ARP broadcast storm: Information and Effects
Applies to
- ONTAP 9
- Clustered Data ONTAP
Description
What is the following event reported on /mroot/etc/log/ems
and what can be the impact?
Example:
"[XXXXXX: NwkThd_0X netif.rateLimitThreshold:error]: High rate limit on the network interface e0* for broadcast protocol ARP is detected"
Answer
- This message is an indication of an incoming ARP broadcast storm.
- It is generated from a process that monitors the inflow and indicates us in case of any unusual events.
- The interface received a very high number (>5000 in this case) of ARP broadcast packets in the last second of monitoring.
- The system also follows a discarded window of half a second (500 ms) just after this to cool off a bit.
- Note: This message occurs when the protocol rate threshold is reached on a network interface.
- Corrective Action:
- Fix the faulty network configuration or incorrect setup that enables a sudden spike in broadcast packets to bring down the node.
Additional Information
- Historically, these kinds of storms are generated due to network mis-configuration like a loop or a misbehaving network device.
- Check for any such activities around the same time-frame on the devices that are connected to the same broadcast domain of those ports.
- In some situations, these ARP storms can lead the system to be unresponsive or eventually to disruption as they can exhaust the network resources.
- Capturing a packet trace on the concerned interface can be helpful to pinpoint the device causing the large amount of ARP broadcast packets
- How to capture packet traces on ONTAP 9.10+ systems