Catalyst 2950 Acting As A Hub

parnelld
Level 1

We have 3 Catalyst 2950-48 switches and each is acting more as a hub than a switch (all traffic can be seen on all ports).  My familiarity with this usually indicates that the mac table is full and therefore the switch is dropping back into "hub" mode to ensure delivery of the packets.  However, the most MAC addresses I've seen in the switch tables are 97.  There are entries for the src and dst MACs in question within these tables so these switches know these addresses.

As an example, please reference the attached image file.  A firewall is logging syslog data to a host in switch A (sw-a).  It is from a 192.168.102.x address to a 192.168.101.x address.  A host on switch B (sw-b) sees this traffic.  This host is in the 192.168.101.x network and is in an access mode switch port.  The switch port that the host is connected to is not configured to monitor.

8 Replies

Leo Laohoo
Hall of Fame

Why is the router connected like this?  Shouldn't it be like this:

Firewall -- Router -- Switch

The diagram provided is a physical diagram and is correct.  The router is physically established to route the two networks between the two VLANs.  We have multiple firewalls in our network configurations and none of them directly connect to a router.  The diagram provided showing the router off to one side is commonly referred to as a "router on a stick."  The only thing I can find that may be wrong with the physical configuration is that maybe both interfaces of the router should be physically connected to the same switch.  If I am grossly mistaken on the current physical configuration, please enlighten me.  I am far from perfect and it is possible for me to be wrong.

jjalexander401
Level 1

This may not solve the problem, but why couldn't you add a rule to an ACL that only allows the syslog data to that particular host?

Creating an ACL that permits the traffic from host A to host B could be set up.  But I don't see how that will help.  We did a packet sniff earlier and the data from host A is actually from host A (as provided by the MAC address) and is destined for host B (as provided by the MAC address).  The example I provided (and I'm sorry I wasn't more clear earlier) was primarily about a firewall logging to a syslog server.  This "broadcast" of data is persistent between other hosts on the network as well.  I can see where your suggestion about only permitting syslog data to a specific host by using an ACL might work, but this won't fix the other "broadcast-type" traffic.

Ganesh Hariharan
VIP Alumni

Hi Daniel,

As per the diagram attached, what I understand is that when a host connected to sw-a wants to reach a host connected to sw-b, it won't go to the router, as both switches are connected via access ports on each VLAN.

Can you please brief what exactly is the issue you are facing, because I am unable to understand the issue in your previous post.

Hope to Help !!

Ganesh.H

Hello Ganesh,

I apologize for not being more clear.  My mind and fingers do not always work in harmony.

Here is an example...A host (in this instance a firewall) that is connected to switch A is trying to send syslog data to a host that is also in switch A.  The firewall is in the 192.168.102.0/24 network and the syslog is in the 192.168.101.0/24 network.  The Cat 2950 won't route between the two networks (hence why there is a router attached to the switch).  The physical routing is something like...

Host A (Firewall) transmits data to Host B (syslog server).

1.  The data passes through switch A.

2.  Since it is destined for an address in the 192.168.101.0/24 network, the switch passes the data to router A (interface F0/1).

3.  The router routes the data out of interface F0/0 to switch B.

4.  Switch B has host B's MAC address in its address table and forwards the packet back to switch A (and to every other port on switch B).

5.  Switch A then forwards the packet to the syslog server (and to every other port on switch A).

This is just one example.  This "broadcast" of data also happens between hosts within the same network and connected to the same switch.

I thought that moving the F0/0 connection from Switch B to Switch A might correct the problem but don't see how it would affect the problem of hosts in the same network on the same switch broadcasting to all ports.
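The symptom described in the steps above (a frame addressed to the syslog server's MAC arriving on an unrelated access port) can be confirmed from an end host without touching the switches. The following script is an added example and is not part of this thread or of any Cisco tool: it reads `tcpdump -e`-style lines captured on one host's interface, separates frames addressed to that host, broadcast and multicast from unicast frames addressed to some other station ("flooded"), and reports which source/destination pairs are leaking onto the port. The capture lines, MAC addresses and the 5 % "hub-like" threshold are all constructed assumptions for the example.

```python
import re
from collections import Counter

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Matches the "src > dst" MAC pair at the start of a `tcpdump -e` line and
# tolerates the "(oui ...)" annotation tcpdump adds when run without -n.
# The line format is an assumption about tcpdump output, not from the thread.
_FRAME_RE = re.compile(
    r"^\S+\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})(?:\s\(oui[^)]*\))?"
    r"\s>\s([0-9a-f]{2}(?::[0-9a-f]{2}){5})",
    re.IGNORECASE,
)

# Constructed sample capture as seen on a host on sw-b whose own MAC is
# OWN_MAC. The first three frames are the firewall -> syslog server flow
# from the thread; the fourth is a same-subnet host-to-host flow; the rest
# are broadcast, multicast and traffic actually addressed to this host.
OWN_MAC = "00:de:ad:be:ef:01"
SAMPLE_CAPTURE = """\
08:21:12.100000 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 98: 192.168.102.10.40000 > 192.168.101.20.514: UDP, length 56
08:21:12.200000 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 98: 192.168.102.10.40000 > 192.168.101.20.514: UDP, length 56
08:21:12.300000 00:11:22:33:44:55 (oui Unknown) > 00:aa:bb:cc:dd:ee (oui Unknown), ethertype IPv4 (0x0800), length 98: 192.168.102.10.40000 > 192.168.101.20.514: UDP, length 56
08:21:12.400000 00:0c:29:aa:bb:cc > 00:0c:29:dd:ee:ff, ethertype IPv4 (0x0800), length 74: 192.168.101.50.22 > 192.168.101.51.51000: Flags [P.], length 20
08:21:12.500000 00:0c:29:10:20:30 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.101.1 tell 192.168.101.33, length 46
08:21:12.600000 00:0c:29:10:20:30 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 90: 192.168.101.33.5353 > 224.0.0.251.5353: UDP, length 48
08:21:12.700000 00:0c:29:10:20:30 > 00:de:ad:be:ef:01, ethertype IPv4 (0x0800), length 74: 192.168.101.33.22 > 192.168.101.40.51000: Flags [P.], length 20
"""


def parse_capture(text):
    """Return a list of (src_mac, dst_mac) for every line that looks like a frame."""
    frames = []
    for line in text.splitlines():
        m = _FRAME_RE.match(line)
        if m:
            frames.append((m.group(1).lower(), m.group(2).lower()))
    return frames


def is_multicast(mac):
    """True when the group bit (lowest bit of the first octet) is set."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


def classify_frames(frames, own_mac):
    """Count frames by how they reached this port.

    'flooded' = unicast addressed to a station other than own_mac. On a port
    that is being switched correctly this count should stay near zero; a
    steady stream of them is the hub-like behaviour described in the thread.
    """
    own = own_mac.lower()
    counts = Counter()
    for _src, dst in frames:
        if dst == own:
            counts["own"] += 1
        elif dst == BROADCAST:
            counts["broadcast"] += 1
        elif is_multicast(dst):
            counts["multicast"] += 1
        else:
            counts["flooded"] += 1
    return counts


def flooded_conversations(frames, own_mac):
    """Which (src, dst) unicast pairs leaked onto this port, with frame counts."""
    own = own_mac.lower()
    return Counter(
        (src, dst) for src, dst in frames
        if dst != own and dst != BROADCAST and not is_multicast(dst)
    )


def looks_like_hub(counts, threshold=0.05):
    """Flag the port when more than `threshold` of all frames were flooded unicast.

    The 5 % default is an assumption; brief flooding right after a MAC entry
    ages out is normal, a sustained share above that is not.
    """
    total = sum(counts.values())
    return total > 0 and counts["flooded"] / total > threshold


if __name__ == "__main__":
    frames = parse_capture(SAMPLE_CAPTURE)
    counts = classify_frames(frames, OWN_MAC)
    print(dict(counts), "hub-like:", looks_like_hub(counts))
    for (src, dst), n in flooded_conversations(frames, OWN_MAC).most_common():
        print(f"  {src} -> {dst}: {n} frame(s) not meant for this port")
```

Run it against a real capture with something like `tcpdump -e -n -i eth0 not ether dst <own MAC>` saved to a file; any non-broadcast, non-multicast output is by definition flooded unicast. The leaked (src, dst) pairs are the MACs to look up with `show mac address-table address <mac>` on each switch to see on which port, and in which VLAN, the switch currently has them learned.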

Good explanation of the problem with what are you expecting. My view would be

  1. Theoretically there is no change in topology even though you change the router connection to sw-a
  2. I would suggest getting some logging on the switch
  3. Check one sample trace with the debug command on the router. This will give you more detail on how the flow is happening.
  4. Check the refresh rate of the MAC address table. If you suspect it, you can change the default refresh time so that the table on the switches is kept more up to date.

I ran the debug logging earlier on the switch (switch A) and got nothing (see below) from a trace from the firewall to the syslog host.

Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns)
    Console logging: disabled
    Monitor logging: level warnings, 0 messages logged
    Buffer logging: level debugging, 430 messages logged
    Exception Logging: size (4096 bytes)
    File logging: disabled
    Trap logging: level debugging, 1421 message lines logged

Log Buffer (4096 bytes):

001421: *April 19 08:21:12: %SYS-CLUSTER_MEMBER_1-5-CONFIG_I: Configured from console by on vty0 (192.168.101.xxx)
001422: *April 19 08:22:15: %SYS-CLUSTER_MEMBER_1-5-CONFIG_I: Configured from console by on vty0 (192.168.101.xxx)

I plan to move the line in the router (F0/0) from switch B to switch A in the morning (so I appreciate your advice and concurrence on this one).

The mac-address-table aging-time is set to 14400 (default, as you know, is 300).  Right now the table has 144 addresses in it (far from the maximum).

I also plan to put the router in debug mode.  However, because of current use I'll have to wait to do so in the morning (after I move the patch cable).
