Cisco Support Community
New Member

Unicast Flooding

Hi,

I just want to know about unicast flooding. I am experiencing a scenario in which, when I put a laptop on a port on a switch and start sniffing the network, I see unicast traffic coming from other switches but within the same VLAN. I am not using any SPAN sessions; I just plug in a laptop and start sniffing. The unicast traffic that I'm seeing is valid.

Hope you can help. Thanks.

7 REPLIES
Hall of Fame Super Silver

Re: Unicast Flooding

Hello Roselyn,

Verify whether the destination MAC address is really unknown in the switches' CAM tables.

The only case when unicast flooding should happen is when the destination host has not started to talk;

in this case someone is sending traffic to it because it has the MAC address in its ARP table (the ARP timeout can be hours, the CAM timeout is 300 seconds).

So some unicast flooding can happen in a healthy network.

It is a different case if a MAC address flooding attack is happening.

If the CAM tables are full of random MAC addresses, legitimate MAC addresses can be unicast flooded because there is no space for them in the CAM table.

You can check this on IOS-based switches using

sh mac address-table count

or

sh mac-address-table count

(version dependent)

Hope to help

Giuseppe
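
To find which destination MACs to look up in the CAM table, the sketch below (an added example, not part of the original thread) counts frames in a capture that are unicast to a host other than the capturing laptop. The MAC addresses, the sample frames and the helper names `flooded_unicast` and `frame` are constructed for illustration.

```python
import struct
from collections import Counter

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def flooded_unicast(frames, my_mac):
    """Count frames seen on this port that are unicast to some other host.
    Keys are (dst_mac, src_mac, tcp_dst_port or None)."""
    me = bytes.fromhex(my_mac.replace(":", ""))
    hits = Counter()
    for f in frames:
        if len(f) < 14:                    # shorter than an Ethernet header
            continue
        dst, src = f[0:6], f[6:12]
        ethertype = struct.unpack("!H", f[12:14])[0]
        if dst[0] & 0x01:                  # I/G bit set: broadcast/multicast, always flooded
            continue
        if me in (dst, src):               # our own traffic is expected on this port
            continue
        dport = None
        if ethertype == 0x0800 and len(f) >= 34 and f[23] == 6:   # IPv4 carrying TCP
            ihl = (f[14] & 0x0F) * 4
            if len(f) >= 14 + ihl + 4:
                dport = struct.unpack("!H", f[14 + ihl + 2:14 + ihl + 4])[0]
        hits[(mac(dst), mac(src), dport)] += 1
    return hits

def frame(dst, src, dport=None):
    """Build a constructed test frame: TCP to dport, or an ARP-sized stub if dport is None."""
    eth = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if dport is None:
        return eth + b"\x08\x06" + bytes(28)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 49152, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + b"\x08\x00" + ip + tcp

# Constructed sample: locally administered MACs, not taken from any real network.
ME, SRV_A, SRV_B = "02:00:00:00:00:aa", "02:00:00:00:00:01", "02:00:00:00:00:02"
SAMPLE = [frame(SRV_B, SRV_A, 445)] * 3 + [
    frame("ff:ff:ff:ff:ff:ff", SRV_A),     # broadcast ARP: normal
    frame(ME, SRV_A, 21),                  # addressed to the laptop: normal
    frame("01:00:5e:00:00:fb", SRV_A),     # multicast: normal
]

if __name__ == "__main__":
    for (dst, src, port), n in flooded_unicast(SAMPLE, ME).most_common():
        print(f"{n} frame(s) {src} -> {dst} tcp/{port}: check CAM entry for {dst}")
```

Each destination MAC it reports is one to check in the CAM table with the commands above; an absent entry matches the unknown-unicast case described in this reply.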

New Member

Re: Unicast Flooding

Hi,

When you have unicast flooding, regardless of protocol, are you going to see traffic from other switches (i.e. FTP, SMB)?

Thanks.

Hall of Fame Super Silver

Re: Unicast Flooding

Hello Roselyn,

>> When you have unicast flooding, regardless of protocol, are you going to see traffic from other switches

Yes, within the same VLAN it is possible: it is a single broadcast domain that spans multiple L2 switches.

Hope to help

Giuseppe

New Member

Re: Unicast Flooding

Hi,

What if I am only seeing a specific protocol (SMB)? Would you consider it unicast flooding, or maybe it is the behavior of the server that causes this?

Thanks.

Hall of Fame Super Silver

Re: Unicast Flooding

Hello Roselyn,

It can be both at the same time.

From a networking point of view, frames with an unknown unicast destination are flooded.

The root cause can be a server having a wrong ARP entry for example.

I would check the default gateway for the vlan using

sh ip arp | inc

and I would compare this with the IP destination address on the captured packet.

Hope to help

Giuseppe

Bronze

Re: Unicast Flooding

A common cause of unicast flooding can also be asymmetric routing. Since you are talking about SMB (file transfer protocol), you might have this problem. See http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00801d0808.shtml

New Member

Re: Unicast Flooding

Hi Sir,

My problem is that, even when there is no SPAN session, when I plug my PC into a port in the same VLAN as my servers, I can see that the other servers are sending unicast traffic to a specific server. This behavior does not occur all the time. The traffic that I am seeing is SMB, but when I'm doing an FTP to this specific server I can't see any FTP traffic. Also, these servers are located on two different switches.

Hope you can help. Thanks.
