|
Posted by Albert Manfredi on March 29, 2006, 5:01 pm
If you were Registered and logged in, you could reply and use other advanced thread options
> Hello there, I was refered here by a helpful soul who claims that
> members of this group may have a deeper understanding of network
> issues
> that could help me figure out this problem. I'm reposting the
> pertinent details below:
> ================================================
>
> I'm a bit of a newb to the world of networking, so please bear with
> me.
>
> I work in an environment with many separate vlans spanning several
> switches (say about a dozen). Today we had an incident where suddenly
> traffic was going ballistic on most ports in the network. Doing a
> tcpdump on a particular host on this network, you could actually see
> unicast traffic that was neither destined to or coming from the host.
> Or, to put it another way, it almost looked like the host was on a
> hub,
> where you could see packets travelling between other hosts on the
> network to other destinations.
>
> We shut off some ports where some new windows servers were brought up
> today. As soon as those ports were taken offline, then tcpdumps on
> the
> other hosts went to normal (i.e. the only traffic you could see were
> broadcasts, or unicasts to and from that host).
>
> Can anyone think of a likely explanation for this?
>
> Please let me know if I'm not making sense!
>
> Thanks in advance,
>
> =====================================================
>
> An additional wrinkle I've noticed while studying the tcpdump:
>
> All the traffic I'm seeing that is not supposed to be there (i.e. http
> traffic from various other switches/hosts on the vlan) tends to be
> packets from the same vlan (vlan 82) destined to other hosts outside
> this vlan. In other words, the packets have src ips originating from
> within the vlan and dst ips are all external, and the src ips are from
> hosts that are not confined to a particular switch (at a brief glance,
> I'm seeing src packets coming from switch08, switch05, switch06, as
> well as other hosts on switch01 - where the tcpdump was taken).
>
> If it was simply a bad switch with a bad port that had lost it's mac
> tables and was now broadcasting everywhere in the vlan, I would expect
> to see packets in the tcpdump with all the src ips from a single
> switch, and dst ips both internal and external to the vlan.
>
> That doesn't seem to be the case here.
Traffic from the VLAN destined for hosts outside the VLAN is traffic
that has to go to a router. Can you see whether the MAC DA on these
frames is the MAC address of the default router? If it is, then the
question would be why traffic destined to a particular host, the router,
is showing up at other ports. As if that router MAC address is not being
learned, so all frames to the router are being flooded to all active
ports in the catenet.
Is there anything odd about the network? Are these all one-way UDP
datagrams, for example?
Bert
| 
Yahoo! 
Google 
Windows Live 
del.icio.us 
digg 
Netscape 
XML site map