01-20-2014 09:01 AM - edited 03-07-2019 05:40 PM
I have a stack of 3850’s trunked to our core. I have a 3560G switch trunked off the 3850’s and one last 3560G connected to the previous 3560 as shown below (may not be ideal but no choice for the moment).
<Core>====<3850>======<3560>======<3560>
I’m using cacti to monitor the ports and I see there’s 5 megabits of traffic going out each 3850 port to the connected machine. On the 3560’s, that number is much, much less.
If I run wireshark, the biggest difference I see is the machine connected to the 3850 is seeing all kinds of traffic not destined for it (UDP and TCP streams). Probably some camera streams.
I have some vmware hosts connected to the 3850 and I can see some of the unexpected traffic is going to/from different vms but there’s also a lot of other traffic. (Based on the address, these are meant for specific machines, I’m not seeing a multicast storm/broadcast)
My 3850 is sending 5 megabits to each port
The first 3560 is sending maybe 600 kilobits
The next 3560 down the road is sending roughly 300 kilobits.
If someone starts to pull a lot of streams, I’m worried the 3850 will be sending a lot of useless packets to some machines and causing problems (which has happened before).
Is there something I can do on the 3850 to figure out why this is happening?
Thanks
01-20-2014 10:11 AM
Hi,
Where's your cacti and the machine with sniffing software? Are they the same machine?
Could these be unknown unicast packets you're seeing (is the sniffing interface in promiscuous mode?)
Regards
Alain
Don't forget to rate helpful posts.
01-20-2014 11:16 AM
Cacti is running on a VM (whose ESXi host is connected to the 3850). Wireshark is running on a physical machine connected to the same 3850.
I am sniffing in promiscuous mode but I'm confused as to why I see it when connected to the 3850 but not on a machine connected to the 3560 (and a lot less traffic in general on the 3560). The 3560 is connected via layer 2 to the 3850.
In the past when igmp snooping wasn't working properly, a huge storm would cause a problem on some machines so I'm just afraid that the 3850 might be sending traffic on ports which it shouldn't be.
01-23-2014 04:34 AM
Trying to troubleshoot this issue and it seems like my problem might be related to the ARP table.
On the 3850:
sh mac add count:
Mac Entries for Vlan 50:
---------------------------
Dynamic Address Count : 785
Static Address Count : 1
Total Mac Addresses : 786
sh arp summary
Interface Entry Count
Vlan50 1434
I configured a spare switch with the same basic config (it's not a 3850 though), adjusted the VLAN IPs to avoid a conflict and have 1 laptop connected so I can run wireshark.
For this other switch, sh mac add count gives:
Mac Entries for Vlan 50:
---------------------------
Dynamic Address Count : 936
Static Address Count : 0
Total Mac Addresses : 936
sh arp summary gives me:
Interface Entry Count
Vlan50 9
Neither switch is set as the gateway for any device.
On my 3850 which is spamming ports, I have twice as many arp entries as mac addresses. If I check entries from the arp table vs. the mac table, not all items from the arp table are in the mac table.
On this test switch I set up, it's the total opposite. It's picking up almost no arp entries but learns about a ton of mac addresses it sees on the trunk to the core. Checking the stats on the port where the laptop is connected shows maybe half a megabit traffic.
I'm not quite sure where to go next in my troubleshooting. Any suggestions?
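The ARP-versus-MAC-table comparison described in the post above can be scripted; this is an added example, not part of the original thread. It assumes the usual column layout of `show ip arp` and `show mac address-table`, uses constructed sample output, and its function names are hypothetical. A switch floods frames whose destination MAC is missing from its MAC table, so the entries it lists are the flooding candidates.

```python
import re

# Constructed sample output in the usual IOS column layout (not from the thread).
SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.50.10             12   0011.2233.4455  ARPA   Vlan50
Internet  10.0.50.11            201   0011.2233.4466  ARPA   Vlan50
Internet  10.0.50.12              0   Incomplete      ARPA
Internet  10.0.50.1               -   aabb.cc00.0100  ARPA   Vlan50
Internet  10.0.60.5               3   0011.2233.9999  ARPA   Vlan60
"""
SHOW_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  50    0011.2233.4455    DYNAMIC     Gi1/0/1
  50    aabb.cc00.0100    STATIC      Vl50
  60    0011.2233.9999    DYNAMIC     Te1/1/1
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
ARP_RE = re.compile(rf"^Internet\s+(\S+)\s+(\S+)\s+({MAC})\s+ARPA\s+Vlan(\d+)\s*$", re.I)
MAC_RE = re.compile(rf"^\s*(\d+)\s+({MAC})\s+(\S+)\s+(\S+)\s*$", re.I)

def parse_arp(text):
    """Yield (vlan, ip, mac, age) for resolved entries; skips Incomplete rows."""
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            ip, age, mac, vlan = m.groups()
            yield int(vlan), ip, mac.lower(), age

def parse_mac_table(text):
    """Return the set of (vlan, mac) pairs the switch currently knows."""
    return {(int(m.group(1)), m.group(2).lower())
            for m in map(MAC_RE.match, text.splitlines()) if m}

def arp_without_mac(arp_text, mac_text, vlan=None):
    """ARP entries whose MAC is absent from the MAC table for the same VLAN.
    Frames sent to these MACs would be flooded as unknown unicast."""
    known = parse_mac_table(mac_text)
    return [(v, ip, mac, age) for v, ip, mac, age in parse_arp(arp_text)
            if (vlan is None or v == vlan) and (v, mac) not in known]

if __name__ == "__main__":
    for v, ip, mac, age in arp_without_mac(SHOW_IP_ARP, SHOW_MAC_TABLE, vlan=50):
        print(f"Vlan{v} {ip} {mac} age={age} min: no MAC table entry")
```

Pasting the real command output into the two strings gives the list of hosts to look for in the packet capture.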