Switching behavior - ARP or Flood?

Hi all,

I'm trying to understand when a layer-2 bridge (switch) would flood an
unknown unicast frame.  My understanding is that whenever a device
needs to send a unicast frame, it would use ARP before sending, in
which case the switch would already have the MAC address of the
destination due to its ARP reply.  It seems that there would never
be a scenario where the switch would flood a unicast frame out all
ports.  My book lists this as a valid scenario.  Am I missing
something, or is this only possible in situations where ARP isn't
used?  Thanks.


Re: Switching behavior - ARP or Flood?
response3 wrote:


It happens when the sending station has the MAC address of the destination
in its ARP cache, but the switch does not, for example, because it flushed
its cache due to STP topology changes, or it aged out, or simply because it
has just been powered on. Admittedly, not very often, but can nonetheless
happen.

Regards


Re: Switching behavior - ARP or Flood?
response3 wrote:

ARP is a layer 3 protocol which maps IP addresses to MAC addresses.  A
layer-2 switch doesn't keep an ARP table.  Instead, it passively learns
the dynamic MAC addresses for each switch port (or they are statically
assigned in some environments).  If a MAC address isn't in its MAC
address table, it forwards the packet to all ports.

At the place I used to work, once we had a server with a bad NIC driver.
It had two teamed NICs, and somehow ended up using the MAC address of
one of the individual NICs from the team.  That MAC address wasn't in
any MAC address tables, so it led to a unicast storm on the network
until we tracked down the problem.

Re: Switching behavior - ARP or Flood?

So what happens when the ARP target response is not seen by the bridge?

The bridge may have a momentary overload, or the path from the MAC back to
the originator may not cross this particular bridge.
This can happen if you have asymmetric paths through a LAN: a switched
subnet with 2 routers using HSRP, where inbound traffic comes in through 1 and
outbound goes via the other, is a common case (especially in conjunction with the
timer mismatch below).

Also, a bridge MAC table is usually in hardware with a fixed size. With too many
learned entries it has to ignore the ones that come along when the table
is full, or purge an existing entry. A common attack to cause a switched
LAN to flood packets is to saturate the MAC tables in switches.


It seems less common now than when a typical switched LAN handled lots of
protocols, mainly because IP is better behaved than some other protocol
stacks.

However, aging can do it:
default 802.1D aging timer is 5 minutes.
default ARP timer on a Cisco is 4 hours?
So, plenty of time for the bridge MAC table to time out while an ARP cache
is still valid.

--
Regards

stephen_hope@xyzworld.com - replace xyz with ntl
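The replies above describe two pieces of state with different lifetimes: the sending host's ARP cache and the bridge's MAC table. The simulation below is an added example (not code from any poster) of a transparent learning bridge with 802.1D-style aging next to a host whose ARP cache lives much longer, using the 5-minute and 4-hour figures quoted in the thread. The MAC and IP addresses are constructed for the example. It shows the sequence the thread walks through: the ARP exchange teaches the bridge where B is, unicast traffic is then forwarded to one port only, and after a period of silence longer than the bridge aging timer (but shorter than the ARP timeout) the host still sends unicast without re-ARPing, so the bridge has no entry for B and floods the frame out every other port.

```python
"""Learning bridge vs. ARP cache timer mismatch (constructed simulation)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
BRIDGE_AGING_SECONDS = 300           # 802.1D default aging, as cited in the thread
HOST_ARP_TIMEOUT_SECONDS = 4 * 3600  # the ~4 h ARP timeout cited in the thread


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    in_port: int


@dataclass
class LearningBridge:
    """Transparent bridge: learns source MACs per port, floods unknown unicasts."""
    ports: int
    aging: float = BRIDGE_AGING_SECONDS
    table: Dict[str, Tuple[int, float]] = field(default_factory=dict)  # mac -> (port, last_seen)
    unknown_unicast_floods: int = 0

    def _age_out(self, now: float) -> None:
        stale = [m for m, (_, seen) in self.table.items() if now - seen > self.aging]
        for m in stale:
            del self.table[m]

    def forward(self, frame: Frame, now: float) -> List[int]:
        """Return the egress ports for `frame` and update the MAC table."""
        self._age_out(now)
        self.table[frame.src_mac] = (frame.in_port, now)   # passive source learning
        all_others = [p for p in range(self.ports) if p != frame.in_port]
        if frame.dst_mac == BROADCAST:
            return all_others                                # broadcast: flooded by design
        entry = self.table.get(frame.dst_mac)
        if entry is None:
            self.unknown_unicast_floods += 1                 # the case the thread asks about
            return all_others
        port, _ = entry
        return [] if port == frame.in_port else [port]       # filter if dst is behind ingress port


@dataclass
class Host:
    mac: str
    ip: str
    port: int
    arp_cache: Dict[str, Tuple[str, float]] = field(default_factory=dict)  # ip -> (mac, learned_at)

    def cached_mac(self, ip: str, now: float) -> Optional[str]:
        entry = self.arp_cache.get(ip)
        if entry and now - entry[1] <= HOST_ARP_TIMEOUT_SECONDS:
            return entry[0]
        return None


def send_ip(bridge: LearningBridge, src: Host, dst: Host, now: float) -> List[int]:
    """Host `src` sends one IP packet to `dst`, resolving with ARP only on a cache miss."""
    mac = src.cached_mac(dst.ip, now)
    if mac is None:
        bridge.forward(Frame(src.mac, BROADCAST, src.port), now)   # ARP request (broadcast)
        bridge.forward(Frame(dst.mac, src.mac, dst.port), now)     # ARP reply; bridge learns dst
        src.arp_cache[dst.ip] = (dst.mac, now)
        mac = dst.mac
    return bridge.forward(Frame(src.mac, mac, src.port), now)


def run_scenario() -> Tuple[List[int], List[int], List[int], int]:
    """Three sends from A to B; returns the egress ports of each and the flood count."""
    bridge = LearningBridge(ports=4)
    a = Host("02:00:00:00:00:0a", "10.0.0.10", port=0)   # constructed addresses
    b = Host("02:00:00:00:00:0b", "10.0.0.11", port=1)
    first = send_ip(bridge, a, b, now=0)      # ARP exchange, then unicast to B's port only
    second = send_ip(bridge, a, b, now=60)    # both tables still fresh
    third = send_ip(bridge, a, b, now=600)    # ARP cache valid, bridge entry for B aged out
    return first, second, third, bridge.unknown_unicast_floods


if __name__ == "__main__":
    print(run_scenario())  # ([1], [1], [1, 2, 3], 1)
```

The third send is flooded even though no ARP was needed, which is the answer to the original question. As soon as B replies, the bridge relearns B's port and forwarding returns to a single port, which is why the posters call it momentary. The bad-NIC-driver story above is the persistent version: a destination MAC that never appears as a source is never learned, so every frame to it is flooded; counting unknown-unicast floods per destination MAC, as `unknown_unicast_floods` does in aggregate here, is a simple way to spot that condition.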
