Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1078
Views
0
Helpful
3
Replies

Unicast data sent to all ports on VLAN

Go to solution
ebrandertsa
Level 1
Level 1

‎11-22-2010 02:35 PM - edited ‎03-07-2019 12:35 AM

Gurus,

I'm seeing what appears to be all data on a VLAN being set to every other port on that VLAN across multiple switches connected via dot1q trunks. A packet capture shows me that all the traffic is destined for a single MAC address, one that does not show up in any MAC address table on any of the switches. The first 6 digits of the MAC is 00-50-5a indicating something from Network Alchemy which is now owned by Nokia. We have CheckPoint firewalls on Nokia hardware so I'm thinking they are involved somehow. Am I right to assume that since it's not in the table, Cisco is going to  send it to every port in the VLAN until it learns the MAC - which looks like it will never happen?


Any suggestions as to how I find out why the traffic is destined to this MAC address yet it's not in the MAC address table?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Chad Peterson
Cisco Employee
Cisco Employee
In response to ebrandertsa

‎11-22-2010 04:02 PM

I'm not sure anyone is at fault here. Normally clustering device that

run in a "unicast mode" will send an ARP that binds the IP address to a

MAC address that will never be used to source a packet. Because the mac

never source a packet, we never install that mac address, causing

unicast flooding.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Chad Peterson
Cisco Employee
Cisco Employee

‎11-22-2010 02:48 PM

Hi Eric,

You are correct, you are seeing expected behavior.  By default all switches should flood unicast traffic that is destined to an unknown mac address.

This can happen for a variety of reasons, but if you don't see the mac address anywhere, its possible that the host does not respond using that MAC address.  What I would do to find it is to put wireshark on a PC in the same vlan that you see the flooding.  Then PING the IP address that you see this flooded traffic for.  What we are looking for is the ARP Response.  Perhaps the ARP Response will be sourced from a different MAC address than where it reports the address to be.  If that holds true, you can then track down who is sending this ARP Response and figure out why.

If the process of pinging it and forcing the host to send an ARP packet fixes the problem, likely the end host just doesn't put much data on the network, and the MAC address simply times out.  In this case you have some options like increasing your CAM aging timer to be higher than ARP timeout.  Depending on the situation this may or may not work, but its a good trick to force the CAM table to be up to date w/ the ARP table.


Chad

0 Helpful

Go to solution
ebrandertsa
Level 1
Level 1
In response to Chad Peterson

‎11-22-2010 03:59 PM

Thanks for the reply.

I think I found it: Checkpoint cluster is set to use "Unicast mode" for clustering. CheckPoint then blames Cisco for not honoring it's ARP reply so I have to create static ARP entries for every address hosted by the CheckPoint.  Anyone experienced this and can speak to any gotchas I need to be concerned with?

0 Helpful

Go to solution
Chad Peterson
Cisco Employee
Cisco Employee
In response to ebrandertsa

‎11-22-2010 04:02 PM

I'm not sure anyone is at fault here. Normally clustering device that

run in a "unicast mode" will send an ARP that binds the IP address to a

MAC address that will never be used to source a packet. Because the mac

never source a packet, we never install that mac address, causing

unicast flooding.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card