04-09-2021 08:28 AM - edited 04-09-2021 08:34 AM
I am scratching my head to understand the condition of why a 5K appears to be flooding traffic across a vlan for MAC addresses it should have learned and be in its active forwarding table.
I have a 7K routing layer (2) cross connected to a 5K switching layer (2). I have around 5K mac addresses total across 60 vlans which are routed within the 7Ks. I have a host with wireshark running on a machine attached to vlan 251 as an access port. Nothing mirrored, just capturing traffic on its lan port. I should only be getting traffic for itself and anything on the vlan broadcast, multicast or flooded. My concern is the flooding, see attached view of wireshark output. My mac aging timers are for 4 hours, but I have tried different settings from default and this behavior continues. I have monitored for this particular host mac and at a minimum it broadcasts each 20 minutes for its default gateway. In packet 37906 we see a src mac received by my machine of 16e0, that has been broadcast. At that point at a minimum the switch should know the port that mac comes in and no longer need to flood. At packet 38234 (22 seconds later), we see traffic that must have been flooded for it to be sent to an unrelated port to that mac 16e0. I see this a few times per day for short periods and I cannot reason out a cause. I am running - n5000-uk9.7.3.5.N1.1.bin and have 12 Fexs dual homed to the 5K where hosts are attached. Any thoughts or ideas would be appreciated.
04-09-2021 08:48 AM
Without really understanding your topology, cannot say whether yours might be a case of unicast flooding due to different MAC and ARP timeouts values and asymmetric data paths, but if you're somewhat unfamiliar with this possible issue, you might wish to review: https://www.cisco.com/c/en/us/support/docs/switches/catalyst-6000-series-switches/23563-143.html
04-09-2021 10:05 AM
Definitely there could be some asymmetric paths, with many vlans and some dual-homed hosts in the environment. I have seen what is described in the article. The problem I have with that here, is I see traffic from the hosts where traffic is being flooded, directly before the flooding continues. Getting any traffic from that host as a source MAC on this same vlan, should mean the switch should learn the MAC address and port for that MAC. After that time and before a mac aging timer expires, traffic should not be flooded. That is why I highlighted the traced packets, showing RX of a broadcast packet from that mac just seconds before traffic appears flooded to that MAC. Are there some corner cases with the Nexus where a MAC would be prematurely aged out or perhaps not learned at all?
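An added example, not part of this thread, that models the reasoning in the two posts above: replay a capture's frames through a simulated MAC table with the aging timer, and separate unicast frames that an access port should never have received into expected unknown-unicast floods and anomalous ones whose destination MAC was seen as a source within the aging window. The MACs, frame numbers and timestamps are constructed to mirror the described scenario, not taken from the actual capture.

```python
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    no: int      # Wireshark frame number
    ts: float    # capture time in seconds
    src: str     # source MAC
    dst: str     # destination MAC


def is_multicast(mac: str) -> bool:
    """Group bit (LSB of the first octet) set: broadcast or multicast."""
    return int(mac.split(":")[0], 16) & 1 == 1


def classify_floods(frames, my_mac, aging_secs=4 * 3600):
    """Replay frames through a simulated MAC table with a single aging timer.

    A unicast frame not addressed to the capture host must have been flooded.
    It is 'unknown_unicast' (normal) when the switch could not have known the
    destination, and 'anomalous' when the destination MAC was seen as a source
    less than aging_secs earlier, so the switch should still have it learned.
    """
    last_seen = {}                      # MAC -> timestamp last seen as source
    out = {"anomalous": [], "unknown_unicast": []}
    for f in frames:
        if not is_multicast(f.dst) and f.dst != my_mac:
            seen = last_seen.get(f.dst)
            if seen is not None and f.ts - seen <= aging_secs:
                out["anomalous"].append((f.no, f.dst, round(f.ts - seen, 3)))
            else:
                out["unknown_unicast"].append((f.no, f.dst))
        last_seen[f.src] = f.ts         # switch learns the source after lookup
    return out


# Constructed sample mirroring the thread; MACs and frame numbers are made up.
MY_MAC = "00:00:00:00:00:01"            # the Wireshark host on the access port
HOST_16E0 = "00:00:00:00:16:e0"
GATEWAY = "00:00:00:00:00:fe"
SAMPLE_FRAMES = [
    Frame(37906, 0.0, HOST_16E0, BROADCAST),             # ARP for its gateway
    Frame(38000, 5.0, "00:00:00:00:aa:aa", MY_MAC),       # normal traffic to us
    Frame(38100, 9.0, GATEWAY, "01:00:5e:00:00:fb"),      # multicast, ignored
    Frame(38234, 22.0, GATEWAY, HOST_16E0),               # flooded 22 s later
    Frame(38300, 30.0, GATEWAY, "00:00:00:00:bb:bb"),     # never seen as source
]

if __name__ == "__main__":
    for kind, hits in classify_floods(SAMPLE_FRAMES, MY_MAC).items():
        print(kind, hits)
```

Feeding real frames in (for example via pyshark or tshark's field export) and running this with the configured aging time turns the "it was seen seconds earlier" argument into a list of frame numbers to check against the switch's MAC table at that moment.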