Broadcast Limiting


Craig Knights

May 22, 2018, 10:11:43 PM
to techies-f...@googlegroups.com
Hi all, I'm trying to limit broadcast (and multicast) traffic passing from one building to another through the core switch. Our Ruckus APs are struggling with the ~200 per second multicast and 70 per second broadcast. Yes, we have a large flat network and 1200 wireless devices.

It seems odd how the two worst affected APs are the Staffroom and an obscure classroom on the other side of the school. I've replaced that staffroom AP with a brand new one, no change, and tried to limit the broadcasts directly on the building switches (they're AT-8000GS).

I am planning to segment the network with VLANs, possibly per building, but need something sooner than that.

I've got PRTG monitoring the ports on the core (screenshot attached); that port goes to one of our bigger buildings.

I've limited all ports using the CLI on the core switch to 100kB/s (Our SNUP AT-9924ts), but it seems to not be doing anything. It's an AlliedWare but not AlliedWare+ switch.

PRTG measures the traffic in packets/s and the switch in kB/s. I've used an average packet size of 576 bytes/packet, so 100kB/s is around 174 packets/s.

I issued two commands on the switch

set switch port=all bclimit=100
and
enable switch mclimiting

Do I need to follow up with another command to make those stick?

Please feel free to start with the VLAN / subnet / whatever advice as I'm getting close to making a call to get some outside help up here...  as much as I don't want to.


thanks,
Craig

Screen Shot 2018-05-23 at 1.51.14 PM.png

Alistair Baird

May 22, 2018, 10:16:37 PM
to techies-f...@googlegroups.com
Those multicast packets aren't Windows 10 updates, are they? I don't use Win10 here, but the thought just occurred to me. There's also a filter in Ruckus WLAN advanced configuration to drop MC packets.


--
You received this message because you are subscribed to the Google Groups "Techies for schools" group.
To unsubscribe from this group and stop receiving emails from it, send an email to techies-for-schools+unsub...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
Alistair Baird
IT Manager
St Peters College 
p 06 354 4198
m 021 482 937

Craig Knights

May 22, 2018, 10:18:25 PM
to techies-f...@googlegroups.com
No, they're mostly Bonjour. We're mostly an Apple kinda place.

Our Ruckus controller is a little odd, as it's a vSZ not a ZD

ta
CJK


Craig Knights

May 22, 2018, 11:19:34 PM
to techies-f...@googlegroups.com

Manager 0387-AG1-9924TS> show switch port=106

 Switch Port Information
---------------------------------------------------------------------------
 Port .......................... 106
   Description ................... LG1 ELC
   Status ........................ ENABLED
   Link State .................... Up
   UpTime ........................ 75 days, 05:25:55
   Port Media Type ............... ETHERNET CSMACD
   Configured speed/duplex ....... Autonegotiate
   Actual speed/duplex ........... 1000 Mbps, full duplex
   MDI Configuration (Polarity) .. Not applicable
   Loopback ...................... Off
   Configured master/slave mode .. Not applicable
   Actual master/slave mode ...... Not applicable
   Acceptable Frames Type ........ Admit All Frames
   Disabled Egress Queues ........ -
   BCast & MCast rate limit ...... 100 kbytes/sec
   BCSC rate Limiting ............ Broadcast and Multicast enabled
   Egress rate limit ............. -
   Learn limit ................... -
   Intrusion action .............. Discard
   Current learned, lock state ... -, not locked
   Address learn thrash status ... Not Detected
   Address learn thrash action ... Learn Disable
   Address learn thrash timeout .. 1 second
   VLAN Status Trap .............. OFF
   Relearn ....................... OFF
   Mirroring ..................... Disabled
   Is this port mirror port ...... No
   Enabled flow control(s) ....... -
   VLAN(s) ....................... default (1)
   Ingress Filtering ............. Off
   Trunk Group ................... -
   STP ........................... default
   IGMP Filter ................... None
   Max-groups/Joined ............. Undefined/3
   IGMP Max-groups Action ........ Deny
   Trap Arp To CPU................ DISABLED

   SFP vendor name ............... ATI
   SFP part number ............... AT-SPSX
   SFP vendor SN ................. A03240R110600991
   SFP date code ................. 11020701
   SFP type ...................... 1000BASE-SX
   SFP length .................... -
   SFP wavelength ................ 850nm
---------------------------------------------------------------------------

Manager 0387-AG1-9924TS>


Andrew Godfrey

May 22, 2018, 11:31:11 PM
to techies-f...@googlegroups.com
Have you got a GUI for the vSZ? Here are 2 settings I've added to our ZD to quieten down those noisy BYOD VLANs. The first one being what Alistair was referring to.









Andrew Godfrey  |  Network Manager


Craig Knights

May 22, 2018, 11:43:25 PM
to techies-f...@googlegroups.com

> Have you got a GUI for the vSZ? Here are 2 settings I've added to our ZD to quieten down those noisy BYOD VLANs. The first one being what Alistair was referring to.

Yes there is a GUI, but it's quite different.  The mc filter tickbox is not there.  The client isolation is there, but it works quite differently.  It automatically figures out the default gateway and allows traffic to only that.  It seems quite dumbed down.

For the student SSIDs I have used "Traffic Access Control Lists"

Blocked their access to the entire IP range, then allowed certain server IP's, the gateway, the DNS port, DHCP port.

I think I can put block rules in there for the IPs used in mDNS; however, some of the broadcasts are also IPv6 and Ruckus doesn't do IPv6 at all.

thanks,
Craig

Andrew Godfrey

May 23, 2018, 12:46:38 AM
to techies-f...@googlegroups.com
I've just read your first email again and hadn't realised you have a flat LAN.

Might you be able to quickly just VLAN off your student devices?

Have you used Wireshark to identify the most common culprits?



Andrew Godfrey  |  Network Manager
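
Added example, not part of any message in this thread: one way to find the "most common culprits" from a capture taken on the flat LAN, by tallying broadcast, mDNS (Bonjour) and other multicast frames per source MAC. It assumes the capture was saved in classic pcap format (not pcapng) with Ethernet link type; the sample capture and station addresses are constructed.

```python
import struct
from collections import Counter

# Group MACs for mDNS/Bonjour: 224.0.0.251 (IPv4) and ff02::fb (IPv6).
MDNS_MACS = {bytes.fromhex("01005e0000fb"), bytes.fromhex("3333000000fb")}

def classify(dst: bytes) -> str:
    """Label a frame by its destination MAC address."""
    if dst == b"\xff" * 6:
        return "broadcast"
    if dst in MDNS_MACS:
        return "mdns"
    return "multicast" if dst[0] & 1 else "unicast"  # I/G bit marks group traffic

def top_talkers(pcap: bytes):
    """Return [((src_mac, kind), frames), ...] for non-unicast frames, busiest first."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    counts, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(order + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 14:
            continue  # truncated record, no full Ethernet header
        kind = classify(frame[:6])
        if kind != "unicast":
            counts[(frame[6:12].hex(":"), kind)] += 1
    return counts.most_common()

def _record(dst: str, src: str) -> bytes:
    """Build one constructed pcap record holding a minimal 60-byte frame."""
    frame = bytes.fromhex(dst + src) + b"\x08\x00" + bytes(46)
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

# Constructed capture: two made-up stations, A (..:01) and B (..:02).
A, B = "020000000001", "020000000002"
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join([
    _record("01005e0000fb", A), _record("01005e0000fb", A),
    _record("01005e0000fb", A), _record("ffffffffffff", B),
    _record("3333000000fb", B), _record(B, A),  # last one is unicast
])

if __name__ == "__main__":
    for (mac, kind), n in top_talkers(SAMPLE):
        print(f"{mac}  {kind:<9}  {n}")
```

Dividing each count by the capture duration gives packets per second per station, the same unit PRTG reports.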



Craig Knights

May 23, 2018, 1:40:03 AM
to techies-f...@googlegroups.com
But if I have all VLANs and SSIDs present on all APs, won't the total broadcasts seen at each AP be the same? Torqueip, who do the SNUP help, have doubts it is the packets. But we'll see...

I'm going to work on limits on broadcast in Ruckus... For printing, I'll work on getting away from mDNS and onto regular DNS as Papercut recommend.

Cheers
Craig

Pete Mundy

May 23, 2018, 2:08:23 AM
to techies-f...@googlegroups.com

Assuming at least one wireless client is associated with each ESSID on every radio at the time, then yep! So don't do it that way.

Instead have separate student VLANs in the separate locations. You can still allow those different student VLANs to route to each other at layer III via the core (if you want them to), but you effectively restrict the broadcast domain to only the radios within the building (assuming you restrict the radios to only broadcasting ESSIDs for the VLANs used in that building).

It doesn't avoid the pain of implementing the VLANs, but it'll be worth it in the medium and long term (imo:)

Pete

Graeme Lee

May 23, 2018, 3:39:05 AM
to techies-f...@googlegroups.com
Hi Craig, were all your 8000GS switches replaced when you were SNUP’d? They are not enterprise switches and could cause problems if the chipset fan seizes. Has happened to me... Otherwise interference given only two AP’s causing problems? No other wireless routers (unmanaged) running in the school? Wireless profiles the same as other AP’s? We are vlan’d but also have a large student vlan. I use Kiwi syslog server and my AP’s send their logs to it... I have turned the 2.4GHz radios off on a few AP’s...

Graeme

Craig Knights

May 23, 2018, 3:59:52 AM
to techies-f...@googlegroups.com
No, they came to us in the first SNUP, we were done quite early. The warranties were extended when we were WSNUP'ed last year. We have had noisy fans in 8000GS switches in the past but I just took them out of service as we had WAY too many ports and spare 8000GS switches.

I think you may be on to something...  when we were WSNUP'ed last year the nice Ubiquiti 24port POE switch I was using was removed, a big AT POE midspan inserted and the data routed through the existing 8000GS.   I'm going to move them first thing tomorrow to the 9924ts core as it has enough spare...   Similar story could apply in the Library building where the other painful AP is...

The timing fits too..

hmmmmm, many thanks!
Craig
