
Question on Cisco 5K flooding unexpectedly.


I am scratching my head to understand the condition of why a 5K appears to be flooding traffic across a vlan for MAC addresses it should have learned and be in its active forwarding table.


I have a 7K routing layer (2) cross connected to a 5K switching layer (2). I have around 5K mac addresses total across 60 vlans which are routed within the 7Ks. I have a host with Wireshark running on a machine attached to vlan 251 as an access port. Nothing mirrored, just capturing traffic on its LAN port. I should only be getting traffic for itself and anything on the vlan broadcast, multicast or flooded. My concern is the flooding, see attached view of Wireshark output. My mac aging timers are for 4 hours, but I have tried different settings from default and this behavior continues. I have monitored for this particular host mac and at a minimum it broadcasts each 20 minutes for its default gateway. In packet 37906 we see a src mac received by my machine of 16e0, that has been broadcast. At that point at a minimum the switch should know the port that mac comes in and no longer need to flood. At packet 38234 (22 seconds later), we see traffic that must have been flooded for it to be sent to an unrelated port to that mac 16e0. I see this a few times per day for short periods and I cannot reason out a cause. I am running - n5000-uk9.7.3.5.N1.1.bin and have 12 FEXs dual homed to the 5K where hosts are attached. Any thoughts or ideas would be appreciated.


Joseph W. Doherty
Hall of Fame Master

Without really understanding your topology, cannot say whether yours might be a case of unicast flooding due to different MAC and ARP timeout values and asymmetric data paths, but if you're somewhat unfamiliar with this possible issue, you might wish to review:

Definitely there could be some asymmetric paths, with many vlans and some dual-homed hosts in the environment. I have seen what is described in the article. The problem I have with that here is that I see traffic from the hosts where traffic is being flooded, directly before the flooding continues. Getting any traffic from that host as a source MAC on this same vlan should mean the switch should learn the MAC address and port for that MAC. After that time and before a mac aging timer expires, traffic should not be flooded. That is why I highlighted the traced packets, showing RX of a broadcast packet from that mac just seconds before traffic appears flooded to that MAC. Are there some corner cases with the Nexus where a MAC would be prematurely aged out or perhaps not learned at all?
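
The check described in the posts above (a MAC seen as a source on the VLAN, then unicast traffic to that MAC arriving on an unrelated port before the aging timer expires), as an added example that is not part of the original thread. The MAC addresses, timestamps and function names are constructed for illustration; the 4-hour aging value is the one stated in the question.

```python
# Added example: flag unicast frames that reached this capture port even though
# their destination MAC was recently seen as a source on the same VLAN.
# All MAC addresses and timestamps below are constructed sample data.

AGING_SECONDS = 4 * 3600  # MAC aging timer stated in the question (4 hours)

def is_unicast(mac):
    """Unicast when the I/G bit (lowest bit of the first octet) is 0."""
    return (int(mac.split(":")[0], 16) & 1) == 0

def find_unexpected_floods(frames, my_mac, aging=AGING_SECONDS):
    """frames: iterable of (time_s, src_mac, dst_mac) seen on the capture port.

    Returns (time_s, dst_mac, seconds_since_dst_was_last_a_source) for every
    unicast frame not addressed to my_mac whose destination was seen as a
    source within the aging window, i.e. the switch had a chance to learn it.
    """
    my_mac = my_mac.lower()
    last_seen = {}  # source MAC -> last time it appeared as a source
    hits = []
    for t, src, dst in sorted(frames):
        src, dst = src.lower(), dst.lower()
        if is_unicast(dst) and dst != my_mac:
            seen = last_seen.get(dst)
            if seen is not None and t - seen <= aging:
                hits.append((t, dst, round(t - seen, 3)))
        last_seen[src] = t
    return hits

ME = "02:00:00:00:00:01"      # capture host (constructed)
HOST = "02:00:00:00:16:e0"    # stands in for the "16e0" host (constructed)
GW = "02:00:00:00:00:fe"      # another talker on the VLAN (constructed)
BCAST = "ff:ff:ff:ff:ff:ff"

SAMPLE = [
    (100.0, HOST, BCAST),              # broadcast from the host: learnable
    (110.0, GW, ME),                   # normal traffic to the capture host
    (122.0, GW, HOST),                 # unicast to the host, 22 s after it spoke
    (130.0, GW, "02:00:00:00:aa:aa"),  # flooded, but never seen as a source
    (140.0, GW, "01:00:5e:00:00:fb"),  # multicast: expected on this port
]

if __name__ == "__main__":
    for t, dst, age in find_unexpected_floods(SAMPLE, ME):
        print(f"t={t}: unicast to {dst} flooded {age}s after it was last a source")
```

Real input can be produced from a capture with `tshark -T fields -e frame.time_relative -e eth.src -e eth.dst`, converting the first column to a float.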
