Unicast flooding question

gsaccento2222 (Level 1)

Hi all!

Long time follower first time poster. I am having some trouble understanding the following topology attached. 

My general question is how is it possible that the standby HSRP router gets the return path traffic and is allowed to unicast flood toward the access layer in this topology? From my understanding the links facing the HSRP standby router would be blocked due to STP therefore not allowing unicasts to get propagated down toward the access layer in the event HSRP standby CAM entry expires after 5 minutes.

My assumptions are as follows, as the diagram from Cisco is a bit ambiguous.

1. The access layer switches and their respective links are all on vlan 2

2. I'm assuming STP is in play and would be blocking 3/4 links toward the HSRP standby router.

3. If STP is in play and blocking most links facing the HSRP standby router, how can the HSRP standby send unicasts toward the access switches on all links?

Any advice or help on this would be greatly appreciated! 

 


11 Replies

The topology you shared has three switches, but there is no loop to make STP block one port.

MHM

gsaccento2222 (Level 1)

@MHM Cisco World 

Thank you for the reply! I am a bit confused by your response however!

It looks like the 4 access switches are carrying VLAN 2 up to both DISTRO switches. I am confused how this would not result in some ports being set to BLK. I have also labbed this up simply, and when I have 4 access switches going to 2 distros I get 3 BLK links out of 4 to the standby / secondary root bridge.

Am i missing something?

Thank you!

Indeed, after I double-checked the topology you shared and ran a small lab, there is one port, and ONLY ONE PORT, THAT NEEDS TO BLK TO BREAK THE LOOP.


gsaccento2222 (Level 1)

@MHM Cisco World 

Right, I essentially did the same lab as you did but with 4 access switches instead of the 2 you did in your diagram. Thank you for taking the time to share this with me.

 

Back to the original question. In the diagram from Cisco (the one I attached), if the return traffic is sent to the HSRP standby router due to ECMP and the links facing VLAN 2 (the 4 links toward the access layer), how can it send unknown unicast traffic to all 4 access switches? My understanding is that with 3 out of the 4 links blocked, the unknown unicast traffic will be sent out of all ports that are in FWD and not BLK mode.

The same path the HSRP packets take between the two core switches.

HSRP uses multicast and floods through all FWD ports (and of course not through BLK ports).

Unknown unicast is flooded the same way, and since we agree that only one port is BLK, the switch sends the unknown unicast via its FWD ports to the other switches, and the other switches also flood it out of their ports, except the port they received it on.

This makes the L3 switch flood unknown unicast to all switches in the STP domain.

MHM

Since we don't have a config, you can lab this up, which you have done. Now print or get a screenshot of the diagram and log into every switch and do a show spanning-tree vlan 2. This will show you what ports are blocked. STP should NOT blackhole traffic (unless it's a really crappy L2 design), and even then I'd be skeptical. Once you figure out the blocking ports you will see the path the packets take. It may not be the most direct path but it will get to the devices.

 

-David

 

Joseph W. Doherty (Hall of Fame)

Your problem in understanding has much to do with the diagram, which doesn't make clear what's happening, which is . . .

Off net (diagram's upstream) traffic is going to the right L3 switch, which routes it elsewhere. In the diagram, to some off net VLAN2 host. Follow the blue lines.

That host responds with its traffic going to the left L3 switch.  Follow the orange lines.

The diagram mentions the left L3 switch's CAM timer has timed out but doesn't mention its ARP timer has not. So at L3, the L3 switch has the MAC for the PC shown on the right, and can build a frame to send the packet to that host, but the L3 switch doesn't have an active MAC entry for what port the destination MAC has been seen on (as a src MAC), so it floods each frame to all VLAN ports. (Same as it does anytime it doesn't know the destination port seen for a src MAC.)

Although the destination is sending new frames, that only refreshes the CAM on that host's access L2 switch and on the active gateway L3 switch.

This is also why the other access L2 switches flood to all their ports, but the host's access switch only transmits on the host's connected ports. Again, look carefully at the orange lines.

Your diagram is a variation of "Cause 1: Asymmetric Routing", which also references "Case Study #5: Asymmetric Routing and HSRP (Excessive Flooding of Unicast Traffic in Network with Routers that run HSRP)".

I recall first time I studied this, it seemed difficult to wrap one's mind around it, but the key to understanding the problem is CAM timers and ARP timers.

Initially, and when the ARP timer expires on the left L3 switch, the switch will ARP the destination IP, and the host will respond to the ARP request.  This sets both the ARP timer and each transit switch's CAM timer.

If the ARP timer expires before the CAM timer, unicast flooding won't occur. But if the CAM timer expires first, then you can get unicast flooding.

Again, this flooding is the same flooding for any MAC not in the CAM, but normally you don't see it for unicast packets other than the initial packet, at least for two way symmetric traffic flows.  You can also see this issue for unidirectional L2 flows. 
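The CAM-versus-ARP timer race described above, as an added simulation (not code from the thread or from Cisco): the host's own frames only ever transit the HSRP active switch, so the left switch's CAM entry for the host MAC is never refreshed, while its ARP entry outlives it. The host MAC, IP, port name, and the one-packet-per-second traffic pattern are constructed; the 300 s MAC aging and 14400 s ARP timeout are the Cisco IOS defaults, and the timer model (fixed ARP lifetime, inactivity-based CAM aging, ARP reply refreshing the CAM) is a simplification.

```python
from dataclasses import dataclass, field

# Constructed sample values for the simulation.
HOST_MAC = "00:11:22:33:44:55"
HOST_IP = "10.2.0.10"
HOST_PORT = "Gi1/0/1"          # left switch's downlink toward the host


@dataclass
class L3Switch:
    """Minimal model of an L3 switch: a CAM (MAC -> port) and an ARP cache."""
    name: str
    cam_aging: int             # seconds of inactivity before a CAM entry ages out
    arp_timeout: int           # seconds an ARP entry lives before re-ARPing
    cam: dict = field(default_factory=dict)   # mac -> (port, last_seen)
    arp: dict = field(default_factory=dict)   # ip  -> (mac, learned_at)
    floods: int = 0
    arp_requests: int = 0

    def learn(self, src_mac, port, now):
        """A frame with this source MAC arrived on port: (re)start CAM aging."""
        self.cam[src_mac] = (port, now)

    def resolve(self, ip, now, port):
        """Return the MAC for ip, re-ARPing if the ARP entry has expired.
        The host's ARP reply is a frame from its MAC, so it refreshes the CAM."""
        entry = self.arp.get(ip)
        if entry is None or now - entry[1] >= self.arp_timeout:
            self.arp_requests += 1
            self.arp[ip] = (HOST_MAC, now)
            self.learn(HOST_MAC, port, now)
        return self.arp[ip][0]

    def forward(self, ip, now, port):
        """Route a packet to ip: flood if the destination MAC is not in the CAM."""
        mac = self.resolve(ip, now, port)
        cam_entry = self.cam.get(mac)
        if cam_entry is None or now - cam_entry[1] >= self.cam_aging:
            self.floods += 1
            return "flood"
        return cam_entry[0]


def simulate(arp_timeout, cam_aging, duration=900):
    """Asymmetric flow: host -> off-net via right (HSRP active), return via left.
    Returns (frames the left switch flooded, ARP requests it sent)."""
    left = L3Switch("left", cam_aging, arp_timeout)
    right = L3Switch("right", cam_aging, arp_timeout)
    for now in range(duration):
        right.learn(HOST_MAC, HOST_PORT, now)   # only the active gateway sees host frames
        left.forward(HOST_IP, now, HOST_PORT)   # return traffic must be delivered by left
    return left.floods, left.arp_requests
```

With the defaults, the left switch floods every return frame from t=300 s onward; with the ARP timeout reduced to the CAM aging time, each re-ARP refreshes the CAM first and nothing is flooded.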

Joseph,

First off thank you for your response. I have been a long time fan of your posts and feedback to the community. I have learned a great deal from your posts over the years and I appreciate your dedication to this community.

I believe I have a good understanding of why the left L3 switch must flood via unknown unicast. As you mentioned eloquently, the L3 switch on the left (potentially secondary root bridge) has the ARP information to build the L2 header but when it comes to its L2 functionality, it has no option but to flood to the final destination as the destination MAC has either aged out or hasn't received the traffic.

My confusion (and possibly lack of fully understanding) is why the left L3 switch is allowed to flood all 4 links into the access layer. I am taking an assumption by saying if all access layer switch links are L2 and are either access vlan 2, or trunked allowing vlan 2, then some links facing the left L3 switch must be blocked. I believe STP would block the majority of the links facing the secondary root bridge therefore only allowing one to FWD traffic.

If my assumptions are correct, when the return traffic is sent from the outside world, hits the left L3 switch, does its MAC rewrite as part of its L3 functionality, it would then flood out all ports that are allowed and are not in BLK. I guess I'm overall confused how all links in this topology are set to STP FWD to allow egress traffic to route to the EAST portion of the topology and then have no issues flooding the full WEST side of the topology on ingress.

Again, thank you for your time and your response. 

 

Gotcha!  My bad!  Thought you were confusing STP with unicast flooding. Misunderstood your question.

Again, your diagram is misleading, it doesn't account for impact of STP and you're assuming which 3 of the 8 uplinks are blocked by STP.

If all 4 access switches had an unblocked right uplink the left L3 switch will still flood to the one active downlink, and if that access switch is not the right most, it will flood to all its other ports, including its right uplink.

Consider if all access switches left uplink wasn't blocked and only the right most switch had both uplinks not blocked.  Then the diagram would be accurate, agreed?

Joseph,

You did a great job of breaking this down for me. The fact that this diagram does not mention which switch is the STP root bridge is what led me to the confusion I had.

"Consider if all access switches left uplink wasn't blocked and only the right most switch had both uplinks not blocked.  Then the diagram would be accurate, agreed?"

This helped me with exactly what I was thinking would happen if the path of data traffic preferred the WEST side of the topology over the EAST side despite the EAST side being the HSRP active router.

Thank you so much for the excellent support and clarification!!

Yep, you got it!

Basically, you assumed what links would be blocked, mostly by assuming the active gateway device would also be the root bridge (which isn't a bad presumption, but the diagram doesn't tell us that - of course, it doesn't tell us it's not either - so, that's a reason why the diagram is misleading - i.e. depending on STP blocked links, you could get the results the diagram indicates, but you're quite right, in that you might not too - so, indeed the diagram can lead to confusion).

Again, my bad, in that I didn't take enough time to properly understand your original question.  (Your follow-up reply made your question, to me, clear.)
