topic Re: possiblity of broadcast storm loop between L3 interface and L2 interface in ICX Switches

possiblity of broadcast storm loop between L3 interface and L2 interface

ys — Thu, 21 Mar 2024 02:18:38 GMT

Recently I faced network outage due to a lot of packet storm.
I did not identify it was due to broadcast or not. but I would like to know possibility.

I have L3 link and L2 trunk link from switch-A (ICX7750) to switch-B (ICX7450) with config below.
In case of happening broadcast from vlan 1 accidentally, any possibility to broadcast storm loop on vlan 1?
Also possibility to forward these broadcast packets to eth1/1/3 connecting to different switch?

Because route-only L3 interface is still a member of vlan1 by default on ruckus switches.

---
!
! SWITCH-A
!

vlan 1 name DEFAULT-VLAN by port
!
vlan 3000 name LAB by port
tagged ethe 1/1/2
router-interface ve 3000
spanning-tree 802-1w
spanning-tree 802-1w priority 0
loop-detection
!

int e 1/1/1
port-name To-SWITCH-B_L3
route-only
ip address xxx.xxx.xxx.xxx/31
!

int e 1/1/2
port-name To-SWITCH-B_L2
!

int e 1/1/3
port-name To-SWITCH-ZZZ_L3
route-only
ip address zzz.zzz.zzz.zzz/31
!

---
!
! SWITCH-B
!

vlan 1 name DEFAULT-VLAN by port
!
vlan 3000 name LAB by port
tagged ethe 1/1/2
untagged ethe 1/1/9 to 1/1/10
spanning-tree 802-1w
loop-detection
!

int e 1/1/1
port-name To-SWITCH-A_L3
route-only
ip address xxx.xxx.xxx.yyy/31
!

int e 1/1/2
port-name To-SWITCH-A_L2
!

int e 1/1/9
port-name User Port
!
int e 1/1/10
port-name User Port
!

Re: possiblity of broadcast storm loop between L3 interface and L2 interface

jdryan — Thu, 21 Mar 2024 12:59:41 GMT

Hi ys,

From the details shared, the L3 interfaces, although set as access to VLAN 1, should be forming separate individual point-to-point networks as the subnet is /31 with 2 end points.
And broadcasts would not be routed over, as they are limited to the subnet.

However, for the possibility of the storm happening, I would suggest checking the L2 connections that are part of the network. Over the L2 connections, the broadcasts / pachet storms can be seen transmigrating through as they are used to extend a vlan.

If possible, use LLDP and network topology to check and trace the connections to find if any loops may have formed on the device.

Commands :
Show lldp neigbhor
Show lldp neigbhor detail port ethernet < port number > <<<<< enter the port number that you are finding suspicious.

In addition, storms can happen if in case any device is broadcasting a lot of data / frames :
Use :
show statistics ( to check on the port that has higher transmission )
show interface < port number > [ to check on the narrowed down port.

in case the counters have historical data on them. clear the counters and check them once more to get an accurate readout.

Hope the details help.

Re: possiblity of broadcast storm loop between L3 interface and L2 interface

ys — Fri, 22 Mar 2024 06:32:36 GMT

Thank you for advice, jdryan.

As I checked more detail, I found "route-only" was NOT configured on eth1/1/1, SWITCH-B.

!
! SWITCH-B
!

int e 1/1/1
port-name To-SWITCH-A_L3
ip address xxx.xxx.xxx.yyy/31
!

In this case, any possibility to broadcast storm on VLAN 1? (not VLAN 3000)
I guess this "eth1/1/1 on SWITCH-B" still has the ability of receiving broadcast packets and forward it to other interface like eth1/1/2.

As per document, "route-only" supports only ingress L2 traffic suppression on a route-only port on ICX 7750, ICX 7450, ICX 7250, and ICX 7150 devices.
Looks like it is slightly different from "no switchport" on Cisco..
https://docs.commscope.com/bundle/fastiron-08090-commandref/resource/fastiron-08090-commandref.pdf

Re: possiblity of broadcast storm loop between L3 interface and L2 interface

jdryan — Fri, 22 Mar 2024 11:11:53 GMT

Hi ys,

Here, the ingress would come from switch A port :
int e 1/1/1
port-name To-SWITCH-B_L3
route-only
ip address xxx.xxx.xxx.xxx/31

As there is route-only specifed there on the port same should work as an L3 interface and not forward L2 frames.

As Switch B :
int e 1/1/1
port-name To-SWITCH-A_L3
ip address xxx.xxx.xxx.xxx/31

is being used as an L3 interface : would suggest that route-only command be impletmented there.

Its recommended for route-only to be in place for L3 interfaces [ ports configured as L3 interfaces],
As ingress L2 suppression feature, should be able to help supress broadcasts, in an event any are transmitted over that link.

As per the set up done, over the L3 link between SW A and SW B : L2 traffic should not be seen.

With respect to : no switchport : by cisco, I may not be able to comment on that.

Let me know if the details help.