Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
176
Views
0
Helpful
1
Replies

Unsuspected traffic while sniffing

edersonpassaura
Level 1
Level 1

‎11-24-2015 08:36 AM - edited ‎03-08-2019 02:49 AM

Hi,

We have a network communication failure at a industrial site, that uses some tcp and udp communication. To monitor I'm using tcpdump to collect the packets from one port to a mirrored port at the same switch.
Looking for the root causes, we've found some unexpected packets coming from a different IP source and destination  from the host that were monitoring.
I know it would be some spanning tree issues,  as I saw at:

https://supportforums.cisco.com/discussion/10724911/unsuspected-traffic-while-sniffing


Something at our topology change would causes the MAC address tables to flush entries prematurely, thereby possibly causing leakage of frames to improper ports until the MAC addresses are learnt again, but we didn't find any misconfiguration at the spanning-tree.

Does anyone have a better idea about this issues, and how to find out if is the spanning-tree that causes this?

We're using LAN hierarchical design:

Labels:
Preview file
49 KB
0 Helpful
1 Reply 1

Rolf Fischer
Level 9
Level 9

‎11-24-2015 10:47 PM

Hello,

if the unexpected traffic you're seeing is flooded unicast after CAM table flushes caused by STP topology changes ("TCs"), you can use the 'show spanning-tree detail' command to see where the last TC came from. I always use it with an RegExp which provides a handy output:

show spanning-tree detail | include exec|occur|from

It depends on the STP version which kind of events trigger TCs, so it would be interesting to know if you use RSTP or the legacy version or a mix of both. All Cisco or 3rd-party as well?

Often TCs are caused by ports to end devices without portfast configuration, so make sure that portfast is configured on all the edge ports.

If you see frequent changes in your STP topology, you could also enable 'spanning-tree logging' on your switches (or some of them) to track where the changes come from.

HTH

Rolf

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card