Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Attention: The Community will be in read-only mode on 12/14/2017 from 12:00 am pacific to 11:30 am.

During this time you will only be able to see content. Other interactions such as posting, replying to questions, or marking content as helpful will be disabled for few hours.

We apologize for the inconvenience while we perform important updates to the Community.

New Member

Non-broadcast traffic appearing across VLAN

We run a network of several 2960G and 3650G switches in a network with a number of VLANs. One one particular VLAN (let's call it VLAN 10) it appears that non-broadcast traffic (i.e. normal unicast traffic) is being copied to every port in VLAN 10 only on one switch . The traffic is not crossing trunk ports and does not appear on other switches that have ports in VLAN 10. We first spotted this by noticing that a UPS port had an unusual amount of activity on our port througput graphs:

This traffic at 4 am is not expected and this profile is repeated across all ports in VLAN 10 on this switch (a  WS-C2960S-48TD-L stack running IOS 15.0(1)SE3)

Thinking that this must be unusual broadcast traffic we sniffed one port using local SPAN (the UPS port) and discovered that this traffic was not broadcast, which was running at a normal low rate at all times. The traffic appeared to be unicast traffic from other ports of the sort you might see on a hub. It was from various hosts that live on VLAN 10, most (not all) of the conversations had one end station homed on the 'problem' switch. There are about 800 non-broadcast packets per hour and this is a busy VLAN so it does not account for all the traffic on the VLAN.

We don't think that this is an artifact of our sniffing, but this is possible. Otherwise, we are stumped as to why this traffic is being copied out to multiple ports. Any suggestions would be most welcome.

Everyone's tags (4)
3 REPLIES
Bronze

Re: Non-broadcast traffic appearing across VLAN

Is the switch constantly flooding or is it periodically flooding (every 5 minutes) for an amount of time? Could be the cam table is full (maybe from mac spoofing or messed up aging timers) or maybe learning is disabled on the vlan (probably not). I'd check a couple things:

How does the cpu utilization look?

Is there any single port in the cam table that has an abnormally large amount of mac addresses?

Do a "sh spann vlan <#> detail" Is there an excessive amount of topology changes? topology changes will cause the switch to temporarily flood traffic.

A couple things you could do to address the symptoms, not necessarily the cause:

switchport block unicast (not sure if this is available on a 2960) on an interface will block all unknown unicast traffic

port security and/or dynamic arp inspection to address mac spoofing.

Sent from Cisco Technical Support iPad App

New Member

Re: Non-broadcast traffic appearing across VLAN

Thank you for these very useful pointers. Unknown flooding would seem to be the issue.

The flooding seems to be patternless, definitely not on a five minute cycle. I have attached a sample graph.

The mac address table has 1008 entries out of 8K. 928 are on one trunk port that links this switch to the rest of the network. Currently this is the only link to the rest of the network.

Latest topology change on VLAN 10 was 1d23h ago, so that would not seem to be the problem.

CPU usage runs at about 20% with some peaks at 60%-70%.

I will now check Akshay's suggestions about checking the mac addresses.

Daniel

New Member

Re: Non-broadcast traffic appearing across VLAN

Daniel,

This looks/sounds like typical unknown unicast flood situation. A situation where a swtich would flood unicast traffic as it does not know the Mac-address. The reason for not knowing the mac-address could  be anything ranging from rapid spanning-tree reconverences, cam table getting full , hardware issues with cam table, asymmetric data flow ( routing) etc.

So he first thing to do is note down the Destination Macs from the sniffer.  Then check if you have these Mac-address in he cam table of the switch , which is flooding it.   Check all the points that anjallicruz mentioned.

Here is a link for understanding and troublehooting unknown unicast flood issue.

http://www.cisco.com/en/US/customer/products/hw/switches/ps700/products_tech_note09186a00801d0808.shtml

Cheers,

AB

1423
Views
0
Helpful
3
Replies
CreatePlease to create content