14 Replies Latest reply: Mar 20, 2018 9:14 PM by neuralping

    Having trouble understanding Unicast Flooding

    Tomas

      Hello.

      I think I don't understand unicast flooding.

      Here's the exhibit with some text (taken from Unicast Flooding in Switched Campus Networks - Cisco):

      [Image: uniflood.png]

      The explanation of this exhibit is that "with such an arrangement, switch A will not "see" traffic from the S2 MAC address in VLAN 2 (since the source MAC address will be rewritten by router B and the packet will only arrive in VLAN 1). This means that every time switch A needs to send the packet to the S2 MAC address, the packet will be flooded to VLAN 2".

      My question is this: if Switch A once learned that the reply from S2 came back via the VLAN 1 interface (even though with Router B's MAC as the source), would it not remember to use that interface the next time?

      And as I see in this topology, there is no trunk between the switches - does it have any significance in this situation?

      Thank you

        • 1. Re: Having trouble understanding Unicast Flooding
          Juergen Ilse CCNA R&S

          I don't understand the cited explanation. Since S1 and S2 are in different VLANs, I would expect that they are also in different Layer 3 networks, and so S1 will never send its traffic for S2 to S2 (or the MAC address of S2) directly; it will every time send the traffic destined to S2 to its default gateway Router A. S1 will never see the MAC address of S2. Same for traffic from S2 to S1: since they are on different L3 networks, S2 will send all traffic destined to S1 to its default gateway Router B. S2 will never see the MAC address of S1. I see nothing in this setup where every frame to a specific destination will be flooded every time.

          So you are not alone, if you don't understand the cited explanation.

          • 2. Re: Having trouble understanding Unicast Flooding
            Modestas

            Tomas wrote:

            My question is this: if Switch A once learned that the reply from S2 came back via the VLAN 1 interface (even though with Router B's MAC as the source), would it not remember to use that interface the next time?

            No. Because the blue path in Switch A needs S2's MAC address in VLAN 2 in order to forward the frame from Router A.

            And as I see in this topology, there is no trunk between the switches - does it have any significance in this situation?

            Not at all.

            You can mitigate the problem by creating some periodic traffic from S2 towards Router A to keep Switch A's CAM table populated. ARP is a good choice; just configure the ARP timeout below the switch table aging time.

            • 3. Re: Having trouble understanding Unicast Flooding
              arteq

              This scenario is a bit unrealistic, but effective in bringing home the flooding concept... the giveaway is in the gateways assigned to the servers (which are router IPs), which makes the switches L2 only. It is important to note the VLAN segmentation evinced by the separate cables to either VLAN between the switches.

              A trunk would make a difference because a trunk by default (unless otherwise explicitly configured) would pass all VLANs (but then the switches would require some L3 knowledge, SVI or routing), so that's out...

              Within the same VLAN the switches are happy to send the unicasts directly to the end devices whose MAC they are aware of... otherwise, they must flood because:

              the default behavior for the switch is to flood the unknown unicast out every port except the one upon which it was received...

              • 4. Re: Having trouble understanding Unicast Flooding
                Steven Davidson

                Take a look at this video.  It's a bit rambling at times but I do demonstrate unicast flooding in action in a live topology

                • 5. Re: Having trouble understanding Unicast Flooding
                  Juergen Ilse CCNA R&S

                  After thinking again about the scenario, I understand why Switch A will flood packets coming from S1 destined to S2, if S1 has an ARP entry for Router A in its ARP cache and Switch A has no entry for Router A in its MAC address table. In this case, S1 will send the packet to Router A, and S1 does not need to send an ARP request to determine the MAC address of its default gateway, because of the already existing entry in the ARP table. Switch A has no entry in its MAC address table, so it will flood the frame to all ports except where it was received (unicast flooding).

                  The answer from S2 will run through Router B, so Switch A will learn the MAC address of Router B in VLAN 1, but it will not receive any traffic from Router A in VLAN 1. So Switch A will continue to flood such packets, because it never receives frames in VLAN 1 from the subinterface of Router A in VLAN 1. This depends on "S1 has an ARP entry for Router A in VLAN 1 but Switch A has no MAC address entry for Router A in VLAN 1".

                  I started to think with empty MAC address tables of the switches and empty ARP tables of the servers, and in that case the MAC address tables of the switches will be filled with the necessary entries by the ARP traffic received by the switches, so the flooding will *not* occur. I just didn't think about the possibility that S1 may have an ARP entry for Router A while Switch A has no MAC address entry for Router A in VLAN 1 ...

                  • 6. Re: Having trouble understanding Unicast Flooding
                    Jeffrey

                    Hey experts, thanks for your replies. I'm working on SWITCH and I imagine this is from ROUTE or TSHOOT, but it got me interested to learn. So the main problem is that the router maintains the ARP entry for a default of 4 hours and the switch only keeps the CAM entry for 300 seconds by default. Once Switch A drops the CAM entry after 300 seconds (originating from ARP), flooding occurs. Sound right?

                    • 7. Re: Having trouble understanding Unicast Flooding
                      Juergen Ilse CCNA R&S

                      I think, you are right with your summary.

                      • 8. Re: Having trouble understanding Unicast Flooding
                        Modestas

                        Jeffrey wrote:

                        Hey experts, thanks for your replies. I'm working on SWITCH and I imagine this is from ROUTE or TSHOOT, but it got me interested to learn. So the main problem is that the router maintains the ARP entry for a default of 4 hours and the switch only keeps the CAM entry for 300 seconds by default. Once Switch A drops the CAM entry after 300 seconds (originating from ARP), flooding occurs. Sound right?

                        The main problem is CAM aging in Switch A.

                        ARP timeout is not the cause. ARP timeout fine-tuning is one of the possible mitigation strategies.
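The CAM-aging race Modestas describes in this reply, together with the ARP-timeout mitigation he proposes in reply 2, as an added example that is not part of the Cisco document or of any post in this thread. The topology, port names, MAC labels, timers and traffic pattern are assumptions: switch A's aging time of 300 s and router A's ARP timeout of 14400 s are the defaults Jeffrey quotes, and the model treats the router's ARP refresh as happening only when a cached entry is used after its timeout, which is a simplification of what IOS actually does.

```python
"""Model of the CAM-aging / ARP-timeout race behind unicast flooding.

Added example, not code from the Cisco document or any post in this thread.
Assumed scenario: S1 (VLAN 1 on switch A) sends to S2 (VLAN 2 on switch B)
through router A; S2's replies return through router B in VLAN 1, so switch A
sees S2's MAC as a source in VLAN 2 only during an ARP exchange.
"""
from dataclasses import dataclass, field
from typing import Callable

CAM_AGING_DEFAULT = 300      # assumed Catalyst default MAC aging time (s)
ARP_TIMEOUT_DEFAULT = 14400  # assumed IOS default ARP timeout, 4 hours (s)


@dataclass
class Switch:
    """Layer-2 switch: forward, filter or flood based on a per-VLAN MAC table."""
    aging: int
    cam: dict = field(default_factory=dict)  # (vlan, mac) -> (port, last_seen)

    def learn(self, vlan: int, mac: str, port: str, now: int) -> None:
        # Source-MAC learning refreshes the entry's timestamp.
        self.cam[(vlan, mac)] = (port, now)

    def _expire(self, now: int) -> None:
        for key, (_, seen) in list(self.cam.items()):
            if now - seen >= self.aging:
                del self.cam[key]

    def decide(self, vlan: int, dst: str, in_port: str, now: int) -> str:
        """Return 'forward', 'filter' or 'flood' for a unicast frame."""
        self._expire(now)
        entry = self.cam.get((vlan, dst))
        if entry is None:
            return "flood"   # unknown unicast: every port in the VLAN except in_port
        return "filter" if entry[0] == in_port else "forward"


@dataclass
class Router:
    """Minimal ARP cache: re-resolve only when an entry is older than the timeout."""
    arp_timeout: int
    arp: dict = field(default_factory=dict)  # ip -> (mac, learned_at)

    def resolve(self, ip: str, now: int, do_arp: Callable[[str, int], str]) -> str:
        entry = self.arp.get(ip)
        if entry is None or now - entry[1] >= self.arp_timeout:
            mac = do_arp(ip, now)   # the request/reply exchange is what refreshes switch CAMs
            self.arp[ip] = (mac, now)
        return self.arp[ip][0]


def simulate(cam_aging: int, arp_timeout: int, duration: int = 900, interval: int = 60) -> list:
    """Send one S1->S2 packet every `interval` s; return the times switch A flooded VLAN 2."""
    switch_a = Switch(aging=cam_aging)
    router_a = Router(arp_timeout=arp_timeout)
    S2_IP, S2_MAC, RA_MAC = "10.2.0.10", "S2", "RA"   # assumed labels

    def arp_for_s2(ip: str, now: int) -> str:
        # Router A broadcasts the request in VLAN 2: switch A learns RA on the router port.
        switch_a.learn(2, RA_MAC, "to-routerA-v2", now)
        # S2's unicast reply comes back via switch B, so switch A learns S2 on the VLAN 2 uplink.
        switch_a.learn(2, S2_MAC, "to-switchB-v2", now)
        return S2_MAC

    floods = []
    for now in range(0, duration + 1, interval):
        dst_mac = router_a.resolve(S2_IP, now, arp_for_s2)
        if switch_a.decide(2, dst_mac, "to-routerA-v2", now) == "flood":
            floods.append(now)
        # S2's reply to S1 travels S2 -> router B -> switch A in VLAN 1 with router B's
        # MAC as source, so nothing refreshes the (2, S2) entry on switch A.
    return floods


if __name__ == "__main__":
    print("default timers:        ", simulate(CAM_AGING_DEFAULT, ARP_TIMEOUT_DEFAULT))
    print("arp timeout < cam aging:", simulate(CAM_AGING_DEFAULT, 270))
```

The first call returns the times at which switch A flooded VLAN 2: once the S2 entry ages out at 300 s the router keeps using its cached MAC, so every later packet is flooded, which is the "every time" the Cisco text means. With the ARP timeout set below the aging time the re-ARP exchange refreshes the CAM before it expires and the list is empty. On Catalyst IOS the corresponding knobs are `mac address-table aging-time <seconds> vlan <id>` on the switch and `arp timeout <seconds>` under the router's VLAN 2 interface (from my own familiarity with IOS, not from the thread).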

                        • 9. Re: Having trouble understanding Unicast Flooding
                          Harpreet Singh

                          Interesting TSHOOT scenario. I think brian-osgood and @Steven Davidson have explained it. I'm writing the comment here because, going through the book 'CCNP Routing and Switching ROUTE 300-101 Official Cert Guide', the section 'Asymmetric Routing' reminded me about this post. To explain asymmetric routing the author, Kevin Wallace, shows how HSRP at the aggregation layer can create a similar scenario.

                          Here below is the quote and explanation:

                          A challenge with this common scenario can occur with the return traffic, as illustrated in Figure 1-23. The return traffic flows from the Internet and into CSW1, which then load-balances between DSW1 and DSW2. When the path through DSW1 is used, the MAC address of PC1 is known to DSW1's ARP cache (because it just saw PC1's MAC address being used as the source MAC address in a packet going out to the Internet). However, when the path through DSW2 is used, DSW2 might not have PC1's MAC address in its ARP cache (because PC1 isn't normally using DSW2 as its default gateway). As a result, DSW2 floods this unknown unicast traffic out all its other ports. This issue is known as asymmetric routing, because traffic might leave through one path (for example, through DSW1) and return through a different path (for example, through DSW2). Another name given to this issue is unicast flooding, because of the potential for a backup FHRP router or multilayer switch to flood unknown unicast traffic for returning traffic.

                           

                          • 10. Re: Having trouble understanding Unicast Flooding
                            Tomas

                            Well, I think I still don't understand this scenario.

                            Quoting the same text once more:

                            1.

                            Packets from S1 to S2 will follow this path:

                            • S1--VLAN 1--switch A--router A--VLAN 2--switch B--VLAN 2--S2 (blue line)

                            And then:

                            2.

                            Note that with such an arrangement, switch A will not "see" traffic from the S2 MAC address in VLAN 2 (since the source MAC address will be rewritten by router B and the packet will only arrive in VLAN 1). This means that every time switch A needs to send the packet to the S2 MAC address, the packet will be flooded to VLAN 2.

                            Notice that in quote 1 there is no mention of flooding when the packet path from S1 (VLAN 1) to S2 (VLAN 2) is described.

                            But quote 2 says that Switch A will flood the packet to VLAN 2 every time.

                            In contrast, the description of the path from S2 to S1 does include flooding:

                            S2--VLAN 2--switch B--router B--VLAN 1--switch A--flooded to VLAN 1--S1 (red line)

                            • 11. Re: Having trouble understanding Unicast Flooding
                              Steven Davidson

                              I think what's confusing you is the diagram. If there was a workstation connected to switch A and the workstation was on VLAN 2, the same flooding would occur on switch A (affecting the workstation on switch A) when the router sends the blue traffic flow to S2, as long as the MAC address for S2 had timed out of the MAC table on switch A while the ARP entry for S2 still existed in the router connected to switch A.

                              [Image: uniflood_b.png]

                              • 12. Re: Having trouble understanding Unicast Flooding
                                Tomas

                                Thank you, Steven.

                                What confused me was the statement that "every time switch A needs to send the packet to the S2 MAC address, the packet will be flooded to VLAN 2". But it would not be flooded if Switch A still had S2's MAC address in its CAM, would it? So it's definitely not "every time".

                                Suppose all switches have valid CAM records. Then S2, sending a reply packet to S1, will not need to send the packet to its default gateway Router B, but instead it will send the packet straight to Switch B, and Switch B will send the packet straight to S1, without sending the packet to Router A. Is that correct?

                                • 13. Re: Having trouble understanding Unicast Flooding
                                  Steven Davidson

                                  That's reading into it way more than you need to. They are talking about the scenario wherein the flooding conditions exist. Read it like this: "as long as the flooding conditions exist, the packet will be flooded to VLAN 2 every time". They wouldn't be talking about flooding if the flooding conditions didn't exist. Did you happen to watch that video demonstration I posted to this thread? You can see, as I go through the demonstration, that the flooding condition is transient. It comes and goes even within the short time frame of my demonstration. That's the sneaky, deadly thing about this problem and why it can go undetected in an environment for a very long time. How impactful it will be largely depends on when it happens, for how long it happens, and which node(s) it happens to.

                                  • 14. Re: Having trouble understanding Unicast Flooding
                                    neuralping

                                    That diagram may be getting in the way of your understanding unknown unicast frame flooding.

                                    When a frame comes into a switch and it gets to the forwarding decision, it will do one of three things with it: forward, filter or flood it. Even though the frame may be destined for a particular host, if there is no entry in the MAC address table you have an unknown unicast frame. When you have an unknown unicast frame it will be flooded out all ports except the port it came in on to find the host. No further flooding will occur as long as the MAC address remains in the MAC address table through periodic communication from the host before it ages out of the MAC address table. If that happens, the switch has to flood the frame again to find the host.

                                    I would use a simplified diagram with 2 switches and a few hosts attached to each to visualize the idea of unknown unicast frame flooding.