Ethernet Switching

ex4550 odd unicast flood

‎08-28-2019 04:05 PM

I'm looking at a unicast flood that occurred and analysing it retrospectively with graphing.

2 x ex4550s running 12.x junos with a trunk between them.

sw1 and sw2 both have hosts in VLAN 2.

An unknown unicast flood occurred for approx 10 mins and maxed out the links for all vlan 2 members on sw2, which would indicate it was received over the trunk from sw1 as this link was unaffected.

All vlan 2 members on sw1 were also unaffected, no change ingress or egress.

The odd thing is there is no increase ingress on any link on sw1 or sw2 and no loop anywhere. It's as if the unknown unicast is received by sw2 from sw1 then amplified out to every vlan2 member.

Nothing in the logs on either switch and no STP changes.

Any possible explanation for what appears to be a self-generated unicast flood by the switch?


Re: ex4550 odd unicast flood

‎08-28-2019 09:34 PM

Hello,

@kodbobo wrote:

I'm looking at a unicast flood that occurred and analysing it retrospectively with graphing.

2 x ex4550s running 12.x junos with a trunk between them.

All vlan 2 members on sw1 were also unaffected, no change ingress or egress.

<skip>

It's as if the unknown unicast is received by sw2 from sw1 then amplified out to every vlan2 member.

It looks like sender and sw1 both had a dst.MAC entry for this flood traffic but sw2 did not.

Some questions if I may:

1/ are MAC aging timers different on sw1 and sw2?

2/ did You have a forwarding table overflow event on sw2 where this MAC was crowded out?

3/ overzealous sw2 port security (allowed-mac 1) which rejected this MAC because some other MAC got learned first?

HTH

Thx
Alex
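
The hypothesis in the reply above (sw1 holds a forwarding entry for the destination MAC, sw2 does not) can be reproduced with a small model of two learning switches. This is an added example, not part of the original thread or Juniper code; the port names, MAC addresses and frame count are constructed, and MAC aging is not modelled.

```python
from collections import Counter

class Switch:
    """Single-VLAN learning bridge: learn source MAC, forward known, flood unknown."""
    def __init__(self, name, ports):
        self.name, self.ports = name, list(ports)
        self.fdb = {}        # MAC -> port (forwarding table)
        self.rx = Counter()  # frames received per port
        self.tx = Counter()  # frames transmitted per port
        self.peer = {}       # port -> (neighbour switch, neighbour port)

    def receive(self, in_port, src, dst):
        self.rx[in_port] += 1
        self.fdb[src] = in_port                  # source learning
        if dst in self.fdb:
            out = [self.fdb[dst]]                # known unicast: one port
        else:
            out = self.ports                     # unknown unicast: flood the VLAN
        for port in out:
            if port == in_port:                  # never send back out the ingress port
                continue
            self.tx[port] += 1
            if port in self.peer:
                neighbour, their_port = self.peer[port]
                neighbour.receive(their_port, src, dst)

def simulate(frames=1000, sw2_knows_dst=False):
    # Constructed topology: three access ports per switch plus one trunk.
    sw1 = Switch("sw1", ["acc1", "acc2", "acc3", "trunk"])
    sw2 = Switch("sw2", ["acc1", "acc2", "acc3", "trunk"])
    sw1.peer["trunk"] = (sw2, "trunk")
    sw2.peer["trunk"] = (sw1, "trunk")
    sender, dst = "00:00:5e:00:53:01", "00:00:5e:00:53:02"  # documentation MACs
    sw1.fdb[dst] = "trunk"            # sw1 still holds an entry for the destination
    if sw2_knows_dst:
        sw2.fdb[dst] = "acc1"         # healthy case: sw2 holds it too
    for _ in range(frames):
        sw1.receive("acc1", sender, dst)
    return sw1, sw2

if __name__ == "__main__":
    for known in (True, False):
        sw1, sw2 = simulate(sw2_knows_dst=known)
        print(f"sw2 has entry: {known}")
        for sw in (sw1, sw2):
            print(f"  {sw.name} rx={dict(sw.rx)} tx={dict(sw.tx)}")
```

With the entry missing on sw2, the trunk carries the stream once while every sw2 access port transmits a full copy, and the other sw1 access ports stay at zero.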


Re: ex4550 odd unicast flood

‎08-29-2019 02:23 AM

Hi Alex

In answer to the queries:

1/ are MAC aging timers different on sw1 and sw2?

No. Both ARP and MAC are at default times.

2/ did You have a forwarding table overflow event on sw2 where this MAC was crowded out?

No overflow event on that vlan as far as I am aware. If it did, I would have thought traffic from vlan2 hosts on sw2 would have flooded the trunk.

3/ overzealous sw2 port security (allowed-mac 1) which rejected this MAC because some other MAC got learned first?

No port security. Vlan 2 ports are configured identically on both switches.

thanks


Re: ex4550 odd unicast flood

‎08-29-2019 08:41 AM

Hi kodbobo,

Perhaps these will help:

1) Please check for any MAC moves:

show ethernet-switching mac-learning-log

2) If you have spanning-tree enabled, please check for any changes:

show spanning-tree interface
show spanning-tree bridge

3) Do we have any other protocols enabled on the network? RIPv1 had some DDoS with a similar symptom.

Hope this helps.

Regards,
-r.


Re: ex4550 odd unicast flood

‎08-29-2019 10:03 PM
No changes in spanning tree

And I can't see the MAC learning log for the timeframe it occurred as it's buffered out well past it.

And no rip configured