Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
802
Views
7
Helpful
7
Replies

Tcp and snmp communication

stephtchoko
Level 3
Level 3

‎02-03-2009 04:36 AM - edited ‎03-04-2019 01:05 AM

Hello all;

I'm find an explanation of one issue face in our network. We have a part of our network which is not segmented.We install a sniffer server without configuring span, this sniffer server was connected to the cisco switch.

We discover that this sniffer is able to see tcp &snmp traffic between PRTG server and remote equipment monitored via snmp.

I'm confused, because i do not know why a unicast traffic can be received by sniffer. Please, can you know the different reason of this behavoir and how to avoid it ?

Thank you & Best regards.

Stephane.

Labels:
0 Helpful
7 Replies 7

paolo bevilacqua
Hall of Fame
Hall of Fame

‎02-03-2009 04:45 AM

Hi, something is not correct with the switch, and you should examine carefully its configuration.

0 Helpful

stephtchoko
Level 3
Level 3
In response to paolo bevilacqua

‎02-03-2009 05:11 AM

I attached the switch configuration and log. Please, have a look on it and let me know what should be aligned.

Regards,

Stephane.

Preview file
8 KB
0 Helpful

paolo bevilacqua
Hall of Fame
Hall of Fame
In response to stephtchoko

‎02-03-2009 05:18 AM

Check:

%C4K_EBM-4-HOSTFLAPPING: Host 00:13:C3:9A:A8:00 in vlan 1 is f

lapping between port Gi1/32 and port Gi1/37

You probably have a topology loop that causes the switch to flood unknown MAC to all ports.

paolo bevilacqua
Hall of Fame
Hall of Fame
In response to paolo bevilacqua

‎02-03-2009 05:39 AM

I do not understand the low rating give to my post above.

The switch is telling you clearly that you have at least one flapping MAC, so you should investigate that.

Please refrain to use the rating system if you can't make a good use of it.

0 Helpful

stephtchoko
Level 3
Level 3
In response to paolo bevilacqua

‎02-03-2009 06:18 AM

I put the low rate because, event when the switch forward the traffic to mac address HSRP the snffer is receiving it. I can not confirm that is coming the loop.You mention what is the root cause. We are still verifying.

Thank you for your comprehension.

Stephane.

0 Helpful

paolo bevilacqua
Hall of Fame
Hall of Fame
In response to stephtchoko

‎02-03-2009 06:32 AM

You did not mentioned HSRP in first place, in fact that is the most likely cause of unicast flooding. See cases 4 and 8 in the following document:

http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094afd.shtml

So, it's appropriate to bring all the facts and wait for the discussion to complete before giving ratings.

stephtchoko
Level 3
Level 3
In response to paolo bevilacqua

‎02-05-2009 12:59 AM

Hello bevilacqua,

Other than HSRP, can we have another explanation of lack of the unicast flooding ? Do you want to see the wireshark output ?

Regards,

Stephane.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card