Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
259
Views
0
Helpful
2
Replies

Fixed an issue but have no idea what the issue was

prerak007
Level 1
Level 1

‎09-28-2009 11:30 AM - edited ‎03-06-2019 07:54 AM

I have device "A" on VLAN 30, when I ping a device "B" on VLAN 10, I get response back from device "B" and device "C" both of them on VLAN 10.

Now we suspected some tyep of loop causing Device 'C" also to respond but couldn't figure out the loop. We ended up disabling unicast flooding on VLAN 10, which fixed the issue!! However I still don't understand the underlying issue. Also not sure if disabling unicast flooding would cause some other issue??

Would appreciate any help from Pros.

Labels:
0 Helpful
2 Replies 2

Giuseppe Larosa
Hall of Fame
Hall of Fame

‎09-28-2009 12:03 PM

Hello Prerak,

if two devices were answering to same ICMP request packet some possibilities are:

legitimate device B was silent in last CAM aging time (300 seconds)

router or multilayer switch has an ARP entry for B (4 hours by default far bigger then CAM aging time) packet is sent out within a frame with MAC SA= router interface/multilayer SVI and MAC DA= host B MAC address.

being host B MAC not present in CAM the frame is treated as a broadcast and sent to all ports in Vlan 10

host C receives the packet and processes it (its NIC might be in promiscuous mode) and decided to answer to it.

result host A receives two answers for its first ICMP echo request.

but following ICMP requests should be answered by host B only unless host C is trying to do some form of man in the middle or network device is not behaving correctly.

Effects of unicast flooding disabled:

with unicast flooding disabled on vlan 10, frames with an unknown unicast destination are not sent out all ports of vlan10 and until the NIC that uses that MAC address doesn't talk again there is no way to deliver these frames with unknown destination MAC address.

in other words you have no problems if all hosts in the subnet are always talking (at least one packet in less then 300 seconds)

this can be true for network servers, not so common for user PCs.

I think you should investigate on why this host C was answering, also it is important to see if it anwers only to first ICMP request or also to following ones (this second case is very strange and would point to some man in the middle sw running on it)

Hope to help

Giuseppe

0 Helpful

prerak007
Level 1
Level 1
In response to Giuseppe Larosa

‎09-28-2009 12:18 PM

Thanks so much your explanation, it helps a lot. One thing I kept wondering is how an unicast frame gets to device C in the first place. I have to run ping from A->B for a while before I start seeing duplicates!..And when I start seeing duplicates it alternates between B and C. Basically, once I start seeing duplicates I see replies from both B and C.

No what is interesting is device C is a combination of bridge/router. And on unintended frames i see MAC SA= Device C and MAC DA= Device B. The other pings have MAC SA= Device A and MAC DA=Device B.

Thank you again.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card