Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
325
Views
0
Helpful
2
Replies

ICMP being broadcast out all switchports

Phil Bradley
Level 4
Level 4

‎12-06-2014 05:00 PM - edited ‎03-10-2019 12:29 PM

I have been analyzing packets with Wireshark and noticed that I occasionally have ICMP replies that are not destined to my switchport. This actually occurs on all switchports so it looks like it is a broadcast. However, the frame destination address is the address of the client that requested it. The only thing I have noticed is that this occurs with ip addresses that are being used as an ip helper. I am using Cisco 3750G with IP base and SVI's. Is this possibly a bug?

Labels:
0 Helpful
2 Replies 2

Richard Burts
Hall of Fame
Hall of Fame

‎12-06-2014 06:25 PM

I do not understand the part of the explanation that says that this occurs with ip addresses that are used as helper-address. Could you clarify (and perhaps include an example)?

 

But I do have a suggestion of how to investigate this issue. Look in the wireshark capture for this packet and get the destination MAC address. Then look in the switch mac address table for that mac address. I suspect that the destination mac address is not in the mac address table. If this is the case then the explanation for your issue is an expected behavior and not a bug. When a switch attempts to forward a frame and the destination mac address is not in the switch mac table then the behavior of the switch is to forward the frame to every port in the vlan (with the exception of the ingress port).

 

HTH

 

Rick

HTH

Rick
0 Helpful

Phil Bradley
Level 4
Level 4
In response to Richard Burts

‎12-06-2014 07:24 PM

Hello Rick. I am seeing the ICMP message destined to this address on all ports multiple times. The mac address is indeed in the cam table and I have room for over 5000 more addresses so this doesn't appear to be an issue due to the cam table being full. I would expect the ICMP to get flooded one time to learn the MAC but no more than once when it has learned the address unless it has aged out or their is no more room in the CAM table.

It probably is coincidence but the source IP address for the ICMP is also a ip helper address in the this VLAN as well for DHCP purposes. 

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card