3850 incorrectly sending unicast traffic to multiple ports

CrackedJack1
Level 1

I have a stack of 3850’s trunked to our core. I have a 3560G switch trunked off the 3850’s and one last 3560G connected to the previous 3560 as shown below (may not be ideal but no choice for the moment)

<Core>====<3850>======<3560>======<3560>

I’m using cacti to monitor the ports and I see there’s 5 megabits of traffic going out each 3850 port to the connected machine. On the 3560’s, that number is much, much less.

If I run wireshark, the biggest difference I see is the machine connected to the 3850 is seeing all kinds of traffic not destined for it (UDP and TCP streams). Probably some camera streams.

I have some vmware hosts connected to the 3850 and I can see some of the unexpected traffic is going to/from different vms but there’s also a lot of other traffic. (Based on the address, these are meant for specific machines, I’m not seeing a multicast storm/broadcast)

My 3850 is sending 5 megabits to each port

The first 3560 is sending maybe 600 kilobits

The next 3560 down the road is sending roughly 300 kilobits.

If someone starts to pull a lot of streams, I’m worried the 3850 will be sending a lot of useless packets to some machines and causing problems (which has happened before)

Is there something I can do on the 3850 to figure out why this is happening?

Thanks


cadet alain
VIP Alumni

Hi,

Where's your cacti and the machine with sniffing software? Are they the same machine?

Could these be unknown unicast packets you're seeing (is the sniffing interface in promiscuous mode?)

Regards

Alain

Don't forget to rate helpful posts.


Cacti is running on a VM (whose ESXi host is connected to the 3850). Wireshark is running on a physical machine connected to the same 3850.

I am sniffing in promiscuous mode but I'm confused as to why I see it when connected to the 3850 but not on a machine connected to the 3560 (and a lot less traffic in general on the 3560). The 3560 is connected via layer 2 to the 3850.

In the past when igmp snooping wasn't working properly, a huge storm would cause a problem on some machines so I'm just afraid that the 3850 might be sending traffic on ports which it shouldn't be.

Trying to troubleshoot this issue and it seems like my problem might be related to the ARP table.

On the 3850:

sh mac add count:


Mac Entries for Vlan 50:
---------------------------
Dynamic Address Count  : 785
Static  Address Count  : 1
Total Mac Addresses    : 786


sh arp summary


Interface              Entry Count
Vlan50                        1434


I configured a spare switch with the same basic config (it's not a 3850 though), adjusted the vlan ips to avoid a conflict and have 1 laptop connected so I can run wireshark


for this other switch, sh mac add count gives

Mac Entries for Vlan 50:
---------------------------
Dynamic Address Count  : 936
Static  Address Count  : 0
Total Mac Addresses    : 936


sh arp summary gives me:

Interface              Entry Count
Vlan50                           9


Neither switch is set as the gateway for any device.

On my 3850 which is spamming ports, I have twice as many arp entries as mac addresses. If I check entries from the arp table vs. the mac table, not all items from the arp table are in the mac table.

On this test switch I set up, it's the total opposite. It's picking up almost no arp entries but learns about a ton of mac addresses it sees on the trunk to the core. Checking the stats on the port where the laptop is connected shows maybe half a megabit traffic.

I'm not quite sure where to go next in my troubleshooting. Any suggestions?
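
The ARP-table versus MAC-table comparison described in the last post, as an added example that is not part of the thread: it lists ARP entries on one VLAN interface whose hardware address is absent from that VLAN's MAC address table. The sample text is constructed (made-up addresses) in the layout of IOS `show ip arp` and `show mac address-table` output, and the function names are hypothetical.

```python
import re

# Constructed sample output (addresses are made up), laid out like
# IOS "show ip arp" and "show mac address-table".
ARP_OUTPUT = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.50.0.11              3   0011.2233.4401  ARPA   Vlan50
Internet  10.50.0.12             12   0011.2233.4402  ARPA   Vlan50
Internet  10.50.0.13              -   0011.2233.4403  ARPA   Vlan50
Internet  10.50.0.14              0   Incomplete      ARPA
Internet  10.60.0.20              5   0011.2233.4420  ARPA   Vlan60
"""
MAC_OUTPUT = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  50    0011.2233.4401    DYNAMIC     Gi1/0/5
  50    0011.2233.4403    STATIC      Vl50
  60    0011.2233.4420    DYNAMIC     Te1/1/1
"""

MAC_RE = r"[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}"

def parse_arp(text, interface):
    """Return {mac: ip} for resolved ARP entries on one interface."""
    pat = re.compile(rf"^Internet\s+(\S+)\s+\S+\s+({MAC_RE})\s+\S+\s+(\S+)\s*$")
    out = {}
    for line in text.splitlines():
        m = pat.match(line)  # "Incomplete" entries carry no MAC and are skipped
        if m and m.group(3).lower() == interface.lower():
            out[m.group(2).lower()] = m.group(1)
    return out

def parse_mac_table(text, vlan):
    """Return {mac: port} for one VLAN of the MAC address table."""
    pat = re.compile(rf"^\s*(\d+)\s+({MAC_RE})\s+\S+\s+(\S+)\s*$")
    return {m.group(2).lower(): m.group(3)
            for m in map(pat.match, text.splitlines())
            if m and int(m.group(1)) == vlan}

def arp_without_mac(arp_text, mac_text, vlan):
    """ARP entries whose MAC the switch has not learned in that VLAN.
    By default a switch floods unicast frames for an unlearned destination
    MAC out the other ports in the VLAN (unknown unicast)."""
    arp = parse_arp(arp_text, f"Vlan{vlan}")
    learned = parse_mac_table(mac_text, vlan)
    return sorted((ip, mac) for mac, ip in arp.items() if mac not in learned)

if __name__ == "__main__":
    for ip, mac in arp_without_mac(ARP_OUTPUT, MAC_OUTPUT, 50):
        print(f"{ip:15} {mac}  in ARP table, not in MAC table")
```
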
