unexpected traffic available to sniffer on a switch

paul-d · ‎04-03-2007

Hi,

I work on a 6000 seat network where unfortunately most seats have been placed in VLAN 1 - over 2000.

Occaisionally I will etherreal a switch port and see traffic between 2 hosts which we shouldn't see in a switched network.

I am assuming that the switch has blown its L2 forwarding table and has become a hub.

Is there a command which would tell me whether this was the case?

sh mac-address-table count seems to suggest that the switch still has plenty of room left :-

Total Mac Address Space Available: 7926

Obvioulsy I am busy sub-netting the network into smaller chunks.

I beleive setting port security etc would also help, but I would just like to be sure that this table blowing is in fact what is happening

Many thanks !

situwayne · ‎04-03-2007

can you clarify....what type of traffic...is it broadcast?

"Occaisionally I will etherreal a switch port and see traffic between 2 hosts which we shouldn't see in a switched network."

paul-d · ‎04-04-2007

hi,

No it is traffic between individual hosts suggesting the switch has blown its L2 table and is acting as a hub

cheers

nyr.hakeem-habeeb · ‎04-04-2007

Hi

it could also be that the MACs have been aged out of CAM so the switch is in the process of re-learning the MACs.

Thanks

Rgds

HH

bbaillie · ‎04-04-2007

Try the command "show spanning-tree detail" and at line six of the VLAN in question, check to see how long its been since the last topology change (should be days or weeks not minutes). Likely you are seeing the results of topology changes caused by lack of "portfast" being enabled on the access ports. Or you have a link flapping somewhere in the network, causing the changes.

Cheers,

Brian

nz-ipv6 · ‎04-04-2007

Hi Paul,

There are times in the network , when you will see unicast traffic on a port where it should not be.

This could happen because of:

a) Microsoft servers running NLB

b) Unicast flooding

I would recommend to read the articles that will help you to understand it better.

http://cisco.com/en/US/partner/products/hw/switches/ps700/products_tech_note09186a00801d0808.shtml

http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=1176827&SiteID=1

paul-d · ‎04-05-2007

thanks I am aware of the load balancing issue and we put those into a seperate VLAN.

Sub netting the network should lessen and then eliminate the problem.

The question was what command can I issue on a switch to determine whether it has blown its L2 forwarding table.

nyr.hakeem-habeeb · ‎04-05-2007

Hi

The sh mac-address-table count should show you the number of available MAC space available on the switch (see sample output below)

Mac Entries for Vlan 1:

---------------------------

Dynamic Address Count : 0

Static Address Count : 0

Total Mac Addresses : 0

Mac Entries for Vlan 100:

---------------------------

Dynamic Address Count : 0

Static Address Count : 0

Total Mac Addresses : 0

Mac Entries for Vlan 101:

---------------------------

Dynamic Address Count : 0

Static Address Count : 0

Total Mac Addresses : 0

Total Mac Address Space Available: 7453

Thanks