Switch acts like a hub

Unanswered Question
Aug 15th, 2007
User Badges:

Hi


I have a switched network here, with 10 - 12 switches, now there seems like one or two are acting like hubs, because I can se alot of traffic.


What can be reasons for this ? overload ? and is there some way i could check the switch, so i could determine the switch that is acting like the hub ?


Br

Tuva



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (3 ratings)
Loading.
guruprasadr Wed, 08/15/2007 - 23:54
User Badges:
  • Gold, 750 points or more

HI Tuva,


HUBs will just Broadcast the Packet Information over all Ports whereas Switches will maintain the CAM Table (Content Addressable Memory) lookups to track the source address located in the each Switch Port.


CAM Table is Dynamic Nature and it contains the list of MAC-address of the Devices connected to the Switch Port and its associated VLAN Information.


INFO: You can verify the CAM Table contents if any.


PLS RATE if HELPS


Best Regards,


Guru Prasad R

tuva02100 Thu, 08/16/2007 - 00:08
User Badges:

Thanks, im not quite sure if i understand...

if the cam table looks normal - it doesnt act like a hub ?


here is some output i got :



VLAN Dest MAC/Route Des [CoS] Destination Ports or VCs / [Protocol Type]

---- ------------------ ----- -------------------------------------------

1 00-13-60-53-36-bf # 1/9

1 01-00-0c-cc-cc-cc # 1/9

1 01-00-0c-cc-cc-cd # 1/9

1 01-00-0c-ee-ee-ee # 1/9

1 01-80-c2-00-00-00 # 1/9

1 01-80-c2-00-00-01 # 1/9

2 01-00-0c-cc-cc-cc # 1/9

2 01-00-0c-cc-cc-cd # 1/9

2 01-80-c2-00-00-00 # 1/9

2 01-80-c2-00-00-01 # 1/9

10 01-00-0c-cc-cc-cc # 1/9

10 01-00-0c-cc-cc-cd # 1/9

10 01-80-c2-00-00-00 # 1/9

10 01-80-c2-00-00-01 # 1/9

20 01-00-0c-cc-cc-cc # 1/9




This is from a cat-os switch, i cant seem to find a : '"sh cam table", just "sh cam system"


Br

Tuva

Jon Marshall Thu, 08/16/2007 - 00:16
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Tuva


Could you post the output of a


"sh cam dynamic"


Jon

Jon Marshall Thu, 08/16/2007 - 00:01
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Hi Tuva


It depends on how much broadcast/multicast traffic you have in your network. A switch will map ports to mac-addresses and if it knows which port the destination mac-address is found on it will only forward the traffic out on that port.


Hubs on the other hand send a copy of the packet out of all ports except the one it was received on.


However if the switch does not have a port to mac-address mapping then it will flood the packet out of all ports except the one it was received on. This will happen with broadcast, potentially multicast and unknown unicast traffic.


HTH


Jon

tuva02100 Thu, 08/16/2007 - 00:21
User Badges:

yes, the strange thing is, when i capture traffic from the switch, i can se the traffic that does not "belong" to me. I can see the broadcast, and spt-prot packets, but also tha traffic to other hosts, and i shouldnt i be able to see that ? .. so im note sure what is the problem, but it looks like a "leak" .. I isuues the "sh cam dyn"



VLAN Dest MAC/Route Des [CoS] Destination Ports or VCs / [Protocol Type]

---- ------------------ ----- -------------------------------------------

1 00-00-74-9b-79-25 2/46 [ALL]

1 00-01-6c-ea-2f-95 2/49 [ALL]

1 00-02-44-87-22-b4 2/49 [ALL]

1 00-02-54-00-da-55 2/37 [ALL]

1 00-07-50-36-69-00 2/49 [ALL]

1 00-07-eb-c8-37-c0 2/49 [ALL]

1 00-08-02-f7-ec-f7 2/49 [ALL]

1 00-0a-e4-2d-fd-13 2/49 [ALL]

1 00-0a-e4-c1-7f-b3 2/49 [ALL]

1 00-0b-82-08-77-06 2/48 [ALL]

1 00-0b-86-60-04-10 2/16 [ALL]

1 00-0c-29-45-21-53 2/49 [ALL]

1 00-0c-29-56-09-3c 2/49 [ALL]

1 00-0c-29-66-6d-ac 2/49 [ALL]

1 00-0c-29-81-54-58 2/49 [ALL]

1 00-0c-29-82-f2-74 2/49 [ALL]

1 00-0c-29-8c-fa-aa 2/49 [ALL]

1 00-0c-29-b1-68-e8 2/49 [ALL]

1 00-0c-29-b6-16-da 2/49 [ALL]

1 00-0c-29-df-52-19 2/49 [ALL]

1 00-0c-29-e6-c8-a3 2/49 [ALL]

1 00-0c-29-f9-b7-f9 2/49 [ALL]



( thanks for helping me )


br

Tuva

Jon Marshall Thu, 08/16/2007 - 00:33
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Tuva


What is attached to port 2/49 - is it another switch ?


You will see some unicast traffic if the switch does not have a mapping for the mac-address ie.


if traffic is being sent to client 192.168.10.5 and you know that is on port 2/20 on your switch. You capture traffic off port 2/30 and see some traffic destined for 192.168.10.5.


You might see the intial packet because the switch does not have a mac-address mapping to port 2/20 for this client. However you should not be seeing most of the conversation as the switch should update it's mac-address table and only send the packets out of port 2/20 after that.


The other thing that can happen is that the switch can run out of mac-address entries ie. it is full up and then it's only choice is to flood all packets.


