Skip to main content
Start a Conversation

Unsolved

This post is more than 5 years old

CliffF

40 Posts

35783

May 4th, 2006 15:00

Powerconnect switch stack broadcasting unicast traffic

I am having a problem where I am seeing unicast traffic being broadcast to all ports on all my switches.
 
The sending machine (A) is a mitel pbx. It is located at a remote site. To get to our main office, the traffic is sent over a routed (layer 3) link. The router at our main office is plugged in to a PowerConnect 3448 switch (we'll call it switch 105). Switch 105 connects to our backbone Powerconnect 5324 (Switch 1). All other switches in our stack are connected to Switch 1.
 
The destination system (B) is also a mitel pbx. It too is plugged in to switch 105.
 
The only slightly strange setup with this is that the phone system is on a seperate vlan from the rest of our production network. The router port though can communicate with both the phone and production vlans.
 
I plug in a network analyzer anywhere (without mirroring ports or anything) and I can see the traffic sent from A to B. I do not see any of the return traffic. Looking at the packets verifies that the destination mac and ip addresses are not broadcast addresses. So, why is the traffic being sent out to all ports?
 
 

DELL-Cuong N.

1K Posts

May 4th, 2006 19:00

It's hard to tell without seeing the configuration of everything and seeing exactly how everything is setup.  But here is a guess.  MACs are learned per VLAN per port so if you somehow have VLAN overlapping configured then it is possible that the MAC is learned on one VLAN on receive but the return packet is sent on a different VLAN and so all return packets end up being considered to be unknown unicast and are flooded to all ports.  The switch is never given the opportunity to learn the MAC on the correct VLAN/port.
 
 
Cuong.

CliffF

40 Posts

May 5th, 2006 14:00


Here is my vlan config for the router port...
 
Port : e1
Port Mode: General
Gvrp Status: disabled
Ingress Filtering: true
Acceptable Frame Type: admitAll
Ingress UnTagged VLAN ( NATIVE ): 10
 
Port is member in:
 
Vlan               Name               Egress rule Port Membership Type
---- -------------------------------- ----------- --------------------
 4                Phones               Untagged          Static       
 7           PhoneProdShared           Untagged          Static       
 10             Production             Untagged          Static       

Forbidden VLANS:
Vlan               Name              
---- --------------------------------
Here is the config for the connection to the phone system switch...
 
Port : e8
Port Mode: General
Gvrp Status: disabled
Ingress Filtering: true
Acceptable Frame Type: admitAll
Ingress UnTagged VLAN ( NATIVE ): 4
 
Port is member in:
 
Vlan               Name               Egress rule Port Membership Type
---- -------------------------------- ----------- --------------------
 4                Phones               Untagged          Static       
 7           PhoneProdShared           Untagged          Static       
 10             Production             Untagged          Static       

Forbidden VLANS:
Vlan               Name              
---- --------------------------------
It is the traffic from port 1 to port 8 that is being broadcast.
 

CliffF

40 Posts

May 5th, 2006 15:00

I, unfortunately, do need to keep the vlans the way they are. Can I enter a static address for a workaround?

DELL-Cuong N.

1K Posts

May 5th, 2006 15:00

Yes all untagged traffic from port 1 to port 8 are being flooded when communicating between each others.  I'm assuming that packets entering port 1 and 8 are coming in as untagged from the hosts connected to those ports.  Here is the way you should look at it:

  • So let's say a host A (MAC A) is connected to port 1 and is trying to communicate with a host B (MAC B) on port 8.
  • A packet first enters the switch from host A to port 1 and the packet is sent untagged.  This packet will be automatically be tagged as 10 because of the PVID setting on port 1.  This MAC A is learned on port 1 VLAN 10.  The destination of this packet is for MAC B.
  • So the switch looks to see if there is a MAC B learned on VLAN 10 on the switch.  Since there is no MAC B on any port on VLAN 10 the switch will flood this packet to all ports member of VLAN 10 on the switch (except for the incoming port 1 of course).  So this packet is sent to all ports that are member of VLAN 10 including port 8.
  • The packet arrives at host B which is on port 8.  This host returns a response to host A.  This return packet comes into port 8 to be sent to host A.  Since host B is sending the packet untagged, it is automatically tagged as VLAN 4 because that's the PVID on port 8.
  • The MAC B is learned on port 8 VLAN 4.  The destination of the packet is MAC A.
  • Since the packet is currently on VLAN 4, the switch looks to see if there is a MAC A that's learned on any port that's also a member of VLAN 4.  Remember that MAC A was learned on port 1 but on VLAN 10 only.  So there is no MAC A learned on VLAN 4 on any port.  The switch will then flood the packet to all ports which are member of VLAN 4.
  • So the return packet is sent to all ports member of VLAN 4 which happens to include port 1 and the packet is returned properly to host A.

As you can see the MAC A is learned on VLAN 10 port 1.  The MAC B is learned on VLAN 4 port 8.  Because of the way layer 2 switches work, the way you setup your switch, the MAC is never learned on the same VLAN so the packets are always flooded.

If the two hosts were to tag the packets so they end up on the same VLAN then it would work.  If the PVID on the two ports were the same so that untagged packets are on the same VLAN then it would also work.  However, it maybe that in your special configuration you need these hosts to be on different VLANs but still need to communicate.  In that case you may need to use a layer 3 switch which can route between VLANs if you want to avoid this flooding problem.  If you can't use a layer 3 switch and you need to isolate these hosts but still need to communicate then using VLAN overlapping the way you have it is the only way but then you pay the price with the flooding problem.

Please review the link I provided earlier for more detail on this.

Cuong.

Message Edited by DELL-Cuong N. on 05-05-200611:04 AM

DELL-Cuong N.

1K Posts

May 5th, 2006 18:00

I think that would work.  If you know exactly where the MAC is and what VLAN it should be, you could enter the static MAC on the correct VLAN and port and make it a permanent for the port/VLAN and that will allow the switch to "find" the MAC on the correct VLAN and send the traffic there instead of flooding.  Let me know if it works out for you.

Cuong.

CliffF

40 Posts

June 21st, 2006 17:00

Do I maybe need to assign the mac to the vlan that the router port sends traffic out as (vlan 10)?

CliffF

40 Posts

June 21st, 2006 17:00

Finally got around to doing this....

Here is the command I entered

interface vlan 4
bridge address 08:00:0f:16:e8:ab ethernet e8

e8 is the port the phone switch is connected to, and the mac address is the phone system itself.

I'm still getting the broadcasts though. Did I enter it wrong?

Was this post helpful?

View All

0 events found

No Events found!

Top