Solved

How to gauge if broadcast traffic is a problem due to subnet size?

Posted on 2014-11-14
Last Modified: 2014-12-09
So I took over a network recently where they were using a very large subnet (10.4.0.0/16). Of course a subnet can never be that large, but I didn't change it as they had a lot of servers and other devices in production and didn't want to change subnets. They are now using about 350 IP addresses from this subnet. Infrastructure is completely Cisco. All switches are Cisco 3560G's. What is a safe number to grow this subnet before I should start another VLAN?
Question by:denver218
8 Comments
 
LVL 26

Expert Comment

by:Predrag Jovic
ID: 40442531
Same subject here.
0
 
LVL 50

Accepted Solution

by:
Don Johnston earned 500 total points
ID: 40442534
The general rule of thumb is 20%.  That is, when broadcast traffic exceeds 20% of the total traffic, that's when you want to start looking at breaking up the network.

The first step is making sure you check the traffic during normal traffic. If you look at it in the middle of the night, you'll probably be way over 20% since there's not as much unicast traffic.

Because it's based on total traffic, switches can make this a bit of a challenge.  So what I like to do is check the interface statistics on trunks that see the most traffic.  Clear the counters first and then wait an hour.  Do a "show interface" on the trunks, divide total traffic by broadcast and you've got your number.  I like to check this at various times during the day over multiple days.
0
 
LVL 4

Author Comment

by:denver218
ID: 40442819
So what number do I divide by the number of broadcasts:

GigabitEthernet1/0/4 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 001b.d511.8d04 (bia 001b.d511.8d04)
  Description: TOP_3560G-48
  MTU 1530 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 3/255, rxload 4/255
  Encapsulation ARPA, loopback not set
  Keepalive not set
  Full-duplex, 1000Mb/s, link type is auto, media type is 1000BaseSX SFP
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:19, output hang never
  Last clearing of "show interface" counters 00:15:56
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 15988000 bits/sec, 6113 packets/sec
  5 minute output rate 15661000 bits/sec, 5672 packets/sec
     6417526 packets input, 2451754699 bytes, 0 no buffer
     Received 427839 broadcasts (280131 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 280131 multicast, 0 pause input
     0 input packets with dribble condition detected
     5993425 packets output, 2412545171 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40442844
6417526 packets input, 2451754699 bytes, 0 no buffer
     Received 427839 broadcasts (280131 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 280131 multicast, 0 pause input
     0 input packets with dribble condition detected

So in 15 minutes, you've received 6,417,526 packets of which 427,839 were broadcast. This puts the broadcast received on this port at 6%.
0

 
LVL 4

Author Comment

by:denver218
ID: 40442892
Thanks.  If I divide 6417526/427839 that equals 14.99.   How did you get 6%?  I must be missing something.
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40442908
427839/6417526=.06
0
 
LVL 4

Author Comment

by:denver218
ID: 40442952
Ok, thanks. So it's broadcasts/packets input.

So if I did another trunk port:

 1668527 packets input, 376258519 bytes, 0 no buffer
     Received 620 broadcasts (615 multicasts)

It would be 620/1668527 which would equal approximately 3.72% broadcast traffic right?
0
 
LVL 4

Author Closing Comment

by:denver218
ID: 40488695
Thanks
0
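
The calculation worked through in this thread, as an added example that is not part of any poster's comment: a Python parser for the input counters of "show interface" that computes broadcasts / packets input and compares it with the 20% rule of thumb. The function and field names are assumptions of this example, the sample text is constructed from the counter lines quoted above, and the bcast_only_pct figure assumes the "broadcasts" counter includes the multicasts shown in parentheses, as Cisco's field description states.

```python
import re

# Constructed samples: counter lines taken from the two trunk outputs quoted in the thread.
TRUNK_A = """\
  Last clearing of "show interface" counters 00:15:56
     6417526 packets input, 2451754699 bytes, 0 no buffer
     Received 427839 broadcasts (280131 multicasts)
"""
TRUNK_B = """\
     1668527 packets input, 376258519 bytes, 0 no buffer
     Received 620 broadcasts (615 multicasts)
"""

PKTS_RE = re.compile(r"^\s*(\d+) packets input", re.M)
BCAST_RE = re.compile(r"^\s*Received (\d+) broadcasts(?: \((\d+) multicasts\))?", re.M)
CLEAR_RE = re.compile(r'Last clearing of "show interface" counters (\S+)')


def broadcast_stats(text, threshold_pct=20.0):
    """Return broadcast share of input packets from 'show interface' text.

    threshold_pct defaults to the 20% rule of thumb from the accepted answer.
    """
    pkts = PKTS_RE.search(text)
    bcast = BCAST_RE.search(text)
    if not pkts or not bcast:
        raise ValueError("input counters not found in text")
    total = int(pkts.group(1))
    if total == 0:
        raise ValueError("no input packets since the counters were cleared")
    received = int(bcast.group(1))
    mcast = int(bcast.group(2) or 0)
    clear = CLEAR_RE.search(text)
    pct = 100.0 * received / total  # broadcasts / packets input, as in the thread
    return {
        "window": clear.group(1) if clear else None,  # time since counters cleared
        "total_in": total,
        "bcast_pct": round(pct, 3),
        # Assumption: the parenthesised multicasts are a subset of "broadcasts".
        "bcast_only_pct": round(100.0 * max(received - mcast, 0) / total, 3),
        "over_threshold": pct > threshold_pct,
    }


if __name__ == "__main__":
    for name, sample in (("trunk A", TRUNK_A), ("trunk B", TRUNK_B)):
        print(name, broadcast_stats(sample))
```

Run it against captures taken at several times of day over multiple days, as the accepted answer suggests, since a single short window can be unrepresentative.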
