
General Network Challenges (Unicast Flooding) [CCNP]

Unicast flooding

Unicast flooding is the unintended behaviour of a switch treating a unicast frame as if it were a broadcast. It happens because the destination MAC address of the frame is not in the switch's Layer 2 forwarding (CAM) table. A typical case is a router that needs to deliver a packet and already has an ARP entry for the destination host, while the switch has no CAM entry for that MAC address. The result is a frame that is flooded out of every port in the VLAN so that the port holding that MAC address can be located.

Common reasons for destination MAC address not being known to the switch:

Cause 1: Asymmetric Routing.

With asymmetric routing, the transmit and receive packets follow different paths between a host and the peer it communicates with. A switch on one of those paths may never see frames sourced from the destination host (they travel the other path), so it never learns that MAC address into its CAM table and has to flood the frame in order to discover which port the MAC address is on.

Cause 2: Spanning-Tree Protocol Topology Changes.

Topology change notifications (TCNs) are triggered by a port transitioning to or from the forwarding state, and the effect of a TCN is to age out the CAM table so that the active MAC addresses are relearned. When the link state changes on a port that participates in (rapid) spanning tree, the address cache on that switch is flushed, and every subsequent frame for an address that has not yet been relearned is flooded out of all ports until the switch learns the addresses again.

Cause 3: Forwarding Table Overflow.

Another possible cause of flooding is an overflow of the switch forwarding table. In this case new addresses cannot be learned, and frames destined to such addresses are flooded until some space becomes available in the forwarding table and the addresses are learned. A switch that has no room left in its address cache floods the frame out of all ports. This is rare in general, but a common problem on networks with many hosts. Less common is the artificial filling of the address table, which is termed MAC flooding.

Another common cause is a host whose ARP cache timer is longer than the address-table aging time on the switch: the host keeps sending unicast frames to a MAC address that the switch has already aged out, so the switch no longer knows which port connects to that host and floods.
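Before touching the switch it helps to confirm from a capture that flooding is actually happening. The following Python script is an added example, not from the original post. It runs over a constructed capture summary (timestamp, VLAN, source MAC, destination MAC) of the kind a sniffer on an access port would report, and assumes the capturing host's own MAC address is known. Unicast frames addressed neither to that MAC nor to a group address are frames the switch flooded; a burst of never-seen source MACs inside one second is the footprint of a table being pushed past its capacity (the cause 3 case, whether accidental or the MAC flooding variant).

```python
"""Spot unicast flooding in a host-side capture summary.

Added example, not part of the original post. The records are constructed
to stand in for what a sniffer on an access port would report:
(timestamp_seconds, vlan, src_mac, dst_mac). Assumption: the capturing host
knows its own MAC, so any frame with a unicast destination that is not that
MAC must have been flooded to this port by the switch.
"""
from collections import Counter, defaultdict

OWN_MAC = "00:11:22:33:44:55"            # constructed: the capturing host's NIC
BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac):
    """Multicast or broadcast: the I/G bit (low bit of the first octet) is set."""
    return int(mac.split(":")[0], 16) & 1 == 1


# Constructed capture: a few normal frames, a handful of frames for other
# hosts' unicast MACs (the symptom of flooding), then a one-second burst of
# never-seen source MACs addressed to someone else (what a CAM overflow
# looks like from a host).
CAPTURE = [
    (0.0, 10, "00:aa:00:00:00:01", OWN_MAC),              # normal, to us
    (0.1, 10, "00:aa:00:00:00:01", BROADCAST),            # ARP request, normal
    (0.2, 10, "00:aa:00:00:00:02", "01:00:5e:00:00:fb"),  # mDNS, normal
    (1.0, 10, "00:aa:00:00:00:09", "00:bb:00:00:00:07"),  # flooded: not for us
    (1.5, 10, "00:aa:00:00:00:09", "00:bb:00:00:00:07"),
    (2.0, 10, "00:aa:00:00:00:0a", "00:bb:00:00:00:07"),
    (3.0, 10, "00:aa:00:00:00:0b", "00:bb:00:00:00:08"),
] + [
    (5.0 + i * 0.01, 10, "02:00:00:00:%02x:%02x" % (i // 256, i % 256),
     "00:bb:00:00:00:07")
    for i in range(60)
]


def flooded_unicast(capture, own_mac):
    """Count, per destination MAC, the frames this port should never have seen."""
    hits = Counter()
    for _t, _vlan, _src, dst in capture:
        if dst != own_mac and not is_group_address(dst):
            hits[dst] += 1
    return hits


def new_source_bursts(capture, window_s=1.0, threshold=50):
    """Return the time windows in which at least `threshold` new source MACs appeared.

    A switch being pushed past its CAM capacity, by accident or by deliberate
    MAC flooding, is preceded by exactly this kind of burst.
    """
    seen = set()
    per_window = defaultdict(int)
    for t, _vlan, src, _dst in sorted(capture):
        if src not in seen:
            seen.add(src)
            per_window[int(t // window_s) * window_s] += 1
    return sorted(w for w, n in per_window.items() if n >= threshold)


def report(capture, own_mac=OWN_MAC):
    """Summarise both symptoms for one capture."""
    return {
        "flooded_by_dst": dict(flooded_unicast(capture, own_mac)),
        "burst_windows": new_source_bursts(capture),
    }


if __name__ == "__main__":
    for key, value in report(CAPTURE).items():
        print(key, value)
```

On the constructed capture the report attributes 63 stray frames to 00:bb:00:00:00:07 and one to 00:bb:00:00:00:08, and flags the window starting at 5.0 s as a burst of new source addresses. Seeing stray unicast for a single destination points at the ARP-timer or asymmetric-routing causes; seeing it together with a burst of new sources points at the table overflow cause.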

Remedies -

There are several remedies discussed in the links above. In many situations, though, a low-end switch needs to be replaced with a higher-end one that has a larger address table and can block unicast floods. Blocking unicast floods on a Cisco switch is easy to do, but it is not enabled by default. After ensuring that timeouts and/or security features have been configured so that table entries on client access ports are kept longer than typical host ARP cache timeouts, the command below is used to quiet down the unicast floods on those ports.

By default, unknown unicast traffic is flooded to all Layer 2 ports in a VLAN. The UUFB and UMFB features can be used to prevent or limit this traffic.

The UUFB (Unknown Unicast Flooding Blocking) and UMFB (Unknown Multicast Flooding Blocking) features block the flooding of unknown unicast and multicast traffic at a specific port, only permitting egress traffic with MAC addresses that are known to exist on that port. UUFB and UMFB are supported on all ports that are configured with the switchport command, including private VLAN (PVLAN) ports.

Router(config-if)# switchport                              --> Configures the port for Layer 2 switching.
Router(config-if)# switchport block {unicast | multicast}  --> Enables unknown unicast or multicast flood blocking on the port.
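To see the causes above and the effect of switchport block unicast in one place, here is a toy switch model in Python. It is an added example, not code from the original post or from Cisco. It assumes a 300 s CAM aging timer (the usual Cisco default) and a deliberately small, fixed table size so that the overflow case can be shown, and it models UUFB as a per-port flag that suppresses unknown-unicast egress on that port while still passing broadcast and multicast frames.

```python
"""Toy Layer 2 switch reproducing the flooding causes above and the effect
of 'switchport block unicast'.

Added example, not from the original post or from Cisco. It models only
what the text describes: a CAM table with an aging timer (300 s assumed,
the usual Cisco default), a fixed capacity, a flush on topology change,
and a per-port flag that blocks unknown-unicast egress the way UUFB does.
"""
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac):
    """Multicast or broadcast: the I/G bit (low bit of the first octet) is set."""
    return int(mac.split(":")[0], 16) & 1 == 1


class Switch:
    def __init__(self, ports, cam_size=8, aging_s=300):
        self.ports = list(ports)
        self.cam = OrderedDict()        # mac -> (port, last_seen_s)
        self.cam_size = cam_size
        self.aging_s = aging_s
        self.block_unicast = set()      # ports with 'switchport block unicast'

    def _age_out(self, now):
        stale = [m for m, (_p, seen) in self.cam.items() if now - seen > self.aging_s]
        for mac in stale:
            del self.cam[mac]

    def _learn(self, mac, port, now):
        if mac in self.cam or len(self.cam) < self.cam_size:
            self.cam[mac] = (port, now)
        # else: table full, the address stays unknown (Cause 3)

    def forward(self, in_port, src, dst, now):
        """Return the egress ports for one frame, after aging and learning."""
        self._age_out(now)
        self._learn(src, in_port, now)
        if dst in self.cam:
            port = self.cam[dst][0]
            return [] if port == in_port else [port]
        # Unknown destination: flood the VLAN. A blocked port still receives
        # broadcast/multicast; it only stops receiving unknown unicast.
        return [p for p in self.ports
                if p != in_port and (is_group_address(dst) or p not in self.block_unicast)]

    def topology_change(self):
        """Cause 2: a TCN flushes the table, so every address must be relearned."""
        self.cam.clear()


# Constructed host MAC addresses used by the scenarios below.
A, B, C = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"


def scenario_arp_outlives_cam():
    """Host A's ARP entry for B lasts longer than the switch's 300 s aging."""
    sw = Switch(ports=[1, 2, 3])
    first = sw.forward(1, A, B, now=0)     # B unknown: flooded to [2, 3]
    sw.forward(2, B, A, now=1)             # B answers and is learned on port 2
    second = sw.forward(1, A, B, now=2)    # known: forwarded to [2] only
    third = sw.forward(1, A, B, now=400)   # B silent for 399 s: aged out, flooded again
    return first, second, third


def scenario_table_overflow():
    """Two-entry table: the third host cannot be learned, so frames to it flood."""
    sw = Switch(ports=[1, 2, 3], cam_size=2)
    sw.forward(1, A, BROADCAST, now=0)
    sw.forward(2, B, BROADCAST, now=0)     # table now full
    sw.forward(3, C, BROADCAST, now=0)     # C is not learned
    return C in sw.cam, sw.forward(1, A, C, now=1)


def scenario_topology_change():
    """A TCN flush turns an already-known destination back into a flood."""
    sw = Switch(ports=[1, 2, 3])
    sw.forward(1, A, B, now=0)
    sw.forward(2, B, A, now=1)
    sw.topology_change()
    return sw.forward(1, A, B, now=2)


def scenario_block_unicast():
    """'switchport block unicast' on port 3: unknown unicast skips it, broadcast does not."""
    sw = Switch(ports=[1, 2, 3])
    sw.block_unicast.add(3)
    unknown = sw.forward(1, A, "00:00:00:00:00:99", now=0)
    bcast = sw.forward(1, A, BROADCAST, now=0)
    return unknown, bcast


if __name__ == "__main__":
    print("ARP outlives CAM:", scenario_arp_outlives_cam())
    print("table overflow:  ", scenario_table_overflow())
    print("topology change: ", scenario_topology_change())
    print("block unicast:   ", scenario_block_unicast())
```

The first scenario is the ARP-timer mismatch from the causes section: the third frame floods again purely because B stayed quiet longer than the aging timer, even though A's ARP cache is still valid. The last scenario shows why the command is applied per port: the blocked port 3 stops receiving unknown unicast but still sees the broadcast, which is why the page's note about UMFB and ARP does not apply to the unicast variant.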

Note: Enter the switchport block multicast command only on ports where all unknown multicast flooded traffic needs to be completely blocked. UMFB disrupts protocols that make use of the local-subnetwork multicast control groups in the 224.0.0.0/24 range, for example:

• ARP
• IPv6 neighbor discovery (IPv6 ND)
• Network Time Protocol (NTP)

Do not enter this command on nonreceiver (router) ports or host ports that rely on dynamic ARP. Use IGMP snooping or other rate-limiting options to restrict, rather than completely block, unknown multicast flooded traffic.

Other techniques isolate hosts at Layer 2, which blocks intra-LAN communication that is not destined for the router. A handy tool (available even on lower-end switches) is:

Switch(config-if)# switchport protected

A more robust, cross-switch alternative to switchport protected is the use of Private VLANs.
