Switch Traffic Question
jbrad95706
Member Posts: 225
in CCNA & CCENT
I have a switch (6509) set up with vlans. (Just got it at work!)
I'm on a vlan, and seeing traffic for the entire vlan that I am on...
Should I be seeing all of this traffic, or just the broadcasts for this vlan? My understanding was that I would see my traffic and the broadcasts for the vlan that I'm on.
If I should not be seeing all of this traffic - what could I be missing?
Thank you!
Comments
-
networker050184 Mod Posts: 11,962 Mod
What do you mean "on a vlan"?
An expert is a man who has made all the mistakes which can be made.
-
jbrad95706 Member Posts: 225
networker050184 wrote: » What do you mean "on a vlan"?
By "on a" I mean "part of a/member of a".
I'm a member of vlan 10, and seeing traffic for every host on vlan 10. My understanding was that I would see my traffic and the broadcasts for the vlan that I'm on.
I guess the question is, am I wrong or configured wrong. (Or both... haha)
Thanks again
-
notgoing2fail Member Posts: 1,138
Well you should definitely see broadcasts...
When you say you are seeing any traffic, are you using some kind of sniffer? What other traffic are you seeing?
-
networker050184 Mod Posts: 11,962 Mod
If you are on an access port in that VLAN you shouldn't see all of the traffic. Are you on a SPAN port? What are you using Wireshark to see this?
-
jbrad95706 Member Posts: 225
Yea, I'm using Wireshark and I'm on an "access port." (switchport mode access - I assume that designates me as an access port.)
I'm not sure if it's a span port. (Reading up on that now...)
As for what type of traffic - I'm not sure; it's just a lot of traffic that's not for me. (Internal host-to-host and some web traffic.)
Hope that's enough info / clear enough.
Thanks again!
-
jbrad95706 Member Posts: 225
After doing some reading - I'm pretty sure I'm not on a SPAN port. This is the port that I use on a daily basis.
-
wastedtime Member Posts: 586 ■■■■□□□□□□
Can you give us an example of the traffic? Are you sure it isn't broadcast traffic?
-
burbankmarc Member Posts: 460
Is this the only switch in your network? I've seen this when there's a bridging loop.
-
jbrad95706 Member Posts: 225
wastedtime wrote: » Can you give us an example of the traffic? Are you sure it isn't broadcast traffic?
I'm watching one of the end user's web traffic (HTTP) scroll by right now. Source being his workstation and the destination being a work-related website.
-
jbrad95706 Member Posts: 225
burbankmarc wrote: » Is this the only switch in your network? I've seen this when there's a bridging loop.
There are many switches... some of them are going away. The 6509 was brought in to replace some of the smaller switches.
-
jbrad95706 Member Posts: 225
I do have a small Linksys in my cube for when I need to fire up a test system or two... could this be causing this issue?
-
fly351 Member Posts: 360
jbrad95706 wrote: » I'm a member of vlan 10, and seeing traffic for every host on vlan 10. My understanding was that I would see my traffic and the broadcasts for the vlan that I'm on.
Yes, you are incorrect. You can see traffic from anyone that is on VLAN 10, including broadcasts that originate from an access port assigned to VLAN 10. You should not be able to see traffic coming from (for example) VLAN 20. Unless you have a Layer 3 device for inter-VLAN routing.
CCNP :study:
-
networker050184 Mod Posts: 11,962 Mod
fly351 wrote: » Yes, you are incorrect. You can see traffic from anyone that is on VLAN 10, including broadcasts that originate from an access port assigned to VLAN 10. You should not be able to see traffic coming from (for example) VLAN 20. Unless you have a Layer 3 device for inter-VLAN routing.
Not true. You should not be seeing users' traffic on the same VLAN. Why the OP is seeing this I have no clue, but in a correctly configured and operating network you will only see broadcast traffic and traffic destined to your host.
One thing that does come to mind is unicast flooding. The switch's CAM table would have to be full for this to happen though.
-
burbankmarc Member Posts: 460
I'm of the mind to think that it's a bridge loop. If you check the CAM tables of your switches and see duplicate MAC addresses coming from different ports then it's a pretty good indication that there's a loop in your network.
-
fly351 Member Posts: 360
networker050184 wrote: » Not true. You should not be seeing users' traffic on the same VLAN. Why the OP is seeing this I have no clue, but in a correctly configured and operating network you will only see broadcast traffic and traffic destined to your host.
One thing that does come to mind is unicast flooding. The switch's CAM table would have to be full for this to happen though.
Sorry, I should have clarified... that is where I was going with my statement.
-
Heero Member Posts: 486
It could be unicast flooding, but that would require some bad settings on your switch, or maybe even someone on the vlan doing MAC flooding to fill up the CAM table. Take a look at the CAM table, check to see if the traffic that is being flooded has a matching entry in the CAM table.
-
notgoing2fail Member Posts: 1,138
I'm curious because he's seeing another workstation's HTTP traffic.
I'm not aware of any kind of HTTP traffic that does any sort of flooding.
Honestly, we would need to see how his network is set up along with a config of his switch before we can really determine anything.
Otherwise it's all just a crapshoot what it could be....
-
outrunred Banned Posts: 30 ■■□□□□□□□□
Definitely sure it's not a SPAN port? Used for 'monitoring' users?
-
Coolhandluke Member Posts: 118
I have the same issue on a production network.
I can sit in my office and sometimes all traffic looks fine, only getting broadcasts (and some multicast traffic). Other times I can start getting data from other people's HTTP sessions (from the same VLAN). Not just a few users, quite a lot.
Only thing I managed to get from this after searching the net was that in some cases when under high load switches can sometimes begin to act like hubs and just flood the data.
These are not Cisco switches though but I would be open to any other answers that people can throw in.
(CAM tables all look fine)
STP reports network changes every few minutes (relevant?)
[CCENT]->[CCNA]->[CCNP-ROUTE]->CCNP SWITCH->[CCNP-TSHOOT]
-
notgoing2fail Member Posts: 1,138
Coolhandluke wrote: » I have the same issue on a production network.
I can sit in my office and sometimes all traffic looks fine, only getting broadcasts (and some multicast traffic). Other times I can start getting data from other people's HTTP sessions (from the same VLAN). Not just a few users, quite a lot.
Only thing I managed to get from this after searching the net was that in some cases when under high load switches can sometimes begin to act like hubs and just flood the data.
These are not Cisco switches though but I would be open to any other answers that people can throw in.
(CAM tables all look fine)
STP reports network changes every few minutes (relevant?)
The high load is a good point. I suppose we should see what the CPU usage is and what the CAM table looks like. In your case you say it looks fine so I'm not sure why you guys are able to see traffic other than broadcasts..
This is very interesting....
-
DevilWAH Member Posts: 2,997 ■■■■■■■■□□
When STP changes occur you can get a flush of the CAM tables. Until these refill the switch will flood frames. But to be honest you should only see one packet from each host (maybe 2 or 3) as once one frame has passed across the network back and forth the switch should stop flooding that MAC address.
Are you getting full conversations or just random packets?
Oh and check the incoming router's CPU and CAM tables. Remember this has to run ARPs for all the clients; if it is getting hammered you may get strange stuff happening too.
- If you can't explain it simply, you don't understand it well enough. Albert Einstein
- An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that it's going to launch you into something great. So just focus and keep aiming.
Linkin Profile - Blog: http://Devilwah.com
-
jbrad95706 Member Posts: 225
DevilWAH wrote: » When STP changes occur you can get a flush of the CAM tables. Until these refill the switch will flood frames. But to be honest you should only see one packet from each host (maybe 2 or 3) as once one frame has passed across the network back and forth the switch should stop flooding that MAC address.
Are you getting full conversations or just random packets?
Oh and check the incoming router's CPU and CAM tables. Remember this has to run ARPs for all the clients; if it is getting hammered you may get strange stuff happening too.
This part got me thinking... (Keep in mind I'm a Cisco Rookie...)
This is a new switch that users are being cut over to regularly. I'm assuming there is a very good chance that this is the cause?!?
I'm thinking I should have made this part clearer from the start...
That said, I'm still seeing more than 1 or 2 packets from the hosts... Thanks for all of the help - I'm still poking around for more info. (When I can...)
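
Added example, not part of any post in this thread: a Python sketch of the two checks suggested above, namely whether the unicast frames seen on the access port have a matching CAM entry, and whether any MAC appears on different ports between two CAM snapshots. The simplified `vlan mac type port` table format, the MAC addresses and the port names are constructed sample data, not output from the 6509 discussed here.

```python
import re

BROADCAST = "ffffffffffff"

def norm(mac):
    """Reduce aa:bb:cc:dd:ee:ff or aabb.ccdd.eeff to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def parse_cam(text):
    """Parse simplified 'vlan mac type port' lines into {(vlan, mac): {ports}}."""
    table = {}
    for line in text.strip().splitlines():
        vlan, mac, _kind, port = line.split()
        table.setdefault((int(vlan), norm(mac)), set()).add(port)
    return table

def classify(dst, my_mac, vlan, cam):
    """Explain why a frame with this destination reached my access port."""
    dst = norm(dst)
    if dst == norm(my_mac):
        return "mine"
    if dst == BROADCAST:
        return "broadcast"
    if int(dst[:2], 16) & 1:              # group bit set: multicast
        return "multicast"
    if (vlan, dst) not in cam:
        return "flooded-unknown-unicast"  # no CAM entry, so the switch floods the VLAN
    return "unexpected-known-unicast"     # entry exists; this switch's flooding does not explain it

def summarize(dsts, my_mac, vlan, cam):
    """Count captured destination MACs per classification."""
    counts = {}
    for dst in dsts:
        label = classify(dst, my_mac, vlan, cam)
        counts[label] = counts.get(label, 0) + 1
    return counts

def moved_macs(snap_a, snap_b):
    """MACs learned on different ports in two snapshots (loop, or a moved host)."""
    return sorted(k for k in snap_a.keys() & snap_b.keys() if snap_a[k] != snap_b[k])

# Constructed sample data (assumptions, not taken from the thread).
CAM_T0 = "10 0011.2233.4455 dynamic Gi1/1\n10 0011.2233.6677 dynamic Gi1/2\n10 0011.2233.8899 dynamic Gi1/3"
CAM_T1 = "10 0011.2233.4455 dynamic Gi1/1\n10 0011.2233.6677 dynamic Gi2/7"
MY_MAC = "00:11:22:33:44:55"
CAPTURED_DSTS = ["ff:ff:ff:ff:ff:ff", "01:00:5e:00:00:fb", "00:11:22:33:44:55",
                 "00:11:22:33:88:99", "00:11:22:33:aa:bb"]

if __name__ == "__main__":
    print(summarize(CAPTURED_DSTS, MY_MAC, 10, parse_cam(CAM_T0)))
    print(moved_macs(parse_cam(CAM_T0), parse_cam(CAM_T1)))
```

The CAM snapshot has to be taken while the capture is running, because dynamic entries age out and a later table will not reflect what the switch knew when it forwarded the frames.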