We got an outage last week about a specific VM that was misconfigured by a vSphere user.
To summarize, we added 2 vNICs in the same portgroup and used an IPS (Suricata) with a specific network mode (AF_PACKETS if I remember correctly).
The result is the VM started to broadcast ARP requests at an average rate of 700k packets per second.
All this data was broadcast to our secondary site, thus killing every active network switch on the way.
We had a hard time locating the source of this problem because the network bandwidth generated was pretty low: about 100MBps. But 700k pps …
I didn't find anything in NSX (we don't have NSX, but I was assuming this would be the best candidate to do that) or in vDS that would help me prevent this: a network packets-per-second alarm / limit.
Any ideas?
Attached is a network capture at the physical NIC level of the ESXi hosting the virtual machine. Note that 39:dd and 96:fe are both the MAC addresses of the two vNICs of this VM.
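As an added example (not part of the original post), this is the kind of packets-per-second alarm the post is asking for, computed offline over a capture: it counts ARP broadcasts per source MAC in one-second windows and flags any source above a pps threshold, which a bandwidth-only alarm would miss for small ARP frames. It assumes the capture has already been decoded into (timestamp, src_mac, dst_mac, ethertype) tuples; the sample frames, the VMware OUI prefix and the threshold are constructed for illustration.

```python
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800

# Constructed sample capture (scaled down from the 700k pps in the post):
# two vNICs, each sending 2000 ARP broadcasts in the first second, plus one
# benign host doing a single ARP request and one unicast IPv4 frame.
# MAC addresses are constructed: VMware OUI plus the two suffixes from the post.
VNIC_A = "00:50:56:00:39:dd"
VNIC_B = "00:50:56:00:96:fe"
BENIGN = "00:50:56:00:aa:bb"
SAMPLE_FRAMES = (
    [(i * 0.0005, VNIC_A, BROADCAST, ETHERTYPE_ARP) for i in range(2000)]
    + [(i * 0.0005 + 0.00025, VNIC_B, BROADCAST, ETHERTYPE_ARP) for i in range(2000)]
    + [(0.3, BENIGN, BROADCAST, ETHERTYPE_ARP),
       (1.2, BENIGN, "00:50:56:00:cc:dd", ETHERTYPE_IPV4)]
)


def broadcast_pps_per_source(frames, window=1.0):
    """Peak ARP-broadcast packets per second per source MAC.

    Only frames that are both broadcast and ARP are counted; each frame is
    bucketed into a window of `window` seconds, and the busiest bucket per
    source is returned as a rate.
    """
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, etype in frames:
        if dst == BROADCAST and etype == ETHERTYPE_ARP:
            buckets[src][int(ts // window)] += 1
    return {src: max(b.values()) / window for src, b in buckets.items()}


def storm_sources(frames, threshold_pps=1000, window=1.0):
    """Source MACs whose peak ARP-broadcast rate reaches the alarm threshold."""
    rates = broadcast_pps_per_source(frames, window)
    return sorted(src for src, pps in rates.items() if pps >= threshold_pps)


if __name__ == "__main__":
    for src, pps in sorted(broadcast_pps_per_source(SAMPLE_FRAMES).items()):
        print(f"{src}: peak {pps:.0f} ARP broadcasts/s")
    print("storm sources:", storm_sources(SAMPLE_FRAMES))
```

On the real capture the same logic would report both vNIC MACs at hundreds of thousands of pps while the byte rate stays modest, which is why a pps threshold rather than a bandwidth threshold is the useful alarm here.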