Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
967
Views
0
Helpful
4
Replies

Layer 2 and Layer 3 Broadcasts between VLANs.

mdelroy
Level 1
Level 1

‎11-23-2003 03:24 PM - edited ‎03-02-2019 11:55 AM

We have a 6509 core switch and 3500 series switches at the access layer. We have 23 VLANs defined on the 6509 ports. All ports on the access layer switches are members of the VLAN the 3500's are patched into on the 6509.

I found out that bridging is enabled between our VLANs on the 6509 because non IP SNA mainframe communication requires it. I am told that this means that layer 3 IP broadcasts will not propogate through the VLANs. However Layer 2 broadcasts will.

Due to a faulty configuration, access points in the wireless VLAN are broadcasting to a layer 2 broadcast mac address. The access point documentation says that the first two digits in the mac address are altered to, "turn on the broadcast bit". The documentation makes it sound like this creates a broadcast mac address without it being ff:ff:ff:ff:ff:ff. We can see these layer 2 broadcasts in all VLANs.

This give rise to a TCP/IP question. What is the destination mac address associated with a layer 3 IP broadcast? It appears that the mac address for a layer 3 IP broadcast is treated differently then the layer 2 broadcast mac address the access point are sending to since IP broadcasts do not propogate through the VLANs.

Can anyone explain this a bit more for me?

M.Delroy

Labels:
0 Helpful
4 Replies 4

rsissons
Level 5
Level 5

‎11-23-2003 05:00 PM

My understanding is that by bridging between VLANs at layer 2, you have effectively negated the advantages of segregating the traffic into different VLANs in the first place so all traffic which is not routed will be bridged.

The difference is that, if IP is being routed, an IP, layer 3 broadcast, even with a mac address of all FFs, will be contained within the network segment and not forwarded to other networks.

0 Helpful

mcvisser
Level 1
Level 1

‎11-23-2003 08:42 PM

A L2 broadcast is meant to go to all hosts in the broadcast domain. This is signalled as destination address ff:ff:ff:ff:ff:ff. A L2 multicast is go to hosts within the broadcast domain that are part of a multicast interest group. For instance the "interest group" for NetBEUI is 03.00.00.00.00.01, for DEC LAT they use 09.00.2B.00.00.0F.

A "dumb" Layer 2 switch doesn't discriminate between a broadcast or a multicast. It just looks for the first bit (the lower order one) in the first byte in the destination to be 1 (that is, the first byte is odd eg. ff, 03, 09 ). If this is the case it pushes the packet out all ports. A "smarter" switch, can discriminate a little more carefully. In your case only non-IP broadcasts/multicasts go to other VLANs.

IP broadcasts (such as for ARP) are sent to ff:ff:ff:ff:ff:ff. So are IPX broadcasts.

If the 6500 is configured to bridge non-IP broadcasts/multicasts between VLANs it needs to look at the Ethertype field to determine if it is IPv4 before it decides to bridge the packet. (IPv4 will have broadcasts with Ethertype 0800, IPX can use Ethertype 8137 (as well as a few others, which I won't go into here)). Thus the switch can distinguish the protocols that are in the packets, much the same as a packet sniffer can, though hopefully a lot more efficiently.

You didn't say exactly what sort of packets the AP is "broadcasting". (Of course at a Physical Layer the AP has to broadcast packets, but I'm sure that isn't what you mean). Whatever it changes to them to must be in compliance to some known protocol, at least know to the receiver. (Most network stacks treat broad/multicasts differently from unicasts for security reasons).

0 Helpful

mdelroy
Level 1
Level 1
In response to mcvisser

‎11-24-2003 04:51 PM

You have cleared this up nicely. The AP's are sending multicast layer 2 frames. This is due to a faulty configuration which has the AP's trying to contact a default mac address when looking for a WAP encryption key.

Some of our systems run IPX. I see IPX broadcasts propogating through the VLANs as well.

Another question this raises: Doesn't VLAN bridging make the network one large spanning tree domain negating the benefits of per VLAN spanning tree? I would think having a single spanning tree domain would slow down convergence.

0 Helpful

robho
Level 3
Level 3

‎11-24-2003 10:32 PM

Before T/S any further, check to make sure that you are not using IEEE as the bridge protocol. Use the other option - vlan-bridge. This will help avoid L2 loops and excessive O/H on MSFC. See below for details.

http://www.cisco.com/warp/public/473/inter-vlan_11072.html

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents