Figure 1. A Broadcast Storm - occurs when spanning tree is not invoked in Ethernet switches that are connected in a circular manner. Unknown unicast and broadcast packets endlessly loop causing the hardware to become overwhelmed.
Figure 2. Normal Operation - IEEE 802.1d, 802.1s or 802.1w Spanning Tree is used to prevent loops on Ethernet networks. Spanning tree blocks one interface hence eliminating loops and the possibility of broadcast storms.
What is a Broadcast Storm?

A broadcast storm is a description of frame flooding behaviour that occurs under specialized conditions in an Ethernet network. During a broadcast storm Ethernet frames are caught in an endless loop and continue to be retransmitted until the network switch is overwhelmed or the loop is terminated.

The broadcast of unknown unicast and/or broadcast frames to all switchports is part of normal brisging operations as defined by the IEEE 802.1d standard. However, this operation is intended to work in a physical and logical loop free environment. The spanning tree protocol ensures that this occurs but occasionally this protocol is switched off or configured in such a way that it is unable to operate correctly. When an ethernet network finds Spanning tree missing or disabled and with a physical loop created by the cabling configuration a broadcast storm will occur.

Note: Ethernet frames do not have a TTL (time to live) field, the frames have no way of timing out and are therefore retransmitted over and over in an endless loop known as a broadcast storm. As more and more packets are caught in the loop the switch becomes overwhelmed with the amount of traffic and may eventually crash or reboot.

After several experiments with broadcast storms we noted that the faster the switch the faster that the storm will take down the network.

Background knowledge

An Ethernet switch will remember the port in which it first heard a particular MAC address. This functionality distinguishes switches from hubs, where a hub must broadcast packets out of every port,

A switch can intelligently send a packet to the port where the destination device is attached. There are two circumstances, however, where a switch must broadcast packets to every port, and it is this (required) functionality that is at the center of broadcast storms.

  • The first circumstance is when the switch has not yet learned the physical location of a destination MAC address. In that instance the switch will broadcast the frame to every port.

  • Another instance where a switch broadcasts frames to every port is when it receives a special packet known as a broadcast packet. Broadcast packets are retransmitted out of every port by design. They are normally used to discover other network devices or services on the same segment.

Whilst both of these functions have been built in by design, they are both at the center of broadcast storm traffic. They are the fuel for the storm, but they are not the cause.

The Storm

When broadcasts packets (created by either of the aforementioned circumstances) are caught in a loop (see Figure 1.), packets are sent endlessly from one switch to another causing the switch to overload and eventually fail.
Figure 3. Normal Operation - Physically disconnecting ports also prevents broadcast storms as there is no physical loop in the network.

The Extent (reach) of the Storm

Every switch that has ports in the same VLAN as the source VLAN of the broadcast storm will be affected. This is because broadcast packets are designed to be transmitted to every port in the VLAN. Whether switches are connected together by access ports or by trunk ports (802.1q) is irrelevant, so long as broadcast packets can be transmitted on the port then the switch is vulnerable.

What causes Broadcast Storms?

Ethernet switches are designed under the assumption that there will never be a circular loop connecting them together. Whilst you are permitted to physically connect switches in a loop you will find that under normal operation a protocol known as spanning tree (IEEE 802.1d 802.1s or 802.1w) will block every port that completes the loop. In other words, under normal circumstances there will not be a logical loop anywhere on an Ethernet network, regardless of how the network is physically wired.

With this in mind, you could say that a broadcast storm is the absence of spanning tree. For one reason or another either spanning tree is turned off or the BPDUs used by spanning tree in order to gauge the topology of the network are being filtered somewhere on the network.

Safeguarding the Network

The safeguard against loops on switches is the use of the spanning tree protocol IEEE 802.1d, IEEE802.1s or IEEE802.1w. In other words, if you are experiencing a broadcast storm then you should look to see what is preventing the spanning tree BPDUs from detecting and preventing the loop.

Spanning tree ensures that if there is any wiring that is connected in a circular manner that transmission it will stop one of those ports hence eliminating the loop. (See Figure 2.) Many people blame spanning tree for broadcast storms but in fact it is the absence of spanning tree that causes the broadcast storm.

Another way of preventing storms is to ensure that there are no switches with physical dual connections to the network. This is generally not desirable, however, as dual connections are often used as redundant paths in the event that one link fails.

What damage can a Broadcast Storm Cause?

A broadcast storm will become progressively more severe because packets continue to loop around endlessly without reaching their destination. They are soon joined by new broadcasts which also get stuck in the loop. Eventually the switch will become overwhelmed with traffic and either crash or reboot. Switches can become so overloaded during a storm that any form of management becomes impossible. In this case, one should find the offending cable or device that is causing a physical loop and unplug it or switch it off.

How quickly do Broadcast Storms form?

I have done a few experiments with broadcast storms and have found that small low end switches can take one or two minutes before performance is severely affected after the storm starts. The time taken seems to vary between models.

The large high end switches were affected almost instantly. Their incredible speed and brute forwarding power worked against them in this instance.

Related Site Information

Networks
What is a network
What is a router
Switch QOS


Facts About Broadcasts

Broadcast are logically defined as an IP (Layer 3) packet and physically transmitted using a special Ethernet (Layer 2) address.
When an IP Broadcast packet is sent via the special IP address 255.255.255.255, the corresponding Ethernet address is FFFF:FFFF:FFFF

There are two types of Broadcasts.

  • Limited broadcast: IP 255.255.255.255
  • Directed broadcast: IP <network>.<broadcast IP>. For example in the network 192.168.1.0/24 the directed broadcast is 192.168.1.255. a directed broadcast is useful when a broadcast packet needs to be transmitted outside of the subnet. Although historically many directed broadcasts were ill intended the recent increased adoption of technologies like WOL (Wake on LAN) have found legitimate uses for the technology.

IP Version 6 does have or not use broadcasts. They have been replaced by the use of link local addresses and multicasts.
Share |
Custom Search
IT Pathways - The IT Careers Encyclopedia
Menu filter