Question on Cisco 5K flooding unexpectedly.

JoeDish30242
Level 1

I am scratching my head to understand the condition of why a 5K appears to be flooding traffic across a vlan for MAC addresses it should have learned and be in its active forwarding table.

I have a 7K routing layer (2) cross connected to a 5K switching layer (2). I have around 5K MAC addresses total across 60 vlans which are routed within the 7Ks. I have a host with Wireshark running on a machine attached to vlan 251 as an access port. Nothing mirrored, just capturing traffic on its LAN port. I should only be getting traffic for itself and anything on the vlan broadcast, multicast or flooded. My concern is the flooding, see attached view of Wireshark output. My MAC aging timers are for 4 hours, but I have tried different settings from default and this behavior continues. I have monitored for this particular host MAC and at a minimum it broadcasts each 20 minutes for its default gateway. In packet 37906 we see a src MAC received by my machine of 16e0, that has been broadcast. At that point at a minimum the switch should know the port that MAC comes in and no longer need to flood. At packet 38234 (22 seconds later), we see traffic that must have been flooded for it to be sent to an unrelated port to that MAC 16e0. I see this a few times per day for short periods and I cannot reason out a cause. I am running n5000-uk9.7.3.5.N1.1.bin and have 12 FEXs dual homed to the 5K where hosts are attached. Any thoughts or ideas would be appreciated.

2 Replies

Joseph W. Doherty
Hall of Fame

Without really understanding your topology, I cannot say whether yours might be a case of unicast flooding due to different MAC and ARP timeout values and asymmetric data paths, but if you're somewhat unfamiliar with this possible issue, you might wish to review: https://www.cisco.com/c/en/us/support/docs/switches/catalyst-6000-series-switches/23563-143.html

Definitely there could be some asymmetric paths, with many vlans and some dual-homed hosts in the environment. I have seen what is described in the article. The problem I have with that here is that I see traffic from the hosts where traffic is being flooded, directly before the flooding continues. Getting any traffic from that host as a source MAC on this same vlan should mean the switch learns the MAC address and port for that MAC. After that time and before a MAC aging timer expires, traffic should not be flooded. That is why I highlighted the traced packets, showing RX of a broadcast packet from that MAC just seconds before traffic appears flooded to that MAC. Are there some corner cases with the Nexus where a MAC would be prematurely aged out or perhaps not learned at all?
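The check the poster did by hand in Wireshark (a unicast frame arriving on an access port that is addressed to some other host, shortly after that host's MAC was seen as a source) can be automated over a capture. The script below is an added example, not from the thread or from Cisco; the MAC addresses and timestamps are constructed to mirror packets 37906 and 38234, and a real run would fill `SAMPLE_FRAMES` from a Wireshark export instead.

```python
from dataclasses import dataclass

@dataclass
class Frame:
    num: int      # Wireshark packet number
    ts: float     # capture time in seconds
    src: str      # source MAC
    dst: str      # destination MAC

def is_group_address(mac: str) -> bool:
    """True for broadcast/multicast: the I/G bit of the first octet is set."""
    return int(mac.split(":")[0], 16) & 1 == 1

def find_flooded_unicast(frames, capture_mac):
    """Flag unicast frames not addressed to the capturing host.

    For each one, report how many seconds earlier the destination MAC was
    last seen as a *source* on this port. That is the evidence the thread
    relies on: if the switch saw the MAC as a source moments before, it
    should hold a forwarding entry and the frame should not be flooded.
    """
    last_seen_as_src = {}
    findings = []
    for f in frames:
        if f.dst != capture_mac and not is_group_address(f.dst):
            gap = f.ts - last_seen_as_src[f.dst] if f.dst in last_seen_as_src else None
            findings.append((f.num, f.dst, gap))
        last_seen_as_src[f.src] = f.ts
    return findings

# Constructed sample: a broadcast from the "16e0" host, then 22 seconds later a
# unicast frame to that host arriving on an unrelated access port. Full MACs are
# made up (IANA documentation range); only the 16e0 suffix comes from the thread.
CAPTURE_HOST = "00:00:5e:00:53:01"
HOST_16E0 = "00:00:5e:00:53:e0"  # placeholder for the ...16e0 host
GATEWAY = "00:00:5e:00:53:fe"
BROADCAST = "ff:ff:ff:ff:ff:ff"

SAMPLE_FRAMES = [
    Frame(37906, 0.0, HOST_16E0, BROADCAST),              # ARP request for gateway
    Frame(37950, 5.0, GATEWAY, CAPTURE_HOST),             # normal traffic to us
    Frame(38100, 10.0, GATEWAY, "01:00:5e:00:00:fb"),     # multicast, expected
    Frame(38234, 22.0, GATEWAY, HOST_16E0),               # flooded unicast to 16e0
]

if __name__ == "__main__":
    for num, dst, gap in find_flooded_unicast(SAMPLE_FRAMES, CAPTURE_HOST):
        print(f"packet {num}: unicast to {dst} not for this host; "
              f"that MAC was last seen as a source {gap}s earlier")
```

A gap far below the configured MAC aging time (here 22 s against 4 hours) points at an entry being lost or never learned rather than at the normal ARP-versus-MAC timeout mismatch.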
