's traffic then go with SVI monitorting using MRT or PRTG.

I hope this helps and good luck! Please don't forget to mark correct and helpful answers to benefit others.
-Austin

View solution in original post

Austin Sabio · ‎10-12-2017

Please see

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/storm.html#67475

useful links:

http://packetlife.net/blog/2008/nov/27/storm-control/

https://www.netcraftsmen.com/understanding-cisco-traffic-storm-control/

I hope this helps and good luck!

-Austin

Alex M · ‎10-12-2017

Thank you for your reply!
I forgot to write, I had configured strom control on physical port. And I sometimes see messages in logs: "%PM_PLATFORM-5-PORTDROP: Port GigabitEthernet3/6 dropped packets due to storm control". But I need to detect flooding vlan ;)

Austin Sabio · ‎10-13-2017

Typically, storm control is a type of traffic control in layer-2 environment mainly deployed on access ports. Therefore, you have a mechanism for storm control that can take action with the shutdown mode or can be useful by identifying exact switch ports based on SNMP traps. Keep in mind, storm control needs to be placed closest to the suspected source and placing storm control on trunk defeat this purpose..

Router# show top counters interface report 1
Started By        : console
Start Time        : 08:18:25 UTC Tue Nov 23 2004
End Time          : 08:19:42 UTC Tue Nov 23 2004
Port Type         : All
Sort By           : util
Interval          : 76 seconds
Port    Band  Util Bytes       Packets     Broadcast  Multicast  In-  Buf-
        width      (Tx + Rx)   (Tx + Rx)   (Tx + Rx)  (Tx + Rx)  err  ovflw
------- ----- ---- ----------- ----------- ---------- ---------- ---- -----
Fa2/5   100   50   726047564   11344488    11344487   1          0    0   
Fa2/48  100   35   508018905   7937789     0          43         0    0   
Fa2/46  100   25   362860697   5669693     0          43         0    0   
Fa2/47  100   22   323852889   4762539     4762495    43         0    0   
Fa2/6   100   15   217815835   3403372     0          39         21   0   
Fa2/44  100   10   145146009   2267900     0          43         0    0   
Gi4/15  1000  0    0           0           0          0          0    0   
Gi4/14  1000  0    0           0           0          0          0    0   
Gi4/13  1000  0    0           0           0          0          0    0   
Gi4/12  1000  0    0           0           0          0          0    0   
Gi4/11  1000  0    0           0           0          0          0    0   
Gi4/10  1000  0    0           0           0          0          0    0   
Gi4/9   1000  0    0           0           0          0          0    0   
Gi4/8   1000  0    776         2           0          2          0    0   
Gi4/7   1000  0    0           0           0          0          0    0   
Gi4/6   1000  0    0           0           0          0          0    0   
Gi4/5   1000  0    0           0           0          0          0    0   
Gi4/4   1000  0    0           0           0          0          0    0   
Gi4/3   1000  0    776         2           0          2          0    0   
Gi4/2   1000  0    0           0           0          0          0    0

Switch# show interfaces counters storm-control
 Port Broadcast Multicast Level TotalSuppressedPackets
 Fa2/1 Enabled Disabled 10.00% 46516510
 Gi3/1 Enabled Enabled 50.00% 0
 Switch# show storm-control
 Interface Filter State Broadcast Multicast Level
 --------- ------------- --------- --------- -----
 Fa2/1 Blocking Enabled Disabled 10.00% 
 Gi3/1 Link Down Enabled Enabled 50.00%

However, in the case of how to detect flooding vlan, bascially you are asking how to monitor vlan's traffic then go with SVI monitorting using MRT or PRTG.

I hope this helps and good luck! Please don't forget to mark correct and helpful answers to benefit others.
-Austin

Alex M · ‎10-15-2017

Thank you very mutch for "top report" command. I didn't know about it before. Unfortunately, it can be used for physical interfaces only. I'm going to write a script which will get information about vlans via SNMP and show me report :)

Thank you very mutch!