
I noticed (based on activity lights) that VLAN traffic between two switch ports is being sent to many switch ports. Here's my scenario:

Port 1 is a "mode access" switchport for VLAN 100 (untagged 100).

Port 2 is a "mode access" switchport for VLAN 101 (untagged 101).

Port 5 is a trunk for VLAN 100 and VLAN 101 (tagged 100, tagged 101).

I have the host on Port 1 talking to the host on Port 2. When they are talking to each other (unicast), I see ports 1, 2, and 5 light up, indicating that it's also sending the unicast traffic to port 5. I also confirmed this with Wireshark by seeing the unicast traffic between port 1 and 2 while sniffing packets on port 5. Why is it sending traffic to port 5 when the switch is fully capable of figuring out that the hosts are on Port 1 and Port 2?

My understanding in the past with switches is that it builds a CAM table of MAC addresses it sees on ports. Its CAM table should tell the switch that the source and destination hosts are on Ports 1 and 2. There's no reason it should also go to 5 since there is no host there.

This isn't a production switch (yet). So I only have three hosts on my network. Here is my config:

interface vlan 100
 ip address dhcp
!
interface vlan 101
!
interface ge1
 switchport mode access
 switchport access vlan 100
!
interface ge2
 switchport mode access
 switchport access vlan 101
!
interface ge5
 switchport trunk allowed vlan add 100,101
!
Bob Smith
  • 11
  • 1
  • How are the two hosts talking? They are separated on two VLANs. Is some sort of router/firewall on port 5 that enables the communication between the two hosts? – Daniel Nachtrub Mar 27 '16 at 18:04
  • Port 5 has a dhcp server and is a router for vlan 100, vlan 101, and the wan. – Bob Smith Mar 27 '16 at 18:38
  • That is just correct. Port 1 and port 2 cannot communicate via unicast - the ports are in different VLANs. You can see this easily: unplug port 5 and the hosts won't be able to see each other anymore. – Daniel Nachtrub Mar 27 '16 at 19:24

2 Answers

7

I noticed (based on activity lights) that VLAN traffic between two switch ports are being sent to many switch ports.

Seriously? That's not how to determine traffic flows. The activity lights could be active for any number of reasons.

Because Host 1 and Host 2 are in different VLANs, they must be in different Layer 3 subnets as well. The only way they can communicate with each other is via a router, which in your case is connected to port 5. How do you expect the traffic between Host 1 and Host 2 to flow except through the router connected to port 5?

This is all perfectly normal.

To add some additional information:

A switch learns MAC addresses based on the source of the traffic. Until it builds the CAM table it floods the traffic on a per-VLAN basis to all other ports in the same VLAN. When you have a trunk port the switch will also flood the traffic to the trunk port, because the trunk port carries VLAN traffic and needs to forward (switch) the flooded traffic so that any ports in the same VLAN on a connected switch will also receive the traffic.

joeqwerty
  • 108,377
  • 6
  • 80
  • 171
  • To add to joeqwerty's post, there will always be some background traffic that the network uses to identify its topology going out. If you are really worried about "leaking" VLANs you should be using something like Snort to check... but I think your network is fine. – TheFiddlerWins Mar 28 '16 at 15:28
3

VLANs, by default, can only talk to themselves internally.

Let's change your setup a bit--- let's disable ge5 and turn on ge3, and make ge3 part of VLAN 101. From a computer directly connected to ge2, you can communicate with another computer on ge3... but you can't communicate with anything on ge1, because it is on another VLAN.

Let's turn back on ge5--- suddenly your machine on ge2 can communicate with everything beyond ge1 again.

So, it's apparent that ge5 plays an important part in your inter-VLAN communications, and that is why you see unicast traffic between VLANs passing through ge5 first. The explanation lies in how layer 2 switches (which I am assuming you have, given your output) fundamentally work. Switches only forward based on hardware address within their own network; VLANs are actually networks of their own, with each VLAN residing on a different subnet. You can almost think of VLANs as logically dividing switches instead of physically dividing them, so ge1 becomes Logical Switch A and ge2 becomes Logical Switch B, but they are on different networks and because of that they can't communicate.

This is why you use a Trunk port that is connected to a router. All the VLAN traffic goes through that Trunk port and sends it to a router, and that router sends it back to the correct VLAN.

So, here is my summary: Congratulations, you have a great working setup.

vadre1121
  • 31
  • 3
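Both answers above make the same two points: a layer 2 switch learns and forwards per VLAN, and the only path from VLAN 100 to VLAN 101 is out the trunk to the router and back. The following is an added illustration (not the switch's firmware, nor code from either answer) that models exactly that forwarding logic in Python and replays the question's topology: ge1 access 100, ge2 access 101, ge5 trunk 100,101. It goes slightly beyond the question by also showing unknown-unicast flooding onto the trunk (joeqwerty's last paragraph) and a trunk dropping a VLAN it is not allowed to carry. The MAC addresses, the assumption that the router answers from one MAC on both VLANs, and the frame sequence are constructed for the example.

```python
"""Model of a VLAN-aware learning switch (added example, not vendor code).

Assumptions (not from the original post): MAC addresses below are made up,
the router on ge5 uses the same MAC on its VLAN 100 and VLAN 101
sub-interfaces, and frames are represented as (ingress port, src, dst, tag).
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Port:
    name: str
    access_vlan: Optional[int] = None                      # "switchport mode access"
    trunk_vlans: FrozenSet[int] = field(default_factory=frozenset)  # trunk allowed list

    def carries(self, vlan: int) -> bool:
        """True if this port is a member of the VLAN (access or trunk)."""
        return vlan == self.access_vlan or vlan in self.trunk_vlans


class Switch:
    def __init__(self, ports: List[Port]) -> None:
        self.ports: Dict[str, Port] = {p.name: p for p in ports}
        # The CAM table is keyed per VLAN: the same MAC seen in two VLANs is
        # two separate entries, which is why VLAN 100 never "knows" Host 2.
        self.cam: Dict[Tuple[int, str], str] = {}

    def classify(self, in_port: str, tag: Optional[int]) -> Optional[int]:
        """Assign an ingress frame to a VLAN, or None if it must be dropped."""
        p = self.ports[in_port]
        if p.access_vlan is not None:
            return p.access_vlan          # untagged on an access port
        if tag is not None and tag in p.trunk_vlans:
            return tag                    # tagged and allowed on the trunk
        return None                       # tag missing or not in the allowed list

    def forward(self, in_port: str, src: str, dst: str,
                tag: Optional[int] = None) -> List[str]:
        """Return the egress ports for one frame, learning the source MAC."""
        vlan = self.classify(in_port, tag)
        if vlan is None:
            return []
        self.cam[(vlan, src)] = in_port   # learn from the source address
        known = self.cam.get((vlan, dst))
        if known == in_port:
            return []                     # destination is behind the ingress port
        if known is not None:
            return [known]                # known unicast: exactly one port
        # Unknown unicast or broadcast: flood to every other member of the
        # VLAN. A trunk that carries the VLAN is a member, so ge5 gets a copy.
        return sorted(n for n, p in self.ports.items()
                      if n != in_port and p.carries(vlan))


def question_scenario() -> Dict[str, List[str]]:
    """Replay the question's Host 1 -> Host 2 conversation and record egress ports."""
    sw = Switch([
        Port("ge1", access_vlan=100),
        Port("ge2", access_vlan=101),
        Port("ge5", trunk_vlans=frozenset({100, 101})),
    ])
    h1, h2 = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02"   # constructed MACs
    rtr = "cc:cc:cc:00:00:05"                           # router on ge5 (assumed MAC)
    log: Dict[str, List[str]] = {}
    # Host 1 ARPs for its gateway: flooded within VLAN 100, i.e. to ge5 only.
    log["h1_arp_for_gateway"] = sw.forward("ge1", h1, BROADCAST)
    # Router replies tagged 100; the switch learns the router on ge5 in VLAN 100.
    log["rtr_arp_reply"] = sw.forward("ge5", rtr, h1, tag=100)
    # Host 1's packet for Host 2 is framed to the gateway MAC: known, goes to ge5.
    log["h1_to_h2_via_router"] = sw.forward("ge1", h1, rtr)
    # Router re-sends it tagged 101; Host 2 not yet learned, flooded in VLAN 101.
    log["rtr_to_h2_first"] = sw.forward("ge5", rtr, h2, tag=101)
    # Host 2's reply teaches the switch (101, h2) -> ge2 and goes to ge5.
    log["h2_reply_to_router"] = sw.forward("ge2", h2, rtr)
    # From now on router -> Host 2 frames are delivered to ge2 alone.
    log["rtr_to_h2_later"] = sw.forward("ge5", rtr, h2, tag=101)
    # If Host 1 framed directly to Host 2's MAC, VLAN 100 has no such entry:
    # the frame is flooded inside VLAN 100 (ge5) and can never reach ge2.
    log["h1_direct_to_h2_mac"] = sw.forward("ge1", h1, h2)
    # A frame tagged with a VLAN the trunk does not allow is dropped at ingress.
    log["trunk_disallowed_vlan"] = sw.forward("ge5", rtr, h1, tag=200)
    return log


if __name__ == "__main__":
    for step, egress in question_scenario().items():
        print(f"{step:24s} -> {egress}")
```

The key lines to compare with the question are `h1_to_h2_via_router` and `rtr_to_h2_later`: once the CAM table is populated, every Host 1 to Host 2 frame still crosses ge5 twice (once tagged 100 towards the router, once tagged 101 back), which is exactly what a capture on port 5 shows. The `h1_direct_to_h2_mac` step is the answer to the original question's "the switch is fully capable of figuring out that the hosts are on Port 1 and Port 2": it is not, because it learns per VLAN.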