04-16-2010 09:34 AM - edited 03-06-2019 10:39 AM
We have 3 Catalyst 2950-48 switches and each is acting more as a hub than a switch (all traffic can be seen on all ports). My familiarity with this usually indicates that the mac table is full and therefore the switch is dropping back into "hub" mode to ensure delivery of the packets. However, the most MAC addresses I've seen in the switch tables are 97. There are entries for the src and dst MACs in question within these tables so these switches know these addresses.
As an example, please reference the attached image file. A firewall is logging syslog data to a host on switch A (sw-a). It is from a 192.168.102.x address to a 192.168.101.x address. A host on switch B (sw-b) sees this traffic. This host is in the 192.168.101.x network and is on an access-mode switch port. The switch port that the host is connected to is not configured to monitor.
04-16-2010 05:28 PM
Why is the router connected like this? Shouldn't it be like this:
Firewall -- Router -- Switch
04-19-2010 06:44 AM
The diagram provided is a physical diagram and is correct. The router is physically established to route the two networks between the two VLANs. We have multiple firewalls in our network configurations and none of them directly connect to a router. The diagram provided showing the router off to one side is commonly referred to as a "router on a stick." The only thing I can find that may be wrong with the physical configuration is that maybe both interfaces of the router should be physically connected to the same switch. If I am grossly mistaken on the current physical configuration, please enlighten me. I am far from perfect and it is possible for me to be wrong.
04-17-2010 04:49 PM
This may not solve the problem, but why couldn't you add a rule to an ACL that only allows the syslog data to that particular host?
04-19-2010 06:50 AM
Creating an ACL that permits the traffic from host A to host B could be set up. But I don't see how that will help. We did a packet sniff earlier and the data from host A is actually from host A (as provided by the MAC address) and is destined for host B (as provided by the MAC address). The example I provided (and I'm sorry I wasn't more clear earlier) was primarily about a firewall logging to a syslog server. This "broadcast" of data is persistent between other hosts on the network as well. I can see where your suggestion about only permitting syslog data to a specific host by using an ACL might work, but this won't fix the other "broadcast-type" traffic.
04-19-2010 07:07 AM
Hi Daniel,
As per the diagram attached, what I understand is that when a host connected to sw-a wants to reach a host connected to sw-b, it won't go to the router, as both switches are connected via access ports in each VLAN.
Can you please brief what exactly is the issue you are facing, because I am unable to understand the issue in your previous post.
Hope to Help !!
Ganesh.H
04-19-2010 07:20 AM
Hello Ganesh,
I apologize for not being more clear. My mind and fingers do not always work in harmony.
Here is an example. A host (in this instance a firewall) that is connected to switch A is trying to send syslog data to a host that is also on switch A. The firewall is in the 192.168.102.0/24 network and the syslog server is in the 192.168.101.0/24 network. The Cat 2950 won't route between the two networks (hence the router attached to the switch). The physical routing is something like...
Host A (Firewall) transmits data to Host B (syslog server).
1. The data passes through switch A.
2. Since it is destined for an address in the 192.168.101.0/24 network, the switch passes the data to router A (interface F0/1).
3. The router routes the data out of interface F0/0 to switch B.
4. Switch B has host B's MAC address in its address table and forwards the packet back to switch A (and to every other port on switch B).
5. Switch A then forwards the packet to the syslog server (and to every other port on switch A).
This is just one example. This "broadcast" of data also happens between hosts within the same network and connected to the same switch.
I thought that moving the F0/0 connection from Switch B to Switch A might correct the problem but don't see how it would affect the problem of hosts in the same network on the same switch broadcasting to all ports.
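One way to check this from the host side, added here as an example and not code from the thread: capture on the access port, classify every frame by its destination MAC, and cross-check each flooded unicast destination against the `show mac-address-table dynamic` output of each switch. The capture, the MAC addresses, the switch names sw-a/sw-b and the table output below are all constructed for the example; the router's F0/0 MAC appears as the source of the syslog frame because the router rewrites the Ethernet header after routing.

```python
"""Spot flooded unicast on an access port and check the switches' MAC tables.

Added example, not from the thread. The capture, MAC addresses and
`show mac-address-table dynamic` output are constructed.
"""
import re
from collections import namedtuple

Frame = namedtuple("Frame", "src_mac dst_mac src_ip dst_ip")

BROADCAST = "ffff.ffff.ffff"
HOST_MAC = "0011.2233.4455"   # NIC of the capturing host on sw-b (constructed)

# Constructed capture taken on an access port of sw-b in VLAN 101.
# Frame 4 is the firewall's syslog, already routed, so its source MAC
# is the router's F0/0 interface and its destination is the syslog server.
CAPTURE = [
    Frame("0016.c8aa.0101", BROADCAST, "192.168.101.1", "192.168.101.255"),
    Frame("0016.c8aa.0102", "0100.5e00.0001", "192.168.101.50", "224.0.0.1"),
    Frame("001d.4567.89ab", HOST_MAC, "192.168.101.20", "192.168.101.77"),
    Frame("c001.0a00.0001", "0019.5599.ee01", "192.168.102.10", "192.168.101.5"),
    Frame("0016.c8aa.0103", "0016.c8aa.0104", "192.168.101.30", "192.168.101.31"),
]

# Constructed `show mac-address-table dynamic` output from each switch.
SW_A_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 101    0019.5599.ee01    DYNAMIC     Fa0/12
 101    0016.c8aa.0103    DYNAMIC     Fa0/48
 102    c001.0a00.0002    DYNAMIC     Fa0/47
Total Mac Addresses for this criterion: 3
"""
SW_B_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 101    c001.0a00.0001    DYNAMIC     Fa0/1
 101    0016.c8aa.0104    DYNAMIC     Fa0/48
 101    0011.2233.4455    DYNAMIC     Fa0/7
"""

MAC_ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$", re.I)


def parse_mac_table(text):
    """Return {mac: (vlan, port)} from IOS `show mac-address-table` output."""
    table = {}
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            vlan, mac, _type, port = m.groups()
            table[mac.lower()] = (int(vlan), port)
    return table


def classify(frame, host_mac):
    """Broadcast and multicast are expected on every port; a unicast frame
    addressed to another station should never reach this host's port."""
    dst = frame.dst_mac.lower()
    if dst == BROADCAST:
        return "broadcast"
    if int(dst[:2], 16) & 1:          # I/G bit set: group address
        return "multicast"
    if dst == host_mac.lower():
        return "unicast-to-host"
    return "flooded-unicast"


def flooded_frames(capture, host_mac):
    return [f for f in capture if classify(f, host_mac) == "flooded-unicast"]


def diagnose(capture, host_mac, tables):
    """For each flooded destination MAC, the port each switch has learned it on
    (None = not in that switch's table, so it floods the MAC as unknown unicast)."""
    report = {}
    for f in flooded_frames(capture, host_mac):
        dst = f.dst_mac.lower()
        report[dst] = {name: tbl.get(dst, (None, None))[1] for name, tbl in tables.items()}
    return report


def explain(report, capture_switch):
    """One line per flooded MAC, read from the point of view of the capturing switch."""
    lines = []
    for mac, where in report.items():
        port = where.get(capture_switch)
        if port is None:
            lines.append(f"{mac}: not in {capture_switch}'s table -> unknown-unicast flooding "
                         "(entry aged out or never learned on this switch)")
        else:
            lines.append(f"{mac}: {capture_switch} has it on {port} yet delivered it to another "
                         "port -> not a learning problem; check SPAN/monitor and the port config")
    return lines


if __name__ == "__main__":
    tables = {"sw-a": parse_mac_table(SW_A_TABLE), "sw-b": parse_mac_table(SW_B_TABLE)}
    for f in CAPTURE:
        print(f"{f.src_ip:>15} -> {f.dst_ip:<15} {f.dst_mac}  {classify(f, HOST_MAC)}")
    for line in explain(diagnose(CAPTURE, HOST_MAC, tables), "sw-b"):
        print(line)
```

Run it on a real capture by filling CAPTURE from tcpdump or Wireshark on the affected host and pasting each switch's table into the string constants. Two outcomes matter: a destination MAC missing from the capturing switch's table means that switch is flooding unknown unicast for it, which with a split router-on-a-stick path can happen when one switch only ever sees one direction of a conversation and the entry ages out; a destination MAC present in the table, yet still delivered to your port, is not a learning problem and the port and SPAN configuration are the next things to verify.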
04-19-2010 08:39 AM
Good explanation of the problem and of what you are expecting. My view would be
04-19-2010 09:30 AM
I ran the debug logging earlier on the switch (switch A) and got nothing (see below) from a trace from the firewall to the syslog host.
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns)
Console logging: disabled
Monitor logging: level warnings, 0 messages logged
Buffer logging: level debugging, 430 messages logged
Exception Logging: size (4096 bytes)
File logging: disabled
Trap logging: level debugging, 1421 message lines logged
Log Buffer (4096 bytes):
001421: *April 19 08:21:12: %SYS-CLUSTER_MEMBER_1-5-CONFIG_I: Configured from console by
001422: *April 19 08:22:15: %SYS-CLUSTER_MEMBER_1-5-CONFIG_I: Configured from console by
I plan to move the line in the router (F0/0) from switch B to switch A in the morning (so I appreciate your advice and concurrence on this one).
The mac-address-table aging-time is set to 14400 (default, as you know, is 300). Right now the table has 144 addresses in it (far from the maximum).
I also plan to put the router in debug mode. However, because of current use I'll have to wait to do so in the morning (after I move the patch cable).