Re: Strange results from a tcpdump, can anyone help?



"maethlin" <maethlin@xxxxxxxxx> writes:

> I work in an environment with many separate vlans spanning several
> switches (say about a dozen). Today we had an incident where suddenly
> traffic was going ballistic on most ports in the network. Doing a
> tcpdump on a particular host on this network, you could actually see
> unicast traffic that was neither destined to nor coming from the host.

Typical network flooding situation.

Note that all switches do what looks like unicast flooding, when they
never recently saw traffic for the destination MAC of the packet. This
can easily happen in a complex switch cloud, when broken L3 configuration
results in nonsymmetric, triangular traffic.

Also note that all switches revert to unicast flooding behaviour when their
MAC->Port tables become full.

> We shut off some ports where some new Windows servers were brought up
> today. As soon as those ports were taken offline, then tcpdumps on the
> other hosts went to normal (i.e. the only traffic you could see were
> broadcasts, or unicasts to and from that host).

Did any of those Windows servers have more than one Ethernet port connected?
Probably not, or you would have mentioned it... If they did, maybe your
switches thought they were switches, too.

You mentioned VLANs. How were the ports of those Windows servers
configured in this regard? Untagged, tagged, open for all VLANs?

How was IP configured on the Windows server(s)? Any possibility
that one of them took over one of the usual default gateways,
e.g. by the typical error of switching local and default gateway
IP under configuration? This could be the cause for triangular
traffic, as mentioned above.

> Can anyone think of a likely explanation for this?

Not without more information. The symptoms are pretty clear, the
reason for their development is not.

best regards
Patrick
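
The symptom discussed in this thread (unicast frames on a host's port that are neither to nor from that host) can be measured from the text output of `tcpdump -e -n`. The following is an added example, not part of the original posts; the sample lines and MAC addresses are constructed, and `summarize` is a hypothetical helper name. On an access port that is not a mirror port, a non-zero foreign unicast count means the switch is flooding, and the most frequent foreign destinations are the MACs it has no table entry for.

```python
import re
from collections import Counter

MAC = r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
# Link-level header printed by `tcpdump -e -n`: "<time> <src> > <dst>, ethertype ..."
FRAME_RE = re.compile(r"^\S+\s+" + MAC + r"\s+>\s+" + MAC + r",", re.IGNORECASE)

def is_group(mac):
    """Broadcast or multicast: the I/G bit (lowest bit of the first octet) is set."""
    return int(mac[:2], 16) & 1 == 1

def summarize(lines, host_mac):
    """Classify frames captured on host_mac's port.

    Returns (class counts, per-destination counts of foreign unicast frames).
    """
    host = host_mac.lower()
    classes, foreign_dst = Counter(), Counter()
    for line in lines:
        m = FRAME_RE.match(line.strip())
        if not m:
            classes["unparsed"] += 1
            continue
        src, dst = m.group(1).lower(), m.group(2).lower()
        if is_group(dst):
            classes["broadcast_multicast"] += 1   # expected on any port
        elif host in (src, dst):
            classes["own_unicast"] += 1           # expected on this port
        else:
            classes["foreign_unicast"] += 1       # flooded by the switch
            foreign_dst[dst] += 1
    return classes, foreign_dst

# Constructed sample (locally administered MACs), not a real capture.
HOST = "02:00:00:00:00:10"
SAMPLE = """
tcpdump: listening on eth0, link-type EN10MB (Ethernet)
12:00:00.100000 02:00:00:00:00:10 > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 74: 10.0.0.16.40000 > 10.0.1.5.80: Flags [S]
12:00:00.200000 02:00:00:00:00:01 > 02:00:00:00:00:10, ethertype IPv4 (0x0800), length 74: 10.0.1.5.80 > 10.0.0.16.40000: Flags [S.]
12:00:00.300000 02:00:00:00:00:22 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.0.1 tell 10.0.0.34
12:00:00.400000 02:00:00:00:00:22 > 02:00:00:00:00:33, ethertype IPv4 (0x0800), length 1514: 10.0.0.34.445 > 10.0.0.51.50000: Flags [.]
12:00:00.500000 02:00:00:00:00:44 > 02:00:00:00:00:33, ethertype IPv4 (0x0800), length 1514: 10.0.0.68.445 > 10.0.0.51.50001: Flags [.]
12:00:00.600000 02:00:00:00:00:22 > 02:00:00:00:00:55, ethertype IPv4 (0x0800), length 66: 10.0.0.34.22 > 10.0.0.85.50002: Flags [.]
12:00:00.700000 02:00:00:00:00:44 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 87: 10.0.0.68.5353 > 224.0.0.251.5353: UDP
""".strip().splitlines()

if __name__ == "__main__":
    classes, foreign = summarize(SAMPLE, HOST)
    print(dict(classes))
    print("most-flooded destinations:", foreign.most_common(3))
```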