
In the network we have a few vlans but at the moment I was investigating vlan2 which carries the most traffic. When tcpdumping on the eth0.2 interface, I see a lot of packets arriving which are not addressed to, nor coming from the server. I checked this on several servers in the network and they all have the same issues.

In short, our switches don't switch the traffic but treat it like they are a hub. Can you tell me what settings on the dell poweredge 6248 should prevent this behaviour?

UPDATE:

I added some traffic I captured from the host. The IP address of the host is 192.168.3.232.

192.168.3.248.80 > 192.168.62.102.26590:
192.168.3.232.35311 > 192.168.41.246.11211:
192.168.3.232.13412 > 192.168.19.200.3306:
192.168.3.232.35311 > 192.168.41.246.11211:
192.168.3.232.35311 > 192.168.41.246.11211:
192.168.3.234.12958 > 192.168.42.27.11211:
192.168.14.32.34077 > 192.168.19.200.3306:
192.168.3.232.36489 > 192.168.41.246.11211:
192.168.14.32.34077 > 192.168.19.200.3306:
192.168.14.9.42221 > 192.168.14.1.9312:
192.168.14.9.42221 > 192.168.14.1.9312:
192.168.14.9.42221 > 192.168.14.1.9312:
192.168.3.247.48542 > 192.168.41.37.11211:
192.168.3.235.9739 > 192.168.19.200.3306:
192.168.41.246.11211 > 192.168.3.232.36489:
192.168.3.232.36489 > 192.168.41.246.11211:
192.168.3.234.59715 > 192.168.41.199.11211:
192.168.14.32.34077 > 192.168.19.200.3306:
192.168.3.235.18919 > 192.168.42.12.11211:
192.168.25.122.7000 > 225.0.10.105.7000:
192.168.3.232.36489 > 192.168.41.246.11211:
192.168.3.236.43098 > 192.168.42.9.11211:
192.168.14.32.34077 > 192.168.19.200.3306:
192.168.3.236.43098 > 192.168.42.9.11211:
192.168.3.236.43098 > 192.168.42.9.11211:
192.168.11.84.4730 > 192.168.10.19.44335:
192.168.3.236.28328 > 192.168.42.11.11211:

Hannes
  • Are you sure that you're not just seeing broadcast/multicast traffic? It's quite normal, and NOT something you'd want to filter inside a subnet.. – pauska Dec 04 '12 at 15:45
  • Thanks for the remark. The problem is less bad than first thought but I still see traffic between 2 unicast addresses of which none is the host on which I see the traffic. So I presume there is still a problem on my switch. – Hannes Dec 04 '12 at 15:55
  • Could you give a log of this traffic? Hide/obfuscate any private data. – Mircea Vutcovici Dec 04 '12 at 16:13

2 Answers


This sounds like a nasty bug I encountered on a pair of 5548s, which made the switches unable to learn new MAC addresses after 49.7 days. The symptom is that unicasts are sent out on all ports.

Devices stop to learn MAC addresses after 49.7 days

After 49.7 days of operation, the device stops re-learning MAC addresses. These MACs which were previously learned will not appear in MAC address table. As a result traffic streams sent to previously learned MAC addresses are treated as unknown-unicast traffic and flooded within the VLAN.

MAC address learning mechanism was fixed so that both learning new addresses and re-learning existing addresses are updating the MAC Address database.

Reference: http://de.community.dell.com/techcenter/networking/w/wiki/308.firmware-55xx-firmware-v4-0-1-xx-features-und-fixes-englisch.aspx

longneck
3molo
  • Sounds like a nasty one indeed. I will try to reboot the switch and see if this solves the problem, if so, I will upgrade the firmware. – Hannes Dec 05 '12 at 22:04
  • I rebooted the switch and the crosstalk disappeared, I presume this was the error. Thanks! – Hannes Dec 07 '12 at 09:31
  • I would try to verify exactly what problem it is and in which firmware version for your switches, as the referenced firmware fix is for 5548. – 3molo Dec 07 '12 at 20:09
  • I am planning to do a firmware upgrade on the switches and will monitor the behaviour afterwards. I will check if the problems disappear. – Hannes Dec 17 '12 at 09:56

The switches will filter only the frames for which the destination is in the MAC address table. This means that the traffic to unknown destinations, broadcast or multicast traffic will be sent to all interfaces except the source interface.

Now the question is: What is the real problem? As you should expect some broadcast traffic all the time (CDP, LLDP, BPDU...)

Mircea Vutcovici
  • As said in my comment, on one switch I see unicast traffic arriving between 2 'strangers' on my servers. (strangers of which 1 is connected to the same switch as my server but none of them is my server) – Hannes Dec 04 '12 at 16:03
  • I can see the following causes: the MAC address table is expiring too quickly; the MAC address table is too small (you have more hosts on the network than entries in the switch); a bug in the switch (upgrade firmware); are you connected to a SPAN/tap port? – Mircea Vutcovici Dec 04 '12 at 16:13
  • Are the MAC addresses for the "strangers" in the MAC address/CAM table of the switch? – joeqwerty Dec 04 '12 at 16:16
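To separate flooded unknown-unicast from the broadcast/multicast that is expected on every port, a capture like the one in the question can be filtered for unicast flows in which neither endpoint is the capturing host. This is an added example, not part of the original posts; the function name `foreign_unicast` and the `directed_broadcasts` parameter are assumptions, and the sample lines are copied from the capture above.

```python
import ipaddress
import re
from collections import Counter

# Matches the "src_ip.src_port > dst_ip.dst_port:" part of a `tcpdump -n` line.
FLOW = re.compile(r"(\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

def foreign_unicast(lines, local_ips, directed_broadcasts=()):
    """Count unicast flows where neither endpoint is one of local_ips.

    directed_broadcasts: subnet broadcast addresses (e.g. "192.168.3.255")
    to ignore; they cannot be derived without knowing the netmask.
    """
    local = {ipaddress.ip_address(ip) for ip in local_ips}
    bcast = {ipaddress.ip_address(ip) for ip in directed_broadcasts}
    flows = Counter()
    for line in lines:
        m = FLOW.search(line)
        if not m:
            continue  # not a TCP/UDP flow line (ARP, STP, LLDP, ...)
        src = ipaddress.ip_address(m.group(1))
        dst = ipaddress.ip_address(m.group(3))
        # Multicast and broadcast are legitimately sent to every port.
        if dst.is_multicast or dst == LIMITED_BROADCAST or dst in bcast:
            continue
        # Traffic to or from this host is supposed to arrive here.
        if src in local or dst in local:
            continue
        flows[(str(src), str(dst), int(m.group(4)))] += 1
    return flows

# Lines taken from the capture in the question (host is 192.168.3.232).
SAMPLE = [
    "192.168.3.248.80 > 192.168.62.102.26590:",
    "192.168.3.232.35311 > 192.168.41.246.11211:",
    "192.168.14.32.34077 > 192.168.19.200.3306:",
    "192.168.14.32.34077 > 192.168.19.200.3306:",
    "192.168.25.122.7000 > 225.0.10.105.7000:",
    "192.168.41.246.11211 > 192.168.3.232.36489:",
]

if __name__ == "__main__":
    for (src, dst, port), n in foreign_unicast(SAMPLE, ["192.168.3.232"]).most_common():
        print(f"{n:4d}  {src} -> {dst}:{port}")
```

A steady count of such flows on an ordinary access port (not a SPAN/tap port) points at the causes listed in the comments: entries missing from or aging out of the MAC address table.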