Layer 2 Bridging - Unknown Unicast - ARP or Flood?

response3
Level 1

Hi all,

I'm trying to understand when a layer-2 bridge (switch) would flood an unknown unicast frame. My understanding is that whenever a device needs to send a unicast frame, it would use ARP before sending, in which case the switch would already have the MAC address of the destination due to its ARP reply. It seems that there would never be a scenario where the switch would flood a unicast frame out all ports. My book lists this as a valid scenario. Am I missing something, or is this only possible in situations where ARP isn't used? Thanks.

5 Replies

Edison Ortiz
Hall of Fame

I've seen this behavior on customers' networks, and often it is due to incorrect configuration.

If you set the arp timer higher than your mac-address-table (a.k.a CAM) timer, you will see this kind of behavior.

The switch would have the IP address in ARP but not a corresponding MAC since it has aged out.

I agree with most of what Edison says. But not the part about often is due to incorrect configuration. The ARP timer in IOS is 4 hours and the CAM age timer defaults to 15 minutes. This mismatch exists before the customer starts to configure anything.

There are also situations where asymmetric paths can cause unicast flooding.

HTH

Rick


ohassairi
Level 5

Sometimes, when the MAC address table is full, the switch will become a hub: it broadcasts any frame. This is a well-known attack: flooding the network with unreal MAC addresses until the MAC address table becomes full.
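As an added example (not code from this thread or from Cisco), the following Python simulation of a learning bridge reproduces both failure modes the replies above describe: the ARP-cache/CAM-aging mismatch Edison and Rick discuss, and the CAM-exhaustion attack ohassairi mentions. The switch, hosts, MAC and IP addresses and port numbers are constructed for the demonstration; the timer values are the ones quoted in the thread (ARP 4 hours, CAM 300 seconds).

```python
"""Learning-bridge simulation: unknown-unicast flooding caused by an ARP/CAM
timer mismatch and by a full CAM table.  Added example, not code from the
thread or from Cisco.  Timers are the values quoted in the thread; hosts,
MACs, IPs and port numbers are constructed."""
from dataclasses import dataclass
from typing import Dict, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str      # source MAC
    dst: str      # destination MAC (unicast or broadcast)
    ingress: int  # switch port the frame arrived on


class Switch:
    """Transparent bridge: learns source MACs per port, ages them out,
    forwards known unicast to one port and floods everything else."""

    def __init__(self, ports: int, aging: float, capacity: int = 8192):
        self.ports, self.aging, self.capacity = ports, aging, capacity
        self.table: Dict[str, Tuple[int, float]] = {}  # mac -> (port, last_seen)

    def forward(self, f: Frame, now: float) -> Set[int]:
        for mac, (_, seen) in list(self.table.items()):
            if now - seen > self.aging:               # CAM aging
                del self.table[mac]
        if f.src in self.table or len(self.table) < self.capacity:
            self.table[f.src] = (f.ingress, now)      # learn/refresh; a full table learns nothing new
        hit = self.table.get(f.dst)
        if f.dst == BROADCAST or hit is None:         # broadcast or unknown unicast: flood
            return {p for p in range(self.ports) if p != f.ingress}
        return {hit[0]}


class Host:
    """End station with an ARP cache; resolves before sending unicast."""

    def __init__(self, mac: str, ip: str, port: int, arp_timeout: float):
        self.mac, self.ip, self.port, self.arp_timeout = mac, ip, port, arp_timeout
        self.arp: Dict[str, Tuple[str, float]] = {}   # ip -> (mac, learned_at)

    def send_ip(self, dst_ip: str, sw: Switch, hosts: Dict[str, "Host"], now: float) -> Set[int]:
        """Send one IP packet to dst_ip; returns the egress ports of the data frame."""
        cached = self.arp.get(dst_ip)
        if cached is None or now - cached[1] > self.arp_timeout:
            sw.forward(Frame(self.mac, BROADCAST, self.port), now)   # ARP request (broadcast)
            peer = hosts[dst_ip]
            sw.forward(Frame(peer.mac, self.mac, peer.port), now)    # ARP reply (unicast)
            self.arp[dst_ip] = (peer.mac, now)
        return sw.forward(Frame(self.mac, self.arp[dst_ip][0], self.port), now)


def make_lan(sw: Switch, arp_timeout: float) -> Tuple[Host, Host, Dict[str, Host]]:
    a = Host("00:00:5e:00:53:0a", "10.0.0.1", 0, arp_timeout)   # constructed addresses
    b = Host("00:00:5e:00:53:0b", "10.0.0.2", 1, arp_timeout)
    return a, b, {a.ip: a, b.ip: b}


def aging_mismatch(arp_timeout: float = 4 * 3600, cam_aging: float = 300) -> Tuple[Set[int], Set[int]]:
    """A sends to a silent B once, then again after B's CAM entry has aged out
    but while A's ARP entry is still valid.  Returns (first, later) egress sets."""
    sw = Switch(ports=4, aging=cam_aging)
    a, b, hosts = make_lan(sw, arp_timeout)
    first = a.send_ip(b.ip, sw, hosts, now=0)
    later = a.send_ip(b.ip, sw, hosts, now=cam_aging + 1)
    return first, later


def cam_exhaustion(capacity: int = 64) -> Tuple[Set[int], int]:
    """Attacker on port 3 sprays frames with bogus source MACs until the table
    is full, then A talks to B.  Returns (egress ports of A's data frame, table size)."""
    sw = Switch(ports=4, aging=300, capacity=capacity)
    a, b, hosts = make_lan(sw, 4 * 3600)
    for i in range(capacity + 16):
        bogus = "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF)  # made-up, locally administered
        sw.forward(Frame(bogus, "02:ff:ff:ff:ff:ff", 3), now=0)
    return a.send_ip(b.ip, sw, hosts, now=1), len(sw.table)


if __name__ == "__main__":
    print("default timers:", aging_mismatch())               # ({1}, {1, 2, 3}): second frame floods
    print("arp <= cam:    ", aging_mismatch(arp_timeout=300))  # ({1}, {1}): re-ARP re-teaches the switch
    print("full CAM:      ", cam_exhaustion())               # ({1, 2, 3}, 64): port 3 sees A's traffic
```

With the thread's timers the second frame to a quiet peer is flooded out every port, because A still trusts its ARP entry and never sends the broadcast that would make B answer and re-teach the switch; with the ARP timeout no longer than the CAM aging time the re-ARP happens first and the frame stays on one port. In the exhaustion case nothing from A or B can be learned once the table is full, so even B's unicast ARP reply is flooded to the attacker's port. On IOS the corresponding knobs are `mac address-table aging-time` (global) and `arp timeout` (per interface or SVI), and port security with a maximum MAC count bounds the address-spraying case.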

Thanks for the feedback, guys. What you're saying makes sense, and it's technically true. It's still misleading that my CCIE R&S book v3 says that this is the default behaviour of a switch, when in fact, you shouldn't see this in production.

Hi,

As Rick said, the ARP cache timeout is 4 hours while the L2 switch MAC address timeout is only 5 minutes by default.

So it can happen that the destination MAC is missing from the switch forwarding table.

See

http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00801d0808.shtml

and

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00807347ab.shtml#broadcast

BR,

Milan