NetApp Knowledge Base

ARP broadcast storm: Information and Effects

Category:
ontap-9
Specialty:
network

Applies to

  • ONTAP 9 
  • Clustered Data ONTAP

Description 

What does the following event, reported in /mroot/etc/log/ems, mean and what can its impact be?

Example:

"[XXXXXX: NwkThd_0X netif.rateLimitThreshold:error]: High rate limit on the network interface e0* for broadcast protocol ARP is detected"

Answer

  • This message is an indication of an incoming ARP broadcast storm.
    • It is generated by a process that monitors inbound traffic and alerts on unusual events.
    • The interface received a very high number (>5000 in this case) of ARP broadcast packets in the last second of monitoring.
    • Immediately afterward, the system applies a discard window of half a second (500 ms) to cool off.

Note: This message occurs when the protocol rate threshold is reached on a network interface.

Corrective Action:

  • Fix the faulty network configuration or incorrect setup that allows a sudden spike in broadcast packets to bring down the node.
  • The threshold can be modified by using the "bootarg.arp.ratelimit.threshold" boot argument.

Additional Information

  • Historically, these kinds of storms have been caused by a network misconfiguration, such as a loop, or by a misbehaving network device.
  • Check for any such activity around the same time frame on the devices that are connected to the same broadcast domain as those ports.
  • In some situations, these ARP storms can cause the system to become unresponsive or eventually lead to disruption, because they can exhaust network resources.
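
The following is an added example, not NetApp code: it parses the event text quoted above from EMS log lines, merges repeated events per node and port into storm windows, and pairs ports that were hit at the same time, which is the correlation recommended under Additional Information. The ISO-8601 timestamp prefix, the node names, and all function names are assumptions, and the sample lines are constructed; adjust the timestamp parsing to the format of your own log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Event text as quoted in the article. The ISO-8601 timestamp prefix is an assumption.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[(?P<node>[^:\]]+):.*?netif\.rateLimitThreshold:error\]:\s+"
    r"High rate limit on the network interface (?P<port>\S+) "
    r"for broadcast protocol (?P<proto>\S+) is detected")

def parse_events(lines):
    """Yield (timestamp, node, port, protocol) for each rate-limit event line."""
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["node"], m["port"], m["proto"]

def group_storms(lines, gap=timedelta(seconds=60)):
    """Merge events on one node/port that are at most `gap` apart into storm
    windows: (node, port, first_seen, last_seen, event_count)."""
    per_port = defaultdict(list)
    for ts, node, port, _proto in parse_events(lines):
        per_port[(node, port)].append(ts)
    storms = []
    for (node, port), stamps in per_port.items():
        start, prev, count = min(stamps), min(stamps), 0
        for ts in sorted(stamps):
            if ts - prev > gap:  # quiet period: close the current window
                storms.append((node, port, start, prev, count))
                start, count = ts, 0
            prev, count = ts, count + 1
        storms.append((node, port, start, prev, count))
    return sorted(storms, key=lambda s: s[2])

def concurrent_ports(storms, slack=timedelta(seconds=60)):
    """Pair storms on different ports whose windows overlap within `slack`."""
    return [(a[:2], b[:2]) for i, a in enumerate(storms) for b in storms[i + 1:]
            if a[:2] != b[:2] and b[2] - slack <= a[3] and a[2] - slack <= b[3]]

# Constructed sample lines (not real ONTAP output).
EVENT = ("netif.rateLimitThreshold:error]: High rate limit on the network "
         "interface {} for broadcast protocol ARP is detected")
SAMPLE = [
    "2024-01-15T10:00:01 [node-01: NwkThd_00 " + EVENT.format("e0c"),
    "2024-01-15T10:00:03 [node-01: NwkThd_00 " + EVENT.format("e0c"),
    "2024-01-15T10:00:04 [node-02: NwkThd_01 " + EVENT.format("e0d"),
    "2024-01-15T10:00:20 constructed unrelated line",
    "2024-01-15T14:30:00 [node-01: NwkThd_00 " + EVENT.format("e0c"),
]
```

Ports paired by `concurrent_ports(group_storms(lines))` are candidates for sharing the affected broadcast domain, so the switches and devices attached to them are the first place to look for a loop or misbehaving device.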

 
