01-20-2014 09:01 AM - edited 03-07-2019 05:40 PM
I have a stack of 3850’s trunked to our core. I have a 3560G switched trunked off the 3850’s and one last 3560G connected to the pevious 3560 as shown below (may not be ideal but no choice for the moment)
<Core>====<3850>======<3560>======<3560>
I’m using cacti to monitor the ports and I see there’s 5 megabits of traffic going out each 3850 port to the connected machine. On the 3560’s, that number is much, much less.
If I run wireshark, the biggest difference I see is the machine connected to the 3850 is seeing all kinds of traffic not destined for it (UDP and TCP streams). Probably some camera streams.
I have some vmware hosts connected to the 3850 and I can see some of the unexpected traffic is going to/from different vms but there’s also a lot of other traffic. (Based on the address, these are meant for specific machines, I’m not seeing a multicast storm/broadcast)
My 3850 is sending 5 megabits to each port
The first 3560 is sending maybe 600 kilobits
The next 3560 down the road is sending roughly 300 kilobits.
If someone starts to pull a lot of streams, I’m worried the 3850 will be sending a lot of useless packets to some machines and causing problems (which has happened before)
Is there something I can do on the 3850 to figure out why this is happening?
Thanks
01-20-2014 10:11 AM
Hi,
where's your cacti and the machine with sniffing software? Are they the same machine ?
Could these be unknown unicast packets you're seeing( is sniffing interface in prosmicuous mode ?)
Regards
Alain
Don't forget to rate helpful posts.
01-20-2014 11:16 AM
Cacti is running on a VM (whose ESXi host is conected to the 3850). Wireshark is running on a physical machine connected to the same 3850.
I am sniffing in promiscuous mode but i'm confused as to why I see it when connected to the 3850 but not on a machine connected to the 3560 (and a lot less traffic in general on the 3560). The 3560 is connected via layer 2 to the 3850.
In the past when igmp snooping wasn't working properly, a huge storm would cause a problem on some machines so I'm just afraid that the 3850 might be sending traffic on ports which it shouldn't be.
01-23-2014 04:34 AM
Trying to troubleshoot this issue and it seems like my problem might be related to the ARP table.
On the 3850:
sh mac add acount:
Mac Entries for Vlan 50:
---------------------------
Dynamic Address Count : 785
Static Address Count : 1
Total Mac Addresses : 786
sh arp summary
Interface Entry Count
Vlan50 1434
I configued a spare switch with the same basic config (it's not a 3850 though), adjuted the vlan ips to avoid a conflict and have 1 laptop connected so i can run wireshark
for this other switch, sh mac add count gives
Mac Entries for Vlan 50:
---------------------------
Dynamic Address Count : 936
Static Address Count : 0
Total Mac Addresses : 936
sh arp summary gives me:
Interface Entry Count
Vlan50 9
Neither switch is set as the gateway for any device.
On my 3850 which is spamming ports, I have twice as many arp entries as mac addresses. If i check entries from the arp table vs. the mac table, not all items from the arp table are in the mac table.
On this test switch i setup, it's the total opposite. It's picking up almost no arp entries but learns about a ton of mac addresses it sees on the trunk to the core. Checking the stats on the port where the laptop is connected shows maybe half a megabit traffic.
I'm not quite sure where to go next in my troubleshooting. Any suggestions?
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: