VLAN behavior problem

Bob Smith
Level 1

I noticed (based on activity lights) that VLAN traffic between two switch ports is being sent to many switch ports. Here's my scenario:

Port 1 is a "mode access" switchport for VLAN 100 (untagged 100).

Port 2 is a "mode access" switchport for VLAN 101 (untagged 101).

Port 5 is a trunk for VLAN 100 and VLAN 101 (tagged 100, tagged 101).

I have the host on Port 1 talking to the host on Port 2. When they are talking to each other (unicast), I see ports 1, 2, and 5 light up, indicating that it's also sending the unicast traffic to port 5. I also confirmed this with Wireshark by seeing the unicast traffic between port 1 and 2 while sniffing packets on port 5. Why is it sending traffic to port 5 when the switch is fully capable of figuring out that the hosts are on Port 1 and Port 2?

My understanding in the past with switches is that it builds a CAM table of MAC addresses it sees on ports. Its CAM table should tell the switch that the source and destination hosts are on Ports 1 and 2. There's no reason it should also go to 5 since there is no host there.

This isn't a production switch (yet). So I only have three hosts on my network. Here is my config:

! SVI for VLAN 100 takes its address from the DHCP server; VLAN 101 has no
! IP address, so the switch itself does not route between the two VLANs
interface vlan 100
 ip address dhcp
!
interface vlan 101
!
! Host 1: untagged in VLAN 100
interface ge1
 switchport mode access
 switchport access vlan 100
!
! Host 2: untagged in VLAN 101
interface ge2
 switchport mode access
 switchport access vlan 101
!
! Uplink to the router: VLANs 100 and 101 tagged
interface ge5
 switchport trunk allowed vlan add 100,101
!
8 Replies

Carlos Villagran
Cisco Employee

Hi Bob!

My guess is that host 1 is trying to ARP the MAC address of its gateway and that request is traversing the trunk since the broadcast frame will be replicated over any interface belonging to vlan 100 (including the trunk).

Therefore all those frames you are watching traversing the trunk should be broadcast frames. Is there a way you can check this with your Wireshark?

Hope it helps! Best regards!

JC

I checked and I also see unicast frames on port 5 between host 1 and 2.

Then you are using a router as gateway that exists on port ge5?

If this is true, every communication between your hosts will have to traverse the router, and you will see it over that interface if you are using ge5 as SPAN source.

No, you cannot avoid this behavior. Every time a host detects the destination exists in another subnet it will use its gateway to reach it. Now, if you do not want the frames to traverse through the ge5 trunk you could use inter-VLAN routing if your switch supports routing.

Best regards!

JC

It's a layer 3 Cisco switch so I'd hope it can do it. Thanks for the help!

Simple solution is to put both ports in the same VLAN; but presumably you have a reason for putting them in separate ones??

If routing is enabled on the switch, then you can have VLAN interfaces on the switch defined with the gateway addresses; and the switch itself can probably do DHCP assignment. The trunked router may no longer be necessary...? If so, make sure it's disconnected, or you'd wind up with duplicate gateway addresses.

Okay -- So I think I figured out what's going on (but I don't know what the solution is).

Host 1 (ge1) is 192.168.1.2/24 with a gateway of 192.168.1.1 (vlan 100)

Host 2 (ge2) is 192.168.2.2/24 with a gateway of 192.168.2.1 (vlan 101)

The router at port ge5 is trunked with the two vlans (100, 101). It is 192.168.1.1 and 192.168.2.1.

When Host 1 writes a packet to get to Host 2, its destination MAC is the gateway's (192.168.1.1), since it considers the destination to be on the 192.168.2.x subnet.

This is inefficient, since it can just go to port ge2 to get there. Instead the packet goes to ge5 (vlan1 gateway), then it goes from ge5 (vlan 2 gateway) to ge2.

Is there any way to avoid this or will it always have to go to the gateway?


Hi Bob,
Where is your intervlan routing being performed ?
Also are you using HSRP ?
I have seen what you are seeing many times in campus networks known as unicast flooding
Please see this link for more info:-
http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6000-series-switches/23563-143.html
Hope this helps
Regards
Alex
Regards, Alex. Please rate useful posts.

I am not using HSRP...

The router is a DHCP server for vlan 100 (192.168.1.1) and vlan 101 (192.168.2.1). It sets the gateway as itself when it distributes an IP.

From a host perspective, it makes sense why the packets have to go to the gateway/router every time. The switch is not a router. Host 1 sets a destination MAC address to its gateway which goes to the router on Port 5.

Is there a feature on Cisco switches that allows a switch to accept packets destined for another VLAN? That would allow me to not have to send packets to Port 5 so that they can get rewritten to go to the proper VLAN. I'd rather have my switch do it.
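The forwarding path Bob traced above (host 1 to its gateway's MAC on ge5, then back from ge5 into VLAN 101) and the feature he asks about in this last post (the switch's own VLAN interface acting as the gateway, i.e. inter-VLAN routing on the switch) can both be shown with a small model of a VLAN-aware learning switch. This is an added example, not code from the thread or from Cisco; the MAC addresses, the "cpu" pseudo-port and the SVI MAC are constructed for the demo, and it assumes ARP has already been exchanged so the CAM table is populated.

```python
"""Added example (not from the thread): a per-VLAN learning switch model that
reproduces what Bob saw, namely ARP broadcasts flooded to the trunk and the
host1->host2 unicast crossing ge5 because its destination MAC belongs to the
external router, and what changes when the switch's own SVI is the gateway."""

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed addresses for the demo (not from the thread).
HOST1 = "00:00:00:00:01:01"   # ge1, VLAN 100, 192.168.1.2
HOST2 = "00:00:00:00:02:02"   # ge2, VLAN 101, 192.168.2.2
ROUTER = "00:00:00:00:05:05"  # ge5 trunk, answers 192.168.1.1 and 192.168.2.1
SVI = "00:00:00:00:ff:ff"     # switch's own MAC once it routes between VLANs
CPU = "cpu"                   # pseudo-port: frame terminates inside the switch


class Switch:
    """Learns (vlan, src MAC) -> port, forwards known unicast to that one port,
    floods unknown unicast and broadcast to every other member of the VLAN
    (access ports in it plus trunks that allow it)."""

    def __init__(self, access, trunk, own_macs=()):
        self.access = access          # port -> vlan
        self.trunk = trunk            # port -> set of allowed vlans
        self.own_macs = set(own_macs)
        self.cam = {}                 # (vlan, mac) -> port

    def members(self, vlan):
        ports = {p for p, v in self.access.items() if v == vlan}
        ports |= {p for p, allowed in self.trunk.items() if vlan in allowed}
        return ports

    def forward(self, in_port, vlan, src, dst):
        """Return the set of egress ports for one frame."""
        if in_port != CPU:
            self.cam[(vlan, src)] = in_port          # source learning
        if dst in self.own_macs:
            return {CPU}                             # addressed to an SVI
        if dst != BROADCAST and (vlan, dst) in self.cam:
            out = self.cam[(vlan, dst)]
            return set() if out == in_port else {out}
        return self.members(vlan) - {in_port}        # flood within the VLAN


def build_switch(route_on_switch):
    sw = Switch(access={"ge1": 100, "ge2": 101}, trunk={"ge5": {100, 101}},
                own_macs=[SVI] if route_on_switch else [])
    # Let the switch learn every MAC once (ARP has already been exchanged).
    sw.forward("ge1", 100, HOST1, BROADCAST)
    sw.forward("ge2", 101, HOST2, BROADCAST)
    if not route_on_switch:
        sw.forward("ge5", 100, ROUTER, BROADCAST)
        sw.forward("ge5", 101, ROUTER, BROADCAST)
    return sw


def arp_request_egress(sw):
    """JC's first guess: a broadcast ARP from host 1 is flooded to every other
    VLAN 100 member, which in Bob's topology is only the trunk."""
    return sw.forward("ge1", 100, HOST1, BROADCAST)


def host1_to_host2(sw, route_on_switch):
    """Trace the IP packet host 1 -> host 2. Returns [(vlan, egress ports)]."""
    gateway = SVI if route_on_switch else ROUTER
    # Hop 1: 192.168.2.2 is off-subnet, so host 1 addresses its gateway's MAC.
    hops = [(100, sw.forward("ge1", 100, HOST1, gateway))]
    if route_on_switch:
        # The SVI is the gateway: the switch re-emits the packet in VLAN 101.
        hops.append((101, sw.forward(CPU, 101, SVI, HOST2)))
    else:
        # The external router sends it back on the trunk, now tagged 101.
        hops.append((101, sw.forward("ge5", 101, ROUTER, HOST2)))
    return hops


def trunk_ports_used(sw, hops):
    """Trunk ports the unicast crossed: what a sniffer on ge5 would see."""
    return {p for _, ports in hops for p in ports if p in sw.trunk}


def same_vlan_egress():
    """The simplest fix suggested in the thread: with both hosts in VLAN 100,
    host 1 addresses host 2's MAC directly and only ge2 is used."""
    sw = Switch(access={"ge1": 100, "ge2": 100}, trunk={"ge5": {100, 101}})
    sw.forward("ge1", 100, HOST1, BROADCAST)
    sw.forward("ge2", 100, HOST2, BROADCAST)
    return sw.forward("ge1", 100, HOST1, HOST2)


if __name__ == "__main__":
    for routed in (False, True):
        sw = build_switch(routed)
        hops = host1_to_host2(sw, routed)
        print("SVI routing" if routed else "external router", hops,
              "trunk ports crossed:", trunk_ports_used(sw, hops))
```

With the external router the unicast crosses ge5 in both directions (once tagged 100, once tagged 101), which is exactly the traffic Bob captured; with the switch's SVI as gateway the first hop terminates in the switch and only ge2 is used. The model also shows why JC's first explanation was incomplete: the ARP broadcast does reach ge5, but so does the known-unicast frame, because the CAM entry for the gateway MAC points at the trunk.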
