Solved: Re: Wireshark capture on access port displays different vlan tra

abukuru95 · ‎06-13-2013

Hi Guys,

i have a nexus 4001i Blade Center Switch where i have a server connected in mode access to a particular vlan.

when i use wireshark on this port, i see different traffic conversations of different servers in different vlans which seems strange to me.

anybody have an idea why a server in mode access with wireshark is able to view different vlan traffic? I also see non multicast and non broadcast converations.

the port the server is connected to is not a monitor port but only in switch port mode access.

thanks in advance for you feedback

Steve Fuller · ‎06-13-2013

Hi,

So it looks like you're getting unicast traffic flooded to all ports. There are a couple of reasons I've come across that can cause this.

Asymmetric routing: See Unicast Flooding in Switched Campus Networks and/or Case Study #8: Asymmetric Routing and HSRP (Excessive Flooding of Unicast Traffic in Network with Routers That Run HSRP) for details of why it happens and how to prevent it.

Microsoft Network Load Balancing. As per the Microsoft Troubleshooting NLB:

In unicast mode (the default Forefront TMG cluster operation mode) NLB induces switch flooding, by design, relaying packets sent to the VIP addresses to all cluster hosts. Switch flooding is part of the NLB strategy for obtaining the best throughput for any specific load of client requests. However, if the NLB interfaces share the switch with other (non-cluster) computers, switch flooding can add to the other computers' network overhead by including them in the flooding and consequently have a detrimental effect on network and/or server performance.

Regards

View solution in original post

AJ Cruz · ‎06-13-2013

I can't remember the details, but I've ran into issues in the past where a Nexus 1000v for whatever reason doesn't learn mac addresses and starts flooding unicast traffic. I'll see if I can find more info on that.

Edit: I had 1000v on the brain, you asked about a blade switch. You're probably still seeing unknown unicast traffic though the reason might be different than the 1000v issue.

Sent from Cisco Technical Support Android App

Steve Fuller · ‎06-13-2013

Hi,

So it looks like you're getting unicast traffic flooded to all ports. There are a couple of reasons I've come across that can cause this.

Asymmetric routing: See Unicast Flooding in Switched Campus Networks and/or Case Study #8: Asymmetric Routing and HSRP (Excessive Flooding of Unicast Traffic in Network with Routers That Run HSRP) for details of why it happens and how to prevent it.

Microsoft Network Load Balancing. As per the Microsoft Troubleshooting NLB:

In unicast mode (the default Forefront TMG cluster operation mode) NLB induces switch flooding, by design, relaying packets sent to the VIP addresses to all cluster hosts. Switch flooding is part of the NLB strategy for obtaining the best throughput for any specific load of client requests. However, if the NLB interfaces share the switch with other (non-cluster) computers, switch flooding can add to the other computers' network overhead by including them in the flooding and consequently have a detrimental effect on network and/or server performance.

Regards

abukuru95 · ‎06-13-2013

Thanks for you detailed explanation !

Wireshark capture on access port displays different vlan traffic