HTH


Jon

guruprasadr Thu, 08/16/2007 - 00:51
User Badges:
  • Gold, 750 points or more

HI Tuva,


Your MAC Table / CAM Table is flooded. Can you try by clearing the MAC Address Table and CAM Table.


pls rate if Helps


Best Regards,


Guru Prasad R

tuva02100 Thu, 08/16/2007 - 00:53
User Badges:



yes, it the other vtp -server switch attached to this port, it's a trunk.


so it could be a overload problem ?


I connected to this switch and used wireshark to capture some traffic, then I could se many of the sip traffic, that goes on several adapters, and I can see alot of tcp traffic, that does not belong to my "port" ... and to several other ip's.




im not so used to be on a cat-os switch either :) .. but the other switches we have are regular 2950's


Could there be when there are alot of switches, and they are just put there without any config on the ports, that they could have a "leak" or something.


Im sorry if I don't explain very well.


Br

Tuva

guruprasadr Thu, 08/16/2007 - 01:08
User Badges:
  • Gold, 750 points or more

HI Tuva,


If my understanding on your Question is NOT wrong means:


You have 2 VTP Server connected via Trunk ?


-->If so this should not be possible.

-->Whether both VTP Server Switches are in the same VTP Domain.

-->For me there should be only one VTP Server in an Environment and rest all as VTP Clients.


INFO: Can you please explain in a better manner for a clear understanding.



PLS RATE if HELPS



Best Regards,


Guru Prasad R

tuva02100 Thu, 08/16/2007 - 01:25
User Badges:

The two "main" switches are configured as vtp serer, in the same vtp domain. All the rest of the switches are clients, I must do a check if there could be any transparent here, but i don't think so.


The problem is that I can see all this traffic, that I shouldn't be able to see.


Br

Tuva



guruprasadr Thu, 08/16/2007 - 01:36
User Badges:
  • Gold, 750 points or more

HI Tuva, [PLS RATE if HELPS]


Well. Switches configured in Transparent Mode will receive the VTP Information from Server and proporgate to other VTP Clients in the same domain. (INFO:Switches in Transparent Mode will not keep / store the VTP Information received from Server).


Switches in Transparent Mode will not advertise its own VLAN and other Information to the VTP Domain (Servers and Clients).


I Hope you are seeing such traffic inside the Switch configured as VTP Tranparent whereas this operational mode will be like a HUB broadcasting the Information (ie., Transparent Mode propagation the VTP Info received from Server to the Clients in the same Domain).


INFO: In Transparent Mode Switches also you can see all the VTP Traffic propagation. For a reason donot connect any VTP Clients behind the VTP Transparent Switches.


Hope i am Informative.


DO RATE ALL HELPFUL REPLIES / POSTS


Best Regards,


Guru Prasad R

tuva02100 Thu, 08/16/2007 - 01:47
User Badges:

yes, im aware of that., but then they will only broadcast the vtp - information.


My problem is that I can se very much traffic that are destined to other hosts, and sipura adapters. so When i capture traficc with wireshark, I can see sip, tcp, udp traffic to other hosts. And im trying to find out why this is happening. They are all in the same vlan, in a few cases we saw traffic from another vlan, but we figured that one out, So when i captured traffic now, i only see traffic within the same vlan,


But i shouldn't see that traffic...


On some of the switches, i have seen that there are no configuration on the ports. But again, then all should go into vlan 1 , but could that create this scenario, with mee seeing so much traffic ?


(thanks for your patience)



Br

Tuva

guruprasadr Thu, 08/16/2007 - 02:15
User Badges:
  • Gold, 750 points or more

HI Tuva,


If in the same VLAN means then ofcourse there will be some traffic.


I can't able to judge the right answer for your problem. Neverthless you can use some ACL to Block the traffic.


If there is no configuration on the ports means it will be in default vlan (may be vlan1). Do you see the traffic on the ports where there is no configuration exists ie., interface is in down state.


Do you have some routing protocol enabled on this network may be some routing protocol updates even.


DO RATE ALL HELPFUL POSTS.


Best Regards,


Guru Prasad R

tuva02100 Thu, 08/16/2007 - 03:30
User Badges:

Hi again Prasad,


I'm not 100% sure you see what our problem is..


but, to try to explain it somewhat more.


Our network looks something like:


sw1 -> sw2

sw1 -> sw3

sw1 -> sw4 -> sw5

sw4 -> sw6

sw4 -> sw7

sw1 -> sw8

etc..


We see traffic on both sw7 and on sw 2 wich is ment for sw5 for insanse.. OR traffic ment for sw 1, on sw 4.


This can not be a routing problem, due to that there is no routing on our internal net (it's a /23 net with only one gw (cisco pix))


And, solveing this with ACL's will not help either, since the traffic you see here is often parts of TCP sessions wich is working (for instance jabber traffic.. suddenly you see one of the tcp packets for a message)


I also doubt it is due to overload of any of the switches, since the network is as small as it is.


Thanks again,


Tuva




mheusing Thu, 08/16/2007 - 04:01
User Badges:
  • Cisco Employee,

Hi Tuva,


There can be several reasons for a switch to show the behaviour.

1) Asymmetric routing

2) Spanning tree related problems

3) Full CAM table

VTP should not be the reason for it. As a side note: you can have as many VTP servers as you want in a VTP domain and I would even recommend to have at least two, in case one of them goes down.

Back to your issues: can you please follow the troubleshooting instructions in "Unicast Flooding in Switched Campus Networks"

http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00801d0808.shtml

This might already solve your issues or help you understand, why it happens.


Hope this helps! Please rate all posts.


Regards, Martin

tuva02100 Thu, 08/16/2007 - 04:45
User Badges:

Hi Martin



thank you, i'll read it and follow it, and see if i can figure it out. :)


Br

-Tuva

Actions

This Discussion