
IPV6 Flood Storm?

cheapcco1
Beginner

We are experiencing an issue that maybe this forum can shed some light on.

Every morning for about 30 minutes my users complain of a network slowdown. We just installed a 6500 Cisco core Switch about two months ago and this is when the issue "started". When I sniffed a port of one of the users, I saw a lot of this traffic during that timeframe:

09:20:13.809081 IP6 fe80::d42c:1507:73:5543 > ff0e::e70c:1582: frag (1448|1448)
09:20:13.809207 IP6 fe80::d42c:1507:73:5543 > ff0e::e70c:1582: frag (2896|1448)
09:20:13.809329 IP6 fe80::d42c:1507:73:5543 > ff0e::e70c:1582: frag (4344|1448)
09:20:13.809452 IP6 fe80::d42c:1507:73:5543 > ff0e::e70c:1582: frag (5792|1448)
09:20:13.809576 IP6 fe80::d42c:1507:73:5543 > ff0e::e70c:1582: frag (7240|1448)
09:20:13.809698 IP6 fe80::d42c:1507:73:5543 > ff0e::e70c:1582: frag (8688|1448)
09:20:13.809820 IP6 fe80::d42c:1507:73:5543 > ff0e::e70c:1582: frag (10136|1448)
09:20:13.809944 IP6 fe80::d42c:1507:73:5543 > ff0e::e70c:1582: frag (11584|1448)
09:20:13.810068 IP6 fe80::d42c:1507:73:5543 > ff0e::e70c:1582: frag (13032|1448)
09:20:13.810189 IP6 fe80::d42c:1507:73:5543 > ff0e::e70c:1582: frag (14480|1448)
09:20:13.810312 IP6 fe80::d42c:1507:73:5543 > ff0e::e70c:1582: frag (15928|1448)
09:20:13.810435 IP6 fe80::d42c:1507:73:5543 > ff0e::e70c:1582: frag (17376|1448)
09:20:13.810557 IP6 fe80::d42c:1507:73:5543 > ff0e::e70c:1582: frag (18824|1448)
09:20:13.810680 IP6 fe80::d42c:1507:73:5543 > ff0e::e70c:1582: frag (20272|1448)
09:20:13.810803 IP6 fe80::d42c:1507:73:5543 > ff0e::e70c:1582: frag (21720|1448)
09:20:13.810929 IP6 fe80::d42c:1507:73:5543 > ff0e::e70c:1582: frag (23168|1448)
09:20:13.811051 IP6 fe80::d42c:1507:73:5543 > ff0e::e70c:1582: frag (24616|1448)
09:20:13.811175 IP6 fe80::d42c:1507:73:5543 > ff0e::e70c:1582: frag (26064|1448)
09:20:13.811297 IP6 fe80::d42c:1507:73:5543 > ff0e::e70c:1582: frag (27512|1448)
09:20:13.811419 IP6 fe80::d42c:1507:73:5543 > ff0e::e70c:1582: frag (28960|1448)
09:20:13.811542 IP6 fe80::d42c:1507:73:5543 > ff0e::e70c:1582: frag (30408|1448)
09:20:13.811665 IP6 fe80::d42c:1507:73:5543 > ff0e::e70c:1582: frag (31856|1448)
09:20:13.811788 IP6 fe80::d42c:1507:73:5543 > ff0e::e70c:1582: frag (33304|1448)
09:20:13.811821 IP6 fe80::d42c:1507:73:5543 > ff0e::e70c:1582: frag (34752|659)

I don't know a lot about IPv6, so I wasn't sure exactly what this was - a storm, multicast, etc. Thanks for any help or information.

-J

3 Replies

Peter Paluch
Hall of Fame Cisco Employee

Hi Jennifer,

This indeed appears to be a multicast of some sort - the FF00::/8 prefix is an IPv6 multicast prefix. I do not recognize the multicast address, though. Do you have an option of capturing the traffic via Wireshark and posting the capture file here? We could perhaps find out what kind of multicast stream is being sent here.

Best regards,

Peter

Yes, I can do that. It's predictable so I can post it after Monday's slowdown. Thank you!

Also, what are your thoughts on this:

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/25sg/configuration/guide/uniflood.html

Could this help or cause other issues?

Peter Paluch
Hall of Fame Cisco Employee

Hello Jennifer,

Great. I am looking to see the capture - but as Monday is Christmas Eve, I do not suppose you should be sniffing packets on that day.

Regarding the unicast/multicast flood blocking, I do not recommend activating it as of yet. We do not know what could get broken if we blocked this multicast.

Best regards,

Peter
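As an added example (not code from any poster in this thread), the following Python sketch triages tcpdump text like the capture in the original post: it checks whether the destination falls in the FF00::/8 multicast prefix mentioned in the first reply, decodes the flags and scope nibbles per RFC 4291, and sums the fragment train per flow. The function names and the four-line sample are assumptions made for illustration; the sample lines are copied from the capture above.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: four lines copied from the capture in the original post.
SAMPLE = """\
09:20:13.809081 IP6 fe80::d42c:1507:73:5543 > ff0e::e70c:1582: frag (1448|1448)
09:20:13.809207 IP6 fe80::d42c:1507:73:5543 > ff0e::e70c:1582: frag (2896|1448)
09:20:13.811788 IP6 fe80::d42c:1507:73:5543 > ff0e::e70c:1582: frag (33304|1448)
09:20:13.811821 IP6 fe80::d42c:1507:73:5543 > ff0e::e70c:1582: frag (34752|659)
"""

LINE = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+) IP6 (\S+) > (\S+): frag \((\d+)\|(\d+)\)")
# Scope nibble of an IPv6 multicast address (RFC 4291, section 2.7).
SCOPES = {1: "interface-local", 2: "link-local", 4: "admin-local",
          5: "site-local", 8: "organization-local", 0xE: "global"}

def describe_multicast(addr):
    """Return (flags, scope name) for an IPv6 multicast address, else None."""
    ip = ipaddress.IPv6Address(addr)
    if not ip.is_multicast:          # not inside ff00::/8
        return None
    second = ip.packed[1]            # high nibble = flags, low nibble = scope
    return second >> 4, SCOPES.get(second & 0xF, "reserved/unassigned")

def summarize(text):
    """Group tcpdump 'frag (offset|length)' lines by (src, dst) flow."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            h, mi, s, src, dst, off, length = m.groups()
            ts = int(h) * 3600 + int(mi) * 60 + float(s)
            flows[(src, dst)].append((ts, int(off), int(length)))
    report = {}
    for (src, dst), frags in flows.items():
        last = max(frags, key=lambda f: f[1])    # fragment with highest offset
        times = [f[0] for f in frags]
        report[(src, dst)] = {
            "multicast": describe_multicast(dst),
            "src_link_local": ipaddress.IPv6Address(src).is_link_local,
            "fragments_seen": len(frags),
            "datagram_bytes": last[1] + last[2],  # highest offset + its length
            "span_ms": round((max(times) - min(times)) * 1000, 3),
        }
    return report

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

`datagram_bytes` assumes the highest-offset fragment seen is the final fragment of the datagram.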
