Unicast Flooding

Unanswered Question
Oct 14th, 2009

Hi,

I just want to know about unicast flooding. I am experiencing a scenario where, when I put a laptop on a port on a switch and start sniffing the network, I see unicast traffic coming from other switches but within the same VLAN. I am not using any SPAN sessions. I just plug in a laptop and start sniffing. The unicast traffic that I'm seeing is valid traffic.

Hope you could help. Thanks.

Giuseppe Larosa Wed, 10/14/2009 - 23:33

Hello Roselyn,

Verify whether the destination MAC address is really unknown in the switches' CAM tables.

The only case when unicast flooding should happen is when the destination host has not started to talk; in this case someone is sending traffic to it because it has the MAC address in its ARP table (ARP timeout can be hours, CAM timeout is 300 seconds).

So some unicast flooding can happen in a healthy network.

It is a different case if a MAC address flooding attack is happening.

If the CAM tables are full of random MAC addresses, legitimate MAC addresses can be unicast flooded because there is no space for them in the CAM table.

You can check this on IOS-based switches using

sh mac address-table count

or

sh mac-address-table count

(version dependent)

Hope to help

Giuseppe
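
A toy model of the behaviour described in the answer above, added here as an example that is not part of the original thread or any vendor code: a learning switch with the 300-second CAM aging the answer quotes, showing flooding toward a host that has gone silent and flooding when the table has no free space. The class name, port numbers, MAC labels and table capacities are constructed for illustration.

```python
# Added illustration: a toy learning switch, not vendor code.
CAM_AGING = 300  # seconds, the CAM timeout quoted in the answer above


class LearningSwitch:
    def __init__(self, ports, capacity):
        self.ports = set(ports)
        self.capacity = capacity  # assumed CAM size (constructed value)
        self.cam = {}             # MAC -> (port, last_seen)

    def _age_out(self, now):
        # Drop entries whose source has been silent for CAM_AGING seconds.
        self.cam = {m: (p, t) for m, (p, t) in self.cam.items()
                    if now - t < CAM_AGING}

    def receive(self, now, in_port, src, dst):
        """Learn src, then return the set of ports the frame leaves on."""
        self._age_out(now)
        if src in self.cam or len(self.cam) < self.capacity:
            self.cam[src] = (in_port, now)  # learn or refresh
        entry = self.cam.get(dst)
        if entry is None:                   # unknown unicast: flood the VLAN
            return self.ports - {in_port}
        return {entry[0]}

    def utilisation(self, now):
        self._age_out(now)
        return len(self.cam) / self.capacity


def silent_host_scenario():
    """B goes quiet; A still has B's MAC in its ARP cache and keeps sending."""
    sw = LearningSwitch(ports=[1, 2, 3], capacity=8)
    sw.receive(0, 2, "B", "A")              # B talks once, learned on port 2
    known = sw.receive(10, 1, "A", "B")     # forwarded to port 2 only
    flooded = sw.receive(400, 1, "A", "B")  # B aged out after 300 s: flooded
    return known, flooded


def full_table_scenario():
    """Table already full of other entries, so B can never be learned."""
    sw = LearningSwitch(ports=[1, 2, 3], capacity=4)
    for i in range(4):                      # constructed filler entries
        sw.receive(0, 3, f"filler-{i}", "A")
    sw.receive(1, 2, "B", "A")              # no free slot: B is not learned
    return sw.receive(2, 1, "A", "B"), sw.utilisation(2)


if __name__ == "__main__":
    print(silent_host_scenario(), full_table_scenario())
```

A laptop on port 3 in this model sees the frames for B in both flooded cases, which matches what a sniffer without a SPAN session observes.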

rc.castillo Wed, 10/14/2009 - 23:44

Hi,

When you have unicast flooding, regardless of what protocol, are you going to see traffic from other switches (i.e. FTP, SMB)?

Thanks.

Giuseppe Larosa Thu, 10/15/2009 - 00:01

Hello Roselyn,

>> When you have unicast flooding, regardless of what protocol, are you going to see traffics from other switches

Yes, within the same VLAN it is possible: it is a single broadcast domain that spans multiple L2 switches.

Hope to help

Giuseppe

rc.castillo Thu, 10/15/2009 - 00:15

Hi,

What if I am only seeing a specific protocol (SMB)? Would you consider it unicast flooding, or is it maybe the behavior of the server that causes this?

Thanks.

Giuseppe Larosa Thu, 10/15/2009 - 00:23

Hello Roselyn,

It can be both at the same time.

From a networking point of view, frames with an unknown unicast destination are flooded.

The root cause can be a server having a wrong ARP entry, for example.

I would check the default gateway for the vlan using

sh ip arp | inc

and I would compare this with the IP destination address on the captured packet.

Hope to help

Giuseppe

rc.castillo Mon, 10/26/2009 - 05:07

Hi Sir,

My problem is that, even when there is no SPAN session, when I plug my PC into a port in the same VLAN as my servers, I can see that the other server is sending unicast to a specific server. This behavior does not occur all the time. The traffic that I am seeing is SMB, but when I'm doing an FTP to this specific server I can't see any FTP traffic. Also, these servers are located on two different switches.

Hope you could help. Thanks.
