Switch Traffic Question

jbrad95706 Member Posts: 225
I have a switch (6509) set up with vlans. (Just got it at work!)

I'm on a vlan, and seeing traffic for the entire vlan that I am on...

Should I be seeing all of this traffic, or just the broadcasts for this vlan? My understanding was that I would see my traffic and the broadcasts for the vlan that I'm on.


If I should not be seeing all of this traffic - what could I be missing?


Thank you!

Comments

  • networker050184 Mod Posts: 11,962
    What do you mean "on a vlan"?
    An expert is a man who has made all the mistakes which can be made.
  • jbrad95706 Member Posts: 225
    networker050184 wrote: »
    What do you mean "on a vlan"?

    by "on a" I mean "part of a/member of a" :)

    I'm a member of vlan 10, and seeing traffic for every host on vlan 10. My understanding was that I would see my traffic and the broadcasts for the vlan that I'm on.

    I guess the question is, am I wrong or configured wrong. (Or both... haha) :)

    Thanks again
  • notgoing2fail Member Posts: 1,138
    Well you should definitely see broadcasts...

    When you say you are seeing any traffic, are you using some kind of sniffer? What other traffic are you seeing?
  • networker050184 Mod Posts: 11,962
    If you are on an access port in that VLAN you shouldn't see all of the traffic. Are you on a SPAN port? What are you using, Wireshark, to see this?
    An expert is a man who has made all the mistakes which can be made.
  • jbrad95706 Member Posts: 225
    Yea, I'm using Wireshark and I'm on an "access port." (switchport mode access - I assume that designates me as an access port.)

    I'm not sure if it's a span port. (Reading up on that now...)

    As for what type of traffic - I'm not sure; it's just a lot of traffic that's not for me. (Internal host-to-host and some web traffic.)

    Hope that’s enough info / clear enough.


    Thanks again!
  • jbrad95706 Member Posts: 225
    After doing some reading - I'm pretty sure I'm not on a SPAN port. This is the port that I use on a daily basis.
  • wastedtime Member Posts: 586
    Can you give us an example of the traffic? Are you sure it isn't broadcast traffic?
  • burbankmarc Member Posts: 460
    Is this the only switch in your network? I've seen this when there's a bridging loop.
  • jbrad95706 Member Posts: 225
    wastedtime wrote: »
    Can you give us an example of the traffic? Are you sure it isn't broadcast traffic?

    I'm watching one of the end users' web traffic (HTTP) scroll by right now. Source being his workstation and the destination being a work related website. :)
  • jbrad95706 Member Posts: 225
    burbankmarc wrote: »
    Is this the only switch in your network? I've seen this when there's a bridging loop.

    There are many switches... some of them are going away. The 6509 was brought in to replace some of the smaller switches.
  • jbrad95706 Member Posts: 225
    I do have a small Linksys in my cube for when I need to fire up a test system or two... could this be causing this issue?
  • fly351 Member Posts: 360
    jbrad95706 wrote: »
    I'm a member of vlan 10, and seeing traffic for every host on vlan 10. My understanding was that I would see my traffic and the broadcasts for the vlan that I'm on.

    Yes, you are incorrect. You can see traffic from anyone that is on VLAN 10, including broadcasts that originate from an access port assigned to VLAN 10. You should not be able to see traffic coming from (for example) VLAN 20. Unless you have a Layer 3 device for inter-VLAN routing.
    CCNP :study:
  • networker050184 Mod Posts: 11,962
    fly351 wrote: »
    Yes, you are incorrect. You can see traffic from anyone that is on VLAN 10, including broadcasts that originate from an access port assigned to VLAN 10. You should not be able to see traffic coming from (for example) VLAN 20. Unless you have a Layer 3 device for inter-VLAN routing.

    Not true. You should not be seeing users' traffic on the same VLAN. Why the OP is seeing this I have no clue, but in a correctly configured and operating network you will only see broadcast traffic and traffic destined to your host.

    One thing that does come to mind is unicast flooding. The switch's CAM table would have to be full for this to happen though.
    An expert is a man who has made all the mistakes which can be made.
  • burbankmarc Member Posts: 460
    I'm of the mind to think that it's a bridge loop. If you check the CAM tables of your switches and see duplicate MAC addresses coming from different ports then it's a pretty good indication that there's a loop in your network.
  • fly351 Member Posts: 360
    networker050184 wrote: »
    Not true. You should not be seeing users' traffic on the same VLAN. Why the OP is seeing this I have no clue, but in a correctly configured and operating network you will only see broadcast traffic and traffic destined to your host.

    One thing that does come to mind is unicast flooding. The switch's CAM table would have to be full for this to happen though.

    Sorry, I should have clarified.. that is where I was going with my statement :)
    CCNP :study:
  • Heero Member Posts: 486
    It could be unicast flooding, but that would require some bad settings on your switch, or maybe even someone on the VLAN doing MAC flooding to fill up the CAM table. Take a look at the CAM table, check to see if the traffic that is being flooded has a matching entry in the CAM table.
  • notgoing2fail Member Posts: 1,138
    I'm curious because he's seeing another workstation's HTTP traffic.

    I'm not aware of any kind of HTTP traffic that does any sort of flooding.

    Honestly, we would need to see how his network is set up along with a config of his switch before we can really determine anything.

    Otherwise it's all just a crapshoot what it could be....
  • outrunred Banned Posts: 30
    Definitely sure it's not a SPAN port? Used for 'monitoring' users?
  • Coolhandluke Member Posts: 118
    I have the same issue on a production network.
    I can sit in my office and sometimes all traffic looks fine, only getting broadcasts (and some multicast traffic). Other times I can start getting data from other people's HTTP sessions (from the same VLAN). Not just a few users, quite a lot.

    Only thing I managed to get from this after searching the net was that in some cases when under high load switches can sometimes begin to act like hubs and just flood the data.

    These are not Cisco switches though but I would be open to any other answers that people can throw in.

    (CAM tables all look fine)
    STP reports network changes every few minutes (relevant?)
    [CCENT]->[CCNA]->[CCNP-ROUTE]->[CCNP SWITCH]->[CCNP-TSHOOT]
  • notgoing2fail Member Posts: 1,138
    Coolhandluke wrote: »
    I have the same issue on a production network.
    I can sit in my office and sometimes all traffic looks fine, only getting broadcasts (and some multicast traffic). Other times I can start getting data from other people's HTTP sessions (from the same VLAN). Not just a few users, quite a lot.

    Only thing I managed to get from this after searching the net was that in some cases when under high load switches can sometimes begin to act like hubs and just flood the data.

    These are not Cisco switches though but I would be open to any other answers that people can throw in.

    (CAM tables all look fine)
    STP reports network changes every few minutes (relevant?)


    The high load is a good point. I suppose we should see what the CPU usage is and what the CAM table looks like. In your case you say it looks fine so I'm not sure why you guys are able to see traffic other than broadcasts..

    This is very interesting....
  • DevilWAH Member Posts: 2,997
    When STP changes occur you can get a flush of the CAM tables. Until these refill the switch will flood frames. But to be honest you should only see one packet from each host (maybe 2 or 3) as once one frame has passed across the network back and forth the switch should stop flooding that MAC address.

    Are you getting full conversations or just random packets?

    Oh, and check the incoming router's CPU and CAM tables. Remember this has to run ARPs for all the clients; if it is getting hammered you may get strange stuff happening too.
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.
  • jbrad95706 Member Posts: 225
    DevilWAH wrote: »
    When STP changes occur you can get a flush of the CAM tables. Until these refill the switch will flood frames. But to be honest you should only see one packet from each host (maybe 2 or 3) as once one frame has passed across the network back and forth the switch should stop flooding that MAC address.

    Are you getting full conversations or just random packets?

    Oh, and check the incoming router's CPU and CAM tables. Remember this has to run ARPs for all the clients; if it is getting hammered you may get strange stuff happening too.

    This part got me thinking... (Keep in mind I'm a Cisco Rookie...)

    This is a new switch that users are being cut over to regularly. I’m assuming there is a very good chance that this is the cause?!?

    I’m thinking I should have made this part clearer from the start….

    That said, I'm still seeing more than 1 or 2 packets from the hosts... Thanks for all of the help - I'm still poking around for more info. (When I can...)
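
The questions raised in the thread (is it really broadcast traffic, and is it one or two frames per host or whole conversations) can be answered from the capture itself by classifying each frame on its destination MAC. The following is an added example, not code from any poster: the sample frames and MAC addresses are constructed, and `transient_max=3` is an assumption taken from the "maybe 2 or 3" frames one poster expects after a CAM table flush.

```python
from collections import Counter

BROADCAST = b"\xff" * 6

def mac(text):
    """'02:00:00:00:00:01' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def frame(dst, src, ethertype=0x0800):
    """Constructed Ethernet II frame: header plus zero padding to 60 bytes."""
    return mac(dst) + mac(src) + ethertype.to_bytes(2, "big") + bytes(46)

def classify(raw, my_mac):
    """Label one captured frame by its destination MAC."""
    dst, src = raw[0:6], raw[6:12]
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:            # I/G bit set: group (multicast) address
        return "multicast"
    if dst == my_mac:
        return "unicast-to-me"
    if src == my_mac:
        return "unicast-from-me"
    return "flooded-unicast"     # unicast between two other hosts

def summarize(frames, my_mac, transient_max=3):
    """Count frame classes; list destinations flooded more than transient_max times."""
    classes, per_dst = Counter(), Counter()
    for raw in frames:
        if len(raw) < 14:        # shorter than an Ethernet header, skip
            continue
        label = classify(raw, my_mac)
        classes[label] += 1
        if label == "flooded-unicast":
            per_dst[raw[0:6]] += 1
    sustained = sorted(d.hex(":") for d, n in per_dst.items() if n > transient_max)
    return classes, sustained

# Constructed sample capture (locally administered MACs, not from the thread).
MY_MAC = mac("02:00:00:00:00:01")
SAMPLE = (
    [frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:02", 0x0806)]    # ARP broadcast
    + [frame("01:00:5e:00:00:fb", "02:00:00:00:00:03")]          # IPv4 multicast
    + [frame("02:00:00:00:00:01", "02:00:00:00:00:04")]          # addressed to us
    + [frame("02:00:00:00:00:10", "02:00:00:00:00:05")] * 2      # brief flood
    + [frame("02:00:00:00:00:20", "02:00:00:00:00:06")] * 6      # sustained flood
)

if __name__ == "__main__":
    classes, sustained = summarize(SAMPLE, MY_MAC)
    print(dict(classes))
    print("sustained flooding toward:", sustained)
```

Destinations listed as sustained are the ones to look up in the switch's CAM table: a missing or moving entry for that MAC points at flooding rather than a transient relearn.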