Unicast Flooding

rc.castillo
Level 1

Hi,

I just want to know about unicast flooding. I am experiencing a scenario where, when I put a laptop on a port on a switch and start sniffing the network, I see unicast traffic coming from other switches but within the same VLAN. I am not using any SPAN sessions. I just plug in a laptop and start sniffing. The unicast traffic that I'm seeing is valid.

Hope you could help. Thanks.


Giuseppe Larosa
Hall of Fame

Hello Roselyn,

Verify whether the destination MAC address is really unknown in the switches' CAM tables.

The only case when unicast flooding should happen is when the destination host has not started to talk.

In this case someone is sending traffic to it because it has the MAC address in its ARP table (ARP timeout can be hours, CAM timeout is 300 seconds).

So some unicast flooding can happen in a healthy network.

It is a different case if a MAC address flooding attack is happening.

If the CAM tables are full of random MAC addresses, legitimate MAC addresses can be unicast flooded because there is no space for them in the CAM table.

You can check this on IOS-based switches using

sh mac address-table count

or

sh mac-address-table count

(version dependent)

Hope to help

Giuseppe
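
The two cases named in the reply above (an aged-out CAM entry and a full CAM table), as an added example that is not part of the original thread. It is a toy model of a learning switch, not vendor code: the class and function names are hypothetical, and the MAC addresses and table capacities are constructed.

```python
CAM_AGING_S = 300  # CAM timeout quoted in the reply above


class LearningSwitch:
    """Toy model: one VLAN, inactivity-based aging, bounded CAM table."""

    def __init__(self, ports, aging_s=CAM_AGING_S, capacity=8192):
        self.ports = set(ports)
        self.aging_s = aging_s
        self.capacity = capacity  # assumed table size (constructed value)
        self.cam = {}             # mac -> (port, time last seen as a source)

    def _expire(self, now):
        # Drop entries whose owner has not sent a frame within aging_s.
        self.cam = {m: (p, t) for m, (p, t) in self.cam.items()
                    if now - t < self.aging_s}

    def receive(self, now, in_port, src, dst):
        """Process one frame; return the set of ports it is sent out of."""
        self._expire(now)
        # Learn or refresh the source; a full table cannot learn new MACs.
        if src in self.cam or len(self.cam) < self.capacity:
            self.cam[src] = (in_port, now)
        entry = self.cam.get(dst)
        if entry is None:
            # Unknown unicast: flood to every port except the ingress port.
            return self.ports - {in_port}
        return {entry[0]}


def demo():
    """Port 3 is the passive laptop; A is on port 1, B on port 2."""
    A, B = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02"  # constructed MACs
    out = {}
    sw = LearningSwitch(ports=[1, 2, 3])
    sw.receive(0, 2, B, A)                        # B talks once and is learned
    out["fresh"] = sw.receive(10, 1, A, B)        # forwarded to port 2 only
    # B stays silent; A keeps sending because its ARP entry is still valid.
    out["aged"] = sw.receive(400, 1, A, B)        # flooded, laptop sees it
    sw.receive(401, 2, B, A)                      # B replies and is relearned
    out["relearned"] = sw.receive(402, 1, A, B)   # port 2 only again
    full = LearningSwitch(ports=[1, 2, 3], capacity=1)
    full.receive(0, 1, A, B)                      # A takes the only CAM slot
    full.receive(1, 2, B, A)                      # B cannot be learned
    out["table_full"] = full.receive(2, 1, A, B)  # flooded although B talks
    return out
```

In the model, flooding for a destination stops as soon as that host sends a frame and is learned, unless the table has no room for it.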

Hi,

When you have unicast flooding, regardless of what protocol, are you going to see traffic from other switches (i.e. ftp, smb)?

Thanks.

Hello Roselyn,

>> When you have unicast flooding, regardless of what protocol, are you going to see traffic from other switches

Yes, within the same VLAN it is possible: it is a single broadcast domain that spans multiple L2 switches.

Hope to help

Giuseppe

Hi,

What if I am only seeing a specific protocol (SMB)? Would you consider it unicast flooding, or maybe it is the behavior of the server that causes this?

Thanks.

Hello Roselyn,

It can be both at the same time.

From a networking point of view, frames with an unknown unicast destination are flooded.

The root cause can be a server having a wrong ARP entry for example.

I would check the default gateway for the vlan using

sh ip arp | inc

and I would compare this with the IP destination address on the captured packet.

Hope to help

Giuseppe

A common cause of unicast flooding can also be asymmetric routing. Since you are talking about SMB (file transfer protocol), you might have this problem. See http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00801d0808.shtml

Hi Sir,

My problem is that, even when there is no SPAN session, when I plug my PC into a port in the same VLAN as my servers, I can see that the other servers are sending unicast to a specific server. This behavior is not present all the time. The traffic that I am seeing is SMB, but when I do an FTP to this specific server I can't see any FTP traffic. Also, these servers are located on two different switches.

Hope you could help. Thanks.
