Leaky VLAN

s-mahler · ‎09-19-2007

I have several vlans, lets call them isolated vlans, that are assigned to switchports over several switches. The switches are tied together with 1Q trunks. The isolated vlans do not have router interfaces (SVIs) associated with them.

I also have several "regular vlans" complete with router interfaces.

It appears that some traffic is leaking from the regular vlans to the isolated vlans. It appears to be mainly broadcast traffic.

Should there be *ANY* way that traffic from another vlan can leak into an isolated vlan?

ankbhasi · ‎09-19-2007

Hi Mahler,

The only way I can think of is if someone will hook a cross cable in loop fashion between the 2 ports configured for those vlans this situation may arise.

Regards,

Ankur

Kevin Dorrell · ‎09-19-2007

I agree with Ankur - the most likely explanation is that someone has cross-connected two ports. Or joined them with a bridge, e.g. an XP PC with two NICs and bridging enabled.

It is the "mostly broadcasts" that gives us a clue here. If you silently monitor a switchport, what do you normally see? Mostly broadcasts, and perhaps a few rare flooded unicasts.

One way you can prevent this is to enable bpdu-guard on all your access ports. Then if someone cross-connects two switch ports they will get disabled and you will see the trace on the syslog. It might not catch the XP bridge case though ... can anyone confirm that?

Kevin Dorrell

Luxembourg

Kevin Dorrell

Luxembourg

Pavel Bykov · ‎09-21-2007

I can confirm what Kevin said.

Easy way to track what is happening would be by sniffing out the traffic, and looking at the source MAC address. Then you can use "show mac-address-table address aaaa.bbbb.cccc" command to trace where the source is located. This would give you a clue where the interconnect might be.

s-mahler · ‎09-24-2007

Thanks for the feedback. I'm looking!

...STeve