How to stop flooding

Erik Molenaar
Level 1

Hi all

In our 3-layered Cisco campus network we have several VTP domains. One of them has several 2960 access layer switches in stacks, a distribution layer (2x 3550 with L2 interconnects and HSRP) to form the L2/L3 boundary, and both have their own uplink to their own core switch (6500s - only L3).

Last week I found out that an LRE device - also in the access layer of this VTP domain - was suffering from traffic being flooded onto the access layer. While sniffing, it appeared to be caused by a stream of traffic from outside the VTP domain towards a machine within the VTP domain. Not very much, but enough to kill the LRE line.

I looked in the distribution layer and on one of the 3550s I missed the MAC entry for the user's PC in the VTP domain. Pinging the PC solved the problem - the MAC table got populated with the right MAC address and that stopped the flooding.

In order to prevent this from happening again I also increased the MAC aging timer to 14400 seconds - making it equal to the ARP timeout value, as I found in a Cisco document.

Now I find this happening again. The MAC address of the PC is only in one 3550 and traffic is flooded into the VTP domain again.

Has anyone seen this before? Could this have something to do with asymmetric routing paths from the distribution layer to and from the core?

And what can be done to stop it? Apart from making static ARP entries in the distribution layer...

Erik
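To check the condition Erik describes (a host present in a 3550's ARP cache but absent from its MAC address table, so routed traffic toward it is flooded), here is an added example that is not part of the thread or any Cisco tool. It parses `show mac address-table` and `show ip arp` output and lists every ARP entry whose MAC has no CAM entry in the same VLAN. The switch outputs, addresses and MACs below are constructed samples, not captures from the poster's network.

```python
# Added example (not from the thread): find hosts that this distribution switch
# will flood toward, i.e. ARP entry present, CAM entry missing in that VLAN.
import re

# Constructed sample output of `show mac address-table` on the switch that
# carries only the return path (the PC's MAC, 0011.2233.4455, is not learned).
SW2_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
  10    000a.b1c2.d3e4    DYNAMIC     Po1
  10    0012.3456.789a    STATIC      CPU
Total Mac Addresses for this criterion: 3
"""

# Constructed sample output of `show ip arp` on the same switch.
SW2_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.10.1               -   0012.3456.789a  ARPA   Vlan10
Internet  10.1.10.50             12   0011.2233.4455  ARPA   Vlan10
Internet  10.1.10.60              3   000a.b1c2.d3e4  ARPA   Vlan10
"""

CISCO_MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
MAC_LINE = re.compile(r"^\s*(\d+)\s+" + CISCO_MAC + r"\s+(\S+)\s+(\S+)", re.I)
ARP_LINE = re.compile(r"^Internet\s+(\S+)\s+(\S+)\s+" + CISCO_MAC
                      + r"\s+ARPA\s+Vlan(\d+)", re.I)


def parse_mac_table(text):
    """Return {(vlan, mac): port} for every dynamic or static CAM entry."""
    table = {}
    for line in text.splitlines():
        m = MAC_LINE.match(line)
        if m:
            vlan, mac, _entry_type, port = m.groups()
            table[(int(vlan), mac.lower())] = port
    return table


def parse_arp(text):
    """Return {ip: (mac, vlan)}; entries with age '-' are the switch's own SVIs."""
    entries = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m and m.group(2) != "-":
            ip, _age, mac, vlan = m.groups()
            entries[ip] = (mac.lower(), int(vlan))
    return entries


def flood_candidates(mac_table_text, arp_text):
    """IPs the switch knows at L3 but cannot forward to at L2 without flooding."""
    cam = parse_mac_table(mac_table_text)
    arp = parse_arp(arp_text)
    return sorted(ip for ip, (mac, vlan) in arp.items() if (vlan, mac) not in cam)


if __name__ == "__main__":
    for ip in flood_candidates(SW2_MAC_TABLE, SW2_ARP):
        mac, vlan = parse_arp(SW2_ARP)[ip]
        print(f"flooding candidate: {ip} ({mac}) in VLAN {vlan}")
```

Run it against the saved output of both 3550s; a host that appears only on the switch carrying the return path is the one whose traffic hits the LRE link. Comparing the two lists after a topology change is a quick way to tell a timer problem (entries age out together) from a CAM flush (entries vanish on one switch only).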

8 Replies

andrew.prince
Level 10

Since you have many VTP domains - enable VTP pruning.

HTH

Hi,

If this is unknown unicast MAC flooding you're experiencing, it means your VTP domains are in the same broadcast domain and that's why this flood traverses your VTP domain, so this is normal behaviour.

You could define different broadcast domains to restrict range of flooding.

If you use VTP pruning you must issue the command on each VTP server in each domain, but if you have only one VLAN then doing this will defeat the normal behaviour of the switch and you may encounter further communication problems.

Regards.

Alain.

Don't forget to rate helpful posts.

In that case - he should enable storm control on the uplinks to limit the amount of broadcasts @ pps or link bandwidth.

Thanks! Sorry but to my understanding a broadcast domain is a logical division of a computer network, in which all nodes can reach each other by broadcast at the data link layer. A broadcast domain can be within the same LAN segment or it can be bridged to other LAN segments. That is, a Layer 2 network.

Since my L2 network terminates at a routing interface (ie. the vlan interface) of my distribution switch, the different VTP domains cannot be part of the same broadcast domain. And the switches involved can - by design - only be part of one VTP domain. Furthermore the VTP domains in my network are separated by a layer 3 core.

The only reason why my distribution switch is flooding is because there is no entry in the MAC database. As soon as an ARP request has passed and the MAC address is known, unicast flooding stops.

VTP pruning wouldn't solve it because the VLAN that is involved in flooding stretches past the LRE link.

I would rather solve the source of the problem, the fact that one of the distribution switches is not aware of, or forgets about the MAC address of the PC in the VTP domain.

Erik

Which link is blocking between your 2960s and the 3550s? Is it one of the uplinks or the interconnect? Traffic going from the PC to the core will go via the HSRP active switch and this switch should have the MAC of the PC. If the return traffic from the core comes via the other 3550 switch then, because it is routed from the core to the 3550 switch, it will come in on a different L3 interface, so the 3550 should then ARP out for the PC MAC and see it as reachable via the L2 interconnect (assuming the interconnect is forwarding).

You are correct in what you say about VTP domains; not relevant here, as they are separated by the L3 core.

Jon
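Jon's description of the asymmetric path, and Erik's earlier step of raising the MAC aging timer to the ARP timeout, can be played through with a small timer model. This is an added example, not code from the thread or from Cisco: it models only the distribution switch that carries the return path, with the host's own frames always going to the other (HSRP active) switch, so this switch relearns the MAC only through its own ARP exchange. The host address, MAC, port name and the optional topology-change flush (which stands in for the STP inconsistencies Erik mentions later) are assumptions of the model.

```python
# Added example (not from the thread): a timer model of unknown-unicast
# flooding on the distribution switch that sees only the routed return path.
from dataclasses import dataclass, field

HOST_IP = "10.1.10.50"          # constructed sample host
HOST_MAC = "0011.2233.4455"     # constructed sample MAC
HOSTS = {HOST_IP: HOST_MAC}     # who answers ARP on the VLAN (constructed)
INTERCONNECT = "Po1"            # assumed name of the L2 link between the 3550s

MAC_AGING_DEFAULT = 300         # IOS default CAM aging, seconds
ARP_TIMEOUT_DEFAULT = 14400     # IOS default ARP timeout, seconds


@dataclass
class DistSwitch:
    """The 3550 on the return path only, never the HSRP active one."""
    name: str
    mac_aging: int
    arp_timeout: int
    cam: dict = field(default_factory=dict)   # mac -> (port, learned_at)
    arp: dict = field(default_factory=dict)   # ip  -> (mac, learned_at)

    def expire(self, now):
        """Age out CAM and ARP entries independently, as the switch does."""
        self.cam = {m: (p, t) for m, (p, t) in self.cam.items()
                    if now - t < self.mac_aging}
        self.arp = {i: (m, t) for i, (m, t) in self.arp.items()
                    if now - t < self.arp_timeout}

    def flush_cam(self):
        """Model a spanning-tree topology change clearing dynamic CAM entries."""
        self.cam.clear()

    def route_to_host(self, ip, now):
        """Deliver one routed packet; return 'arp', 'unicast' or 'flood'."""
        self.expire(now)
        if ip not in self.arp:
            # No ARP entry: the switch ARPs, the reply comes back over the
            # interconnect and refreshes both the ARP and the CAM entry.
            self.arp[ip] = (HOSTS[ip], now)
            self.cam[HOSTS[ip]] = (INTERCONNECT, now)
            return "arp"
        mac, _ = self.arp[ip]
        if mac in self.cam:
            return "unicast"
        # ARP entry still valid but CAM entry gone: unknown unicast is flooded
        # to every port in the VLAN and nothing triggers a new ARP. The host's
        # replies go to the HSRP active switch, so this one never relearns it.
        return "flood"


def simulate(mac_aging, arp_timeout, duration=3600, interval=60, tcn_times=()):
    """Count how each routed packet toward the host is handled over `duration` s."""
    sw = DistSwitch("3550-2", mac_aging, arp_timeout)
    counts = {"arp": 0, "unicast": 0, "flood": 0}
    for now in range(0, duration + 1, interval):
        if now in tcn_times:
            sw.flush_cam()
        counts[sw.route_to_host(HOST_IP, now)] += 1
    return counts


if __name__ == "__main__":
    print("IOS defaults          :", simulate(MAC_AGING_DEFAULT, ARP_TIMEOUT_DEFAULT))
    print("aging = ARP timeout   :", simulate(14400, 14400))
    print("equal timers, TCN@600 :", simulate(14400, 14400, tcn_times=(600,)))
```

With the IOS defaults the CAM entry dies after 300 seconds while the ARP entry lives on for four hours, so every later packet is flooded. Making the two timers equal removes that window, but a topology change that flushes the CAM table reopens it until the ARP entry expires, which is the case the equal timers cannot cover and why the STP state of the access layer matters here.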

I got the wrong end of the stick - totally misunderstood what was happening, but have you read this

http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00801d0808.shtml

???

No problem guys. I feel honoured getting your answers! It was probably due to my description of the problem.

Jon, you say "the 3550 should then arp out for the PC mac", but I don't see this happening. Only after I issue a PING from the 3550 to the PC does it ARP and all is OK. The MAC address of the PC is found behind the port channel that forms the interconnect to the other 3550.

Both 3550s are running MST, instance 1 for VLANs 1 - 49 and instance 2 for VLANs 50 - 100. (We don't have that many - it's just yet another range.)

Switch 3550-1 is root bridge for MST1 - and - switch 3550-2 is root bridge for MST2.

VLANs 1 - 49 are HSRP active on 3550-1 - and - VLANs 50 - 100 are HSRP active on 3550-2 (shouldn't that better be the other way around?)

I noticed some switch misconfiguration in the access layer that should first be addressed (some MST / PVST inconsistency and pre-standard BPDUs). I think I'd better deal with that first before going on troubleshooting this.

Erik

Hi,

You're right, this unknown unicast flooding is in your VTP domain; I misunderstood the problem.

Regards.

Alain.

Don't forget to rate helpful posts.