12-23-2012 06:14 AM - edited 03-07-2019 10:45 AM
We are experiencing an issue that maybe this forum can shed some light.
Every morning for about 30 minutes my users complain of a network slowdown. We just installed a 6500 Cisco core Switch about two months ago and this is when the issue "started". When I sniffed a port of one of the users, I see a lot of this traffic during that timeframe:
09:20:13.809081 IP6 fe80::d42c:1507:73:5543 > ff0e::e70c:1582: frag (1448|1448)
09:20:13.809207 IP6 fe80::d42c:1507:73:5543 > ff0e::e70c:1582: frag (2896|1448)
09:20:13.809329 IP6 fe80::d42c:1507:73:5543 > ff0e::e70c:1582: frag (4344|1448)
09:20:13.809452 IP6 fe80::d42c:1507:73:5543 > ff0e::e70c:1582: frag (5792|1448)
09:20:13.809576 IP6 fe80::d42c:1507:73:5543 > ff0e::e70c:1582: frag (7240|1448)
09:20:13.809698 IP6 fe80::d42c:1507:73:5543 > ff0e::e70c:1582: frag (8688|1448)
09:20:13.809820 IP6 fe80::d42c:1507:73:5543 > ff0e::e70c:1582: frag (10136|1448)
09:20:13.809944 IP6 fe80::d42c:1507:73:5543 > ff0e::e70c:1582: frag (11584|1448)
09:20:13.810068 IP6 fe80::d42c:1507:73:5543 > ff0e::e70c:1582: frag (13032|1448)
09:20:13.810189 IP6 fe80::d42c:1507:73:5543 > ff0e::e70c:1582: frag (14480|1448)
09:20:13.810312 IP6 fe80::d42c:1507:73:5543 > ff0e::e70c:1582: frag (15928|1448)
09:20:13.810435 IP6 fe80::d42c:1507:73:5543 > ff0e::e70c:1582: frag (17376|1448)
09:20:13.810557 IP6 fe80::d42c:1507:73:5543 > ff0e::e70c:1582: frag (18824|1448)
09:20:13.810680 IP6 fe80::d42c:1507:73:5543 > ff0e::e70c:1582: frag (20272|1448)
09:20:13.810803 IP6 fe80::d42c:1507:73:5543 > ff0e::e70c:1582: frag (21720|1448)
09:20:13.810929 IP6 fe80::d42c:1507:73:5543 > ff0e::e70c:1582: frag (23168|1448)
09:20:13.811051 IP6 fe80::d42c:1507:73:5543 > ff0e::e70c:1582: frag (24616|1448)
09:20:13.811175 IP6 fe80::d42c:1507:73:5543 > ff0e::e70c:1582: frag (26064|1448)
09:20:13.811297 IP6 fe80::d42c:1507:73:5543 > ff0e::e70c:1582: frag (27512|1448)
09:20:13.811419 IP6 fe80::d42c:1507:73:5543 > ff0e::e70c:1582: frag (28960|1448)
09:20:13.811542 IP6 fe80::d42c:1507:73:5543 > ff0e::e70c:1582: frag (30408|1448)
09:20:13.811665 IP6 fe80::d42c:1507:73:5543 > ff0e::e70c:1582: frag (31856|1448)
09:20:13.811788 IP6 fe80::d42c:1507:73:5543 > ff0e::e70c:1582: frag (33304|1448)
09:20:13.811821 IP6 fe80::d42c:1507:73:5543 > ff0e::e70c:1582: frag (34752|659)
I don't know a lot about ipv6 so I wasn't sure exactly what this was - a storm, multicast, etc. Thanks for any help or information.
-J
12-23-2012 08:07 AM
Hi Jennifer,
This indeed appears to be a multicast of some sort - the FF00::/8 prefix is an IPv6 multicast prefix. I do not recognize the multicast address, though. Do you have an option of capturing the traffic via Wireshark and post the capture file here? We could perhaps find out what kind of multicast stream is being sent here.
Best regards,
Peter
12-23-2012 09:07 AM
Yes, I can do that. It's predictable so I can post it after Monday's slowdown. Thank you!
Also, what are your thoughts on on this:
could this help or cause other issues?
12-23-2012 09:19 AM
Hello Jennifer,
Great. I am looking to see the capture - but as Monday is the Christmas Eve, I do not suppose you should be sniffing packets on that day
Regarding the unicast/multicast flood blocking, I do not recommend activating it as of yet. We do not know what could get broken if we blocked this multicast.
Best regards,
Peter
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide