10-01-2009 01:08 PM - edited 03-06-2019 07:58 AM
I created different VLANs on my C4948/C2960 switches. When I run Wireshark/Ethereal on one server to capture the packets, I can see all the packets coming in and out from other hosts in the same VLAN.
Is that normal? I think the packets are isolated by the different switch ports; they shouldn't go to other ports which are not the destination port, except ARP or some other broadcast packets.
Please correct me. Thank you.
10-01-2009 05:51 PM
If you look at the path of a packet, when packets enter, the first thing looked at is the destination MAC address. If this is not in the MAC address table (for some reason), the packets are flooded to all hosts in the same VLAN. This is unknown unicast flooding.
Here is a very good reference with an example: http://www.ciscopress.com/articles/article.asp?p=336872
10-02-2009 01:11 PM
Use Wireshark and apply a filter like this:
not arp and not llc and not eigrp and not hsrp and not
Just keep adding all of the broadcast and multicast protocols you see. Everything else should be unicast.
After a few minutes of capturing, click "Statistics" and then click on "Conversations", sort by bytes, and see what all the traffic has in common, probably the same HSRP destination address. Find out what the commonality is and let us know, or review the ARP and CAM tables to see if the destination address is constantly missing from CAM. I know of a bug on 6500s that does this.
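The triage described in the replies above, as an added example that is not part of the original thread: it classifies captured frames by destination MAC and totals bytes per unicast destination that is not the capturing host, which is the "commonality" to compare against the CAM table. The function names, the `(src, dst, length)` tuple format and all sample MAC addresses are assumptions constructed for illustration.

```python
from collections import Counter

def mac_bytes(mac):
    """Parse 'aa:bb:cc:dd:ee:ff' into 6 raw bytes (case-insensitive)."""
    return bytes(int(part, 16) for part in mac.split(":"))

def classify(dst, local_mac):
    """Classify one destination MAC as seen from the capturing host."""
    raw = mac_bytes(dst)
    if raw == b"\xff" * 6:
        return "broadcast"
    if raw[0] & 0x01:              # I/G bit set: group (multicast) address
        return "multicast"
    if raw == mac_bytes(local_mac):
        return "to_me"
    return "foreign_unicast"       # unicast for another host: flooded to this port

def flooded_destinations(frames, local_mac):
    """frames: iterable of (src_mac, dst_mac, length).
    Returns (frame count per class, [(dst_mac, bytes)] for foreign unicast,
    largest first), mirroring a Conversations view sorted by bytes."""
    classes = Counter()
    bytes_by_dst = Counter()
    for src, dst, length in frames:
        if mac_bytes(src) == mac_bytes(local_mac):
            classes["from_me"] += 1
            continue
        kind = classify(dst, local_mac)
        classes[kind] += 1
        if kind == "foreign_unicast":
            bytes_by_dst[dst.lower()] += length
    return classes, bytes_by_dst.most_common()

# Constructed sample capture (not real traffic).
LOCAL = "00:11:22:33:44:55"
SAMPLE = [
    ("00:11:22:33:44:55", "00:aa:bb:cc:dd:01", 74),    # sent by this host
    ("00:aa:bb:cc:dd:01", "00:11:22:33:44:55", 1514),  # addressed to this host
    ("00:aa:bb:cc:dd:02", "ff:ff:ff:ff:ff:ff", 60),    # broadcast (e.g. ARP)
    ("00:aa:bb:cc:dd:03", "01:00:5e:00:00:0a", 74),    # multicast (224.0.0.10, EIGRP)
    ("00:aa:bb:cc:dd:04", "00:00:0C:07:AC:01", 1514),  # HSRP v1 virtual MAC, group 1
    ("00:aa:bb:cc:dd:05", "00:00:0c:07:ac:01", 1200),
    ("00:aa:bb:cc:dd:04", "00:aa:bb:cc:dd:09", 300),
]

if __name__ == "__main__":
    counts, top = flooded_destinations(SAMPLE, LOCAL)
    print(dict(counts))
    for dst, nbytes in top:
        print(f"{dst}  {nbytes} bytes flooded to this port")
```

A destination that stays at the top of this list is the address to look up in the switch's MAC address table.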