
New Member

unexpected traffic available to sniffer on a switch

Hi,

I work on a 6000 seat network where unfortunately most seats have been placed in VLAN 1 - over 2000.

Occasionally I will Ethereal a switch port and see traffic between 2 hosts which we shouldn't see in a switched network.

I am assuming that the switch has blown its L2 forwarding table and has become a hub.

Is there a command which would tell me whether this was the case?

sh mac-address-table count seems to suggest that the switch still has plenty of room left :-

Total Mac Address Space Available: 7926

Obviously I am busy sub-netting the network into smaller chunks.

I believe setting port security etc would also help, but I would just like to be sure that this table blowing is in fact what is happening.

Many thanks !

7 REPLIES
New Member

Re: unexpected traffic available to sniffer on a switch

can you clarify....what type of traffic...is it broadcast?

"Occasionally I will Ethereal a switch port and see traffic between 2 hosts which we shouldn't see in a switched network."

New Member

Re: unexpected traffic available to sniffer on a switch

hi,

No it is traffic between individual hosts suggesting the switch has blown its L2 table and is acting as a hub

cheers

New Member

Re: unexpected traffic available to sniffer on a switch

Hi

it could also be that the MACs have been aged out of CAM so the switch is in the process of re-learning the MACs.

Thanks

Rgds

HH

New Member

Re: unexpected traffic available to sniffer on a switch

Try the command "show spanning-tree detail" and at line six of the VLAN in question, check to see how long it's been since the last topology change (should be days or weeks, not minutes). Likely you are seeing the results of topology changes caused by lack of "portfast" being enabled on the access ports. Or you have a link flapping somewhere in the network, causing the changes.

Cheers,

Brian

New Member

Re: unexpected traffic available to sniffer on a switch

Hi Paul,

There are times in the network when you will see unicast traffic on a port where it should not be.

This could happen because of:

a) Microsoft servers running NLB

b) Unicast flooding

I would recommend reading these articles, which will help you understand it better.

http://cisco.com/en/US/partner/products/hw/switches/ps700/products_tech_note09186a00801d0808.shtml

http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=1176827&SiteID=1

New Member

Re: unexpected traffic available to sniffer on a switch

Thanks, I am aware of the load balancing issue and we put those into a separate VLAN.

Sub netting the network should lessen and then eliminate the problem.

The question was what command can I issue on a switch to determine whether it has blown its L2 forwarding table.

New Member

Re: unexpected traffic available to sniffer on a switch

Hi

The sh mac-address-table count should show you the amount of MAC address space available on the switch (see sample output below):

Mac Entries for Vlan 1:
---------------------------
Dynamic Address Count : 0
Static Address Count : 0
Total Mac Addresses : 0

Mac Entries for Vlan 100:
---------------------------
Dynamic Address Count : 0
Static Address Count : 0
Total Mac Addresses : 0

Mac Entries for Vlan 101:
---------------------------
Dynamic Address Count : 0
Static Address Count : 0
Total Mac Addresses : 0

Total Mac Address Space Available: 7453

Thanks
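
One way to turn the `sh mac-address-table count` output quoted in this thread into a yes/no answer on table exhaustion, as an added example that is not code from any participant or from Cisco. The counts in `SAMPLE` are constructed, `min_free_ratio` is a hypothetical alert threshold, and treating used plus available entries as the table size is an assumption.

```python
import re
# Constructed sample in the layout of "sh mac-address-table count" quoted in this thread.
SAMPLE = """\
Mac Entries for Vlan 1:
---------------------------
Dynamic Address Count : 2104
Static Address Count : 3
Total Mac Addresses : 2107
Mac Entries for Vlan 100:
---------------------------
Dynamic Address Count : 40
Static Address Count : 0
Total Mac Addresses : 40
Total Mac Address Space Available: 6045
"""

VLAN_RE = re.compile(r"Mac Entries for Vlan\s+(\d+)\s*:")
FIELD_RE = re.compile(r"(Dynamic|Static)\s+Address Count\s*:\s*(\d+)")
AVAIL_RE = re.compile(r"Total Mac Address Space Available\s*:\s*(\d+)")

def parse_mac_count(text):
    """Return ({vlan: {'dynamic': n, 'static': n}}, available_or_None)."""
    vlans, current, available = {}, None, None
    for line in text.splitlines():
        if m := VLAN_RE.search(line):
            current = vlans.setdefault(int(m.group(1)), {"dynamic": 0, "static": 0})
        elif (m := FIELD_RE.search(line)) and current is not None:
            current[m.group(1).lower()] = int(m.group(2))
        elif m := AVAIL_RE.search(line):
            available = int(m.group(1))
    return vlans, available

def cam_report(text, min_free_ratio=0.05):
    """Summarise table usage; min_free_ratio is a hypothetical alert threshold."""
    vlans, available = parse_mac_count(text)
    if available is None:
        raise ValueError("no 'Total Mac Address Space Available' line found")
    used = sum(v["dynamic"] + v["static"] for v in vlans.values())
    capacity = used + available  # assumption: used + free approximates table size
    free_ratio = available / capacity if capacity else 0.0
    return {
        "used": used, "available": available,
        "free_ratio": round(free_ratio, 3),
        "busiest_vlan": max(vlans, key=lambda v: sum(vlans[v].values()), default=None),
        "table_exhausted": free_ratio < min_free_ratio,
    }

if __name__ == "__main__":
    print(cam_report(SAMPLE))
```

If unexpected unicast frames show up while `table_exhausted` is false, the table is not full, which leaves the other causes raised in the replies (aged-out entries, topology changes) to check.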
