Well I had an early Cat6k with Sup1 and a software bug which caused the L2 CAM not to populate. Simple software upgrade resolved the problem, been too long for me to recall which CatOS version that would have been. I doubt that's what you're facing, but since you asked for examples.... :-)
First I would suggest you verify the packets you are seeing have unicast MAC destination addresses. Some protocols do use broadcast MAC addresses with Layer3 unicast addresses and this traffic you're observing may well be normal. It's best to understand what you are seeing before jumping to conclusions. Also double check that you aren't SPAN'ing that VLAN to your sniffer... That being said and there is still something to chase. The next thing to do is verify the cam is populated correctly for those endhosts. The cam--content addressable memory is the storage for the layer 2 forwarding tables in these boxes. Without knowing where to forward frames to the switch is forced to flood the frame out each port that is a part of that VLAN, which may be what your sniffer is seeing. For CatOS based use sh cam to view it, issue for the other NT server as well. If a definite dest port isn't listed then you need to look into why. Issue the commands a few times in short succession to see if a destination port is ever learned. It may be that the switch you're attached to isn't keeping a stable cam due to interfaces flapping, STP topology changes(from network design flaw), software bugs, some other device sending frames from those host's MAC addresses, use your imagination. If you need to hook the sniffer up to one of the other switches which carry that VLAN, that may help you narrow the scope of the problem. If you can't see what's wrong provide us the following: -Where are the two NT hosts in question attached to in the diagram you're giving. -What are the specific src/dst mac, ip, and if applicable port numbers of the traffic that you see leaking. -What is the state of the cam's for each of these hosts' mac addresses. It'd be nice for each switch between these hosts. And what device do each of these destinations port represent -Output of sh spant stat Good Luck, Darrell Newcomb [EMAIL PROTECTED] Consultant, Netswitch--Turning your Needs into Results http://www.netswitch.net BTW, Netswitch has been Serving Indonesia since 2000 ""Hitesh Pathak R"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > Dear Group, > > I am having a setup like this :- > > cat6k ---------- cat6k | | > | | > |---- Cat5k----| |---- Cat5k----| > > I am connecting the sniffer on one of my core switches (cat6ks) and without > doing port mirroring (SPAN) able to see the unicast packets flow between 2 > Windows NT servers. Does this indicate unicast port flooding ??? or is this > the default behavior of my Sniffer s/w. I am using Network associates > Sniffer s/w. The port where the PC is connected is also in the same vlan in > which the Windows NT servers are connected. Both the Servers are connected > on the same switch. The servers are Win2k. > > Has anybody faced a similar problem like this ??? > > many thanks in advance > > Hitesh > > > > > > DISCLAIMER: > Information contained and transmitted by this E-MAIL is proprietary to Wipro > Limited and is intended for use only by the individual or entity to which it > is addressed, and may contain information that is privileged, confidential > or exempt from disclosure under applicable law. If this is a forwarded > message, the content of this E-MAIL may not have been sent with the > authority of the Company. If you are not the intended recipient, an agent of > the intended recipient or a person responsible for delivering the > information to the named recipient, you are notified that any use, > distribution, transmission, printing, copying or dissemination of this > information in any way or in any manner is strictly prohibited. If you have > received this communication in error, please delete this mail & notify us > immediately at [EMAIL PROTECTED] Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=52914&t=52907 -------------------------------------------------- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
