I'm a bit of a newb to the world of networking, so please bear with me.

I work in an environment with many separate vlans spanning several
switches (say about a dozen). Today we had an incident where suddenly
traffic was going ballistic on most ports in the network. Doing a
tcpdump on a particular host on this network, you could actually see
unicast traffic that was neither destined to or coming from the host.
Or, to put it another way, it almost looked like the host was on a hub,
where you could see packets travelling between other hosts on the
network to other destinations.

We shut off some ports where some new windows servers were brought up
today. As soon as those ports were taken offline, then tcpdumps on the
other hosts went to normal (i.e. the only traffic you could see were
broadcasts, or unicasts to and from that host).

Can anyone think of a likely explanation for this?

Please let me know if I'm not making sense!

Thanks in advance,

-S

Switches are able to perform their traffic isolation function by
maintaining lists of which source MAC addresses were seen arriving on
which ports. They then use that information when deciding on a port
to send when it sees that MAC as a destination MAC address.

If a destination MAC address is not in the switch's list, the switch
will send that frame out all ports (in the vlan presumably).

The lists in a switch are of finite size. If there are more source
MAC addresses out there than the switch can track, something has to
give, and it is the traffic isolation.

Perhaps that is what was happening in your situation. Perhaps it was
something else.

rick jones
--
oxymoron n, Hummer H2 with California Save Our Coasts and Oceans plates
these opinions are mine, all mine; HP might not want them anyway...
feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...

Thanks very much for that analysis Rick. Informative - I'll see if
that could have led to this situation, at least it gives me a starting
point. If anyone else has any thoughts I'd love to hear them.

maethlin <maethlin@yahoo.com> wrote:
> Thanks very much for that analysis Rick.

You are most welcome - if you find you need/want to get deeper into
switches and their behaviour, comp.dcom.lans.ethernet may reach an
audience with deeper knowledge.

rick jones
--
Wisdom Teeth are impacted, people are affected by the effects of events.
these opinions are mine, all mine; HP might not want them anyway...
feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...

On 2006-03-29, maethlin <maethlin@yahoo.com> wrote:

> I work in an environment with many separate vlans spanning several
> switches (say about a dozen). Today we had an incident where suddenly
> traffic was going ballistic on most ports in the network. Doing a
> tcpdump on a particular host on this network, you could actually see
> unicast traffic that was neither destined to or coming from the host.
> Or, to put it another way, it almost looked like the host was on a hub,
> where you could see packets travelling between other hosts on the
> network to other destinations.

This sounds oddly similar to two things I've come across a few times myself:

- When you see a network switch forward unicast traffic to/from ports that it
should not be emanating from, you could be having an STP (Spanning Tree
Protocol) event where the switch is confused about where to forward traffic.
The behavior I've seen is when a switch lacks a valid forwarding table,
sometimes its' last ditch effort to forward traffic is to forward everything
everywhere, before the inevitable crash.

- Windows years ago had an odd feature that made the NIC card "speak" STP
root bridge advertisements on boot, which really mucks up stable STP
networks since you've got a server NIC advertising all traffic should be
forwarded through it!

Hope this s a little.

/dmfh

----
__| |_ __ / _| |_ ____ __
dmfh @ / _` | ' \| _| ' \ _ / _\ \ /
\__,_|_|_|_|_| |_||_| (_) \__/_\_\
----