L2 issue in the same VLAN

alhabesha
Level 1

I have the following scenario and problem.

Servers in the same VLAN are interconnected using a Cisco 6509.

IP addresses of the servers: 172.18.1.11, 172.18.1.10, 172.18.1.15, 172.18.1.50. They all run SMPP services. Due to some SMPP connection issue report, I have captured packets on the server (172.18.1.50) for analysis. I have found that other servers' SMPP traffic transactions (like from 172.18.11.15 to 172.18.1.11) also reach this server, which is only supposed to see traffic to or from 172.18.1.50. The source and destination MAC addresses are even those of the other servers (for 172.18.11.15 and 172.18.1.11).

I checked the switch port where the server 172.18.1.50 is connected, and only the MAC address of this server is associated with it. How can the other servers' SMPP transactions reach the NIC of this server? I highly appreciate any comments on this issue.

Thank you in advance.

alhabesha
Level 1

It seems that the 6509 switch is acting like a hub. Any recommendations or comments are welcome.

jimmysands73_2
Level 5

Are the 6509 ports switchports or routed? I am assuming sw ports.

Your post never mentions vlans or subnets, in that case, all broadcast traffic would be seen w/o any additional configuration.

All are switch ports. One of the switch port configuration connected to the server has the following configuration.

    interface GigabitEthernet7/44
     description server_A
     switchport
     switchport access vlan 101
     switchport mode access
    !

The other ports in the same VLAN also have the same configuration.

The issue here is that Server_A can see the unicast traffic between Server_B and Server_C. Server_A is supposed to receive only unicast traffic to Server_A or broadcast traffic in the same VLAN. But it is receiving other traffic in the same VLAN.

thank you for your support.

What you describe seems to be unknown unicast MAC flooding, which happens when a switch does not have the destination MAC in its MAC table.

Check on the 6509 whether, at the time the capture is taken (so you have to redo it if you don't have this info now), the MAC addresses of the IPs you unexpectedly see in the capture are present in the MAC address table of your switch in VLAN 101.

In general the behavior you see is normal, as an NMS station polls a list of hosts (servers in your case) at a given interval. If such IP addresses are not present (or don't answer), their IP addresses are not resolved by ARP into MAC addresses, so all the switches receiving such frames can only flood all the ports of the destination VLAN.

regards,

Riccardo

I took the capture again and the issue is still there. In this problem, the switch knows all MAC addresses of the servers, associated with the ports where they are connected. Server_A is on port Gi7/44, Server_B is on port Gi1/17 and Server_C is on port Gi1/44. In the capture file, Server_A can see traffic between Server_B and Server_C as if they were connected by a hub.

jemal

I can imagine your servers are using multicast MAC addresses, because of clustering for example.

Can you confirm whether you are using some clustering or load balancing, and what the destination MAC addresses are?

By default the switch will broadcast the multicast.

Thank you ohassairi.

The source and destination MAC addresses of the servers are as below, as seen on the server with the MAC address HewlettP_ba:fe:ce (b4:99:ba:ba:fe:ce). I didn't see any multicast address in the captured frames.

Destination: IntelCor_7d:24:7d (00:15:17:7d:24:7d)

Source: Oracle_d7:38:84 (00:14:4f:d7:38:84)

Regards,

Jemal

Hi Jemal,

Can you please look into the MAC address table and find out how the traffic flows between Server_B and Server_C? Look for the complete path. It can span multiple switches as well, so look out for the complete path along with the interface names.

If you see the interface where your Server_A is connected on the transit path, then it is highly possible that you might see the packets flowing between Server_B and Server_C.

The complete flow analysis would help to narrow down the problem better.

just my 2 cents

-Vijay

Actually, servers with two or more interfaces were replying to ARP with the different MAC addresses of their interfaces for a single IP address, even though the interfaces have different IP addresses. A parameter change on the servers to associate a single IP address with a single interface fixed the problem.

Thank you all for your inputs.
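The checks suggested in this thread can be run over a capture in a few lines. The following is an added example, not code from any poster: it flags unicast frames that reach a NIC without being addressed to it, lists destination MACs missing from the switch MAC table, and finds IP addresses answered by more than one MAC in ARP replies. All function names, MAC addresses and IP addresses are constructed; only the port names are taken from the thread.

```python
from collections import defaultdict

def is_group(mac):
    # Broadcast and multicast MACs have the low bit of the first octet set.
    return int(mac.split(":")[0], 16) & 1 == 1

def foreign_unicast(frames, own_mac):
    """Unicast frames seen on this NIC that are neither to nor from it."""
    return [f for f in frames
            if not is_group(f["dst"]) and own_mac not in (f["src"], f["dst"])]

def unknown_destinations(frames, mac_table):
    """Destination MACs with no MAC table entry; the switch floods these."""
    return sorted({f["dst"] for f in frames if f["dst"] not in mac_table})

def arp_conflicts(arp_replies):
    """IP addresses that were answered with more than one MAC address."""
    seen = defaultdict(set)
    for ip, mac in arp_replies:
        seen[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}

# Constructed sample data, not the capture discussed in the thread.
OWN = "02:00:00:00:00:0a"  # NIC of the capturing server (Server_A)
FRAMES = [
    {"src": "02:00:00:00:00:0b", "dst": "02:00:00:00:00:c2"},  # B -> C, second NIC
    {"src": "02:00:00:00:00:0b", "dst": "ff:ff:ff:ff:ff:ff"},  # broadcast, expected
    {"src": "02:00:00:00:00:c1", "dst": OWN},                  # addressed to A, expected
    {"src": "02:00:00:00:00:0b", "dst": "01:00:5e:00:00:01"},  # multicast, expected
]
MAC_TABLE = {OWN: "Gi7/44", "02:00:00:00:00:0b": "Gi1/17",
             "02:00:00:00:00:c1": "Gi1/44"}
ARP_REPLIES = [("192.0.2.11", "02:00:00:00:00:c1"),
               ("192.0.2.11", "02:00:00:00:00:c2"),  # same IP, different MAC
               ("192.0.2.10", "02:00:00:00:00:0b")]

if __name__ == "__main__":
    leaked = foreign_unicast(FRAMES, OWN)
    print("foreign unicast frames:", leaked)
    print("not in MAC table:", unknown_destinations(leaked, MAC_TABLE))
    print("IPs with several MACs:", arp_conflicts(ARP_REPLIES))
```

In practice the frame list and ARP replies would be exported from the capture, and the MAC table from the switch at the time the capture was taken.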

Do you have any SPAN configuration? Look for "monitor session ..." in the config file.

oh.. yes.. SPAN Configuration could also result in getting a copy of every packet..

Thanks for reminding me :-)

-Vijay
