Packets flooding in same VLAN

David Lin · ‎10-01-2009

I created different VLANs on my C4948/C2960 switches. When I run the wireshake/ethereal on one server to cpature the packets, I can see all the packets coming in and out from other hosts in the same VLAN.

Is that normal? I think the packets are isolated by different switch port, it shouldn't go to other ports which are not the destination port expcept ARP or some other broadcast packets.

Please correct me. Thank you.

Venkatesh Shenoy · ‎10-01-2009

If you look at path of packet, when packets enter, first thing looked is destination MAC address. If this is not in mac address table ( for some reason ), the packets are flooded to all hosts in same VLAN. This is unknown unicast flooding.

Here is very good reference with example. http://www.ciscopress.com/articles/article.asp?p=336872

sschulak · ‎10-02-2009

use wireshark and apply a filter like this

Not arp and not llc and not eigrp and not hsrp and not

just keep adding all of broadcast and multicast protocols you see. Everyting else should be unicast.

After a few minutes of capturing click "statistics" and then click on "conversations" sort by bytes and see what all the traffic has in common probable the same HSRP destination address. find out what the commonality is and let us know or review the ARM and CAM table to see if the destnation address is constantly missing from CAM. I know of a bug on 6500s that does this.