Re: Unicast traffic

rsamuel37 · ‎07-23-2009

I'm looking for some good technical explanations on what affect unicast flooding or just excessive unicast traffic can have on a network. I know that my network's cam and arp timers are out of sync and unicast flooding is occurring every 5 minutes, but I'm looking for justification to get these synced up.

Here's the partial results of a 'sho int' from one of my vlans:

L2 Switched: ucast: 5804246620 pkt, 2701867618253 bytes - mcast: 4704092 pkt, 335588163 bytes

L3 in Switched: ucast: 177252646 pkt, 124539366887 bytes - mcast: 0 pkt, 0 bytes mcast

L3 out Switched: ucast: 611349324 pkt, 96313958155 bytes mcast: 0 pkt, 0 bytes

Thanks in advance.

/rls

Roman Rodichev · ‎07-23-2009

broadcast floods are rare these days, unicast floods are common and can hurt your network. I just had an issue at one of my customers last night where some server in a DMZ was for some reason sending so much traffic to the Internet that their checkpoint firewall was having difficulties forwarding traffic kill all DMZ traffic. So yes, excessive unicast traffic can be bad. If you suspect it, go through your switches, find the port that has a high rate of inbound traffic and find out why that's occuring.

Joseph W. Doherty · ‎07-23-2009

Effectively, a unicast flood behaves much as a multicast flood without IGMP snooping. Host NICs will ignore the packets, but links can be saturated with traffic. Or, perhaps, even better, you can think of it much like a hub. Every port gets a copy of every unicast (flooded) packet. Again, host NICs will ignore the packets. The network effect is bandwidth wasted on traffic that ports are not interested in seeing. (The one advantage vs. broadcast, the host doesn't need to examine the packet to determine whether it desires it or not.)