Solved: L2 isue in the same VLAN

alhabesha · ‎01-01-2012

I have the following scenario and problem.

Servers in the same vlan are inteconnected using cisco 6509.

IP address of the servers; 172.18.1.11, 172.18.1.10, 172.18.1.15, 172.18.1.50. They all run smpp services..Due to some smpp connection isue report, I have captured packets on the server (172.18.1.50) for analysis. I have found that other servers smpp traffic transaction(like from 172.18.11.15 to 172.18.1.11) also reach on this server which is only supposed to see traffic to or from 172.18.1.50. Source and destination MAC address are even for the other servers (for 172.18.11.15 and 172.18.1.11)

I checked on the switch port where the server 172.18.1.50 is connected and only MAC address of this server is associated. how the other servers smpp transactions can reach on the NIC of this server? I highly appreciate any comments on this issues.

Thank you in advance.

ohassairi · ‎01-01-2012

jemal

i can imagine your servers are using multicast MAC addresses because of clustering for example.

can you confirm if you are using some clustering or loadbalancing....and what are the MAc address destination.

by default the switch will broadcast the multicast

View solution in original post

viswamin · ‎01-01-2012

Hi Jemal,

Can you please look into the Mac address table and find out how the traffic flows between Server_B and server_C. Look for the complete path. it can span across multiple switches as well. so look out for the complete path along with their interface names.

In case if you see the interface where your Server_A is connected , on the transit path, then it is highly possible that you might see the packet flowing between Server_B and server_C.

The complete flow analysis would help to narrow down the problem better.

just my 2 cents

-Vijay

View solution in original post

alhabesha · ‎01-01-2012

it seems that 6509 switch is acting like hub. Any recomendation or comments is so well come.

jimmysands73_2 · ‎01-01-2012

Are the 6509 ports switchports or routed? A am assuming sw ports.

Your post never mentions vlans or subnets, in that case, all broadcast traffic would be seen w/o any additional configuration.

alhabesha · ‎01-01-2012

All are switch ports. One of the switch port configuration connected to the server has the following configuration.

interface GigabitEthernet7/44

description server_A

switchport

switchport access vlan 101

switchport mode access

!

The other ports in the same VLAN has also the same configuration.

The isue here is Server_A can see the unicast traffic between Server_B and Server_C. Server_A is supposed to recieve only either Unicast traffic to Server_A or broadcast traffic in the same VLAN. But it is recieving othe traffic in the same vlan.

thank you for your support.

rsimoni · ‎01-01-2012

what you describe seems to be unkown unicast mac flooding which happens when a switch does not have in its mac table the destination mac.

check on the 6509 if, at the time the capture is taken (so you have to redo it if you don't have this info now), the mac addresses of the IP's you unexpectedly see in the capture are present in mac address table of your switch in vlan101.

In general the behavior you see is normal as a NMS station polls a list of hosts (servers in your case) at given interval. If such IP addresses are not present (or don't answer) their IP addresses are not resolved by ARP in mac addresses, so all the switches receiving such frames can only flood all the ports of the destination vlan.

regards,

Riccardo

alhabesha · ‎01-01-2012

I took the capture again and still the isue is there. In this problem, the switch know all MAC address of the servers and associated to the ports where they are connected. Server_A is on port GI7/44, Server_B is on port Gi1/17 and Server_C is on port Gi1/44. On the capture file, Server_A can see traffic between Server_B and Server_C like they are connected by HUB.

ohassairi · ‎01-01-2012

jemal

i can imagine your servers are using multicast MAC addresses because of clustering for example.

can you confirm if you are using some clustering or loadbalancing....and what are the MAc address destination.

by default the switch will broadcast the multicast

ohassairi · ‎01-01-2012

i can imagine your servers are using multicast MAC addresses because of clustering for example.

can you confirm if you are using some clustering or loadbalancing....and what are the MAc address destination.

by default the switch will broadcast the multicast

alhabesha · ‎01-01-2012

Thank you ohassairi.

Source and destination MAC address of the servers are as below which is seen on the server with MAC address of

HewlettP_ba:fe:ce (b4:99:ba:ba:fe:ce). I didn't see any multicast address on the frame captured.

.

Destination: IntelCor_7d:24:7d (00:15:17:7d:24:7d)

Source: Oracle_d7:38:84 (00:14:4f:d7:38:84).

Regards,

Jemal

viswamin · ‎01-01-2012

Hi Jemal,

Can you please look into the Mac address table and find out how the traffic flows between Server_B and server_C. Look for the complete path. it can span across multiple switches as well. so look out for the complete path along with their interface names.

In case if you see the interface where your Server_A is connected , on the transit path, then it is highly possible that you might see the packet flowing between Server_B and server_C.

The complete flow analysis would help to narrow down the problem better.

just my 2 cents

-Vijay

alhabesha · ‎01-10-2012

Actually servers with two or more interfaces were replying for ARP with different MAC addresses of thier interfaces with single IP address even if they have different IP Address on the interface. Parameter change on the servers to associate a single IP address to single interface fixed the problem.

Thank you all for your inputs.

ohassairi · ‎01-02-2012

do you have any SPAN configuration: look for monitor session ......in the config file

viswamin · ‎01-02-2012

oh.. yes.. SPAN Configuration could also result in getting a copy of every packet..

Thanks for reminding me :-)

-Vijay