How to control network flooding?

How to control network flooding?

Unicast, multicast, or broadcast traffic are building blocks of today Ethernet networks. Unicast is used when two network nodes need to talk to each other, thus in this case there is just one sender, and one receiver. It is the predominant form of transmission on LANs, with applications like http, smtp, ftp and telnet which service the TCP transport protocol. 

When we need to have more than two nodes for communication, Broadcast and Multicast becomes viable options depending on the traffic flow and application type.

Broadcast: Broadcast traffic refers to one Ethernet device sending a message to all other devices on the network. If all of the nodes are on the same subnet, and then broadcast becomes a viable solution. All nodes on the subnet will see all traffic. There is no TCP-like connection state maintained. Broadcast is a layer 2 feature in the Ethernet protocol, and also a layer 3 feature in IPv4.

Some of the Broadcast examples are ARP & NTP.  ARP is used to determine how to send traffic to other nodes on the network. If the destination is on the same subnet, ARP fins out the MAC address that goes to the stated IP address. This is a Level 2 broadcast, to the reserved FF: FF: FF: FF: FF: FF MAC address. The NTP protocol allows a broadcast method for announcing time sources.

Multicast: Multicast is like a broadcast that can cross subnets, but unlike broadcast does not touch all nodes. In this case, there may be one or more senders, and the information is distributed to a set of receivers. Nodes have to subscribe to a multicast group to receive information.

Multicast protocols are usually UDP protocols, since by definition no connection-state can be maintained. Nodes transmitting data to a multicast group do not know what nodes are receiving. Where there is a common need for the same data required by a group of clients, multicast transmission may provide significant bandwidth savings. Some examples of Multicast are HP printers announcing their presence on a multicast groups, NTP protocol also allows a multicast method (IP for announcing time sources and Video Surveillance etc.


A traffic storm occurs when packets flood the LAN, creating excessive traffic and degrading network performance. Excessive broadcast traffic can rob all nodes in that subnet of bandwidth, while multicast has the same attribute when one node on the multicast group starts sending huge amounts of traffic to that group, all subscribed nodes will see all of that traffic.

Main causes for Flooding:

Asymmetric Routing- Packets follow different paths depending on the direction. Large amounts of flooded traffic might saturate low-bandwidth links causing network performance issues.

STP Topology Changes- STP uses Topology notification changes (TCN) to correct forwarding tables after topology change; these are triggered by a port that transitions to or from forwarding states. But the issue might arise when TCNs are occurring repeatedly with short intervals. The switches will constantly be fast-aging their forwarding tables so flooding will be nearly constant.

Forwarding table Overflow- Overflow of switch forwarding table can occur by an attack on the network where one host starts generating frames each sourced with different MAC address and result in new addresses cannot be learned and packets destined to such addresses are flooded until some space becomes available in the forwarding table.

Human Errors- The most common error is when both ends of a cable are connected into two ports of the same switch.  This causes a loop back condition in which broadcast traffic can be constantly repeated throughout the network. 

Therefore to summarize when messages are broadcast on a network and each message prompts a receiving node to respond by broadcasting its own messages on the network, storms are born. This, in turn, creates a snowball effect and result as a network outage.

One can use Storm control/Flood Suppression feature which provides granular control of Broadcast, Multicast and Unicast traffic rates on a per-port basis. Therefore Storms are prevented by specifying the storm control level, of broadcast traffic, multicast traffic, and unknown unicast traffic to be allowed on an interface. This can be individual or collective control on the switch or stack.

Some of the important parameters generally used while setting up the thresholds are as following:

  • Traffic rate (Depends on Switch vendor, some uses packet per second (pps), others use Kbps
  • Polling interval
  • Action applicable
  • SNMP traps

Storm control monitors the level of incoming traffic and compares it with the level that is specified. If the combined level of the traffic exceeds the specified level, the switch has a n option to do an action - None, Drop or Shut down for the controlled traffic types to prevent the network outages. Some of the other important parameters which one should implement to limit flooding in the network are as below.

Limiting Asymmetric Flooding: Bring the router’s ARP timeout and the switches’ forwarding table-aging time close to each other. This will cause the ARP packets to be broadcast. Relearning must occur before the L2 forwarding table entry ages out. Limiting STP Topology Changes: It is advised to use STP port fast feature on switches as it will limit the TCN while ports forwarding state changes.

Limiting Overflow attacks: Such attacks can be prevented by limiting the number of MAC addresses learned on untrusted ports by using the port security feature. Rapid Spanning Tree Protocol (RSTP) can be used to help eliminate the possibility of a loop being accidentally created and a resulting broadcast storm. Provide proper training to anyone who will be installing, or maintaining, the Ethernet network. 

Add to Favorites