Subject: Switching behavior - ARP or Flood?
Posted on: 11-10-2007
From: response3, November 10, 2007, 3:06 am

Hi all,
I'm trying to understand when a layer-2 bridge (switch) would flood an
unknown unicast frame. My understanding is that whenever a device
needs to send a unicast frame, it would use ARP before sending, in
which case the switch would already have the MAC address of the
destination due to its ARP reply. This seems to mean that there would never
be a scenario where the switch would flood a unicast frame out all
ports. My book lists this as a valid scenario. Am I missing
something, or is this only possible in situations where ARP isn't
used? Thanks.

Re: Switching behavior - ARP or Flood?

It happens when the sending station has the MAC address of the destination
in its ARP cache, but the switch does not, for example, because it flushed
its cache due to STP topology changes, or it aged out, or simply because it
has just been powered on. Admittedly, not very often, but it can nonetheless
happen.
Regards

Re: Switching behavior - ARP or Flood?
response3 wrote:

ARP is a layer 3 protocol which maps IP addresses to MAC addresses. A
layer-2 switch doesn't keep an ARP table. Instead, it passively learns
the dynamic MAC addresses for each switch port (or they are statically
assigned in some environments). If a MAC address isn't in its MAC
address table, it forwards the packet to all ports.
At the place I used to work, once we had a server with a bad NIC driver.
It had two teamed NICs, and somehow ended up using the MAC address of
one of the individual NICs from the team. That MAC address wasn't in
any MAC address tables, so it led to a unicast storm on the network
until we tracked down the problem.


Re: Switching behavior - ARP or Flood?

So what happens when the ARP target response is not seen by the bridge?
The bridge may have a momentary overload, or the path from the MAC back to
the originator may not cross this particular bridge.
This can happen if you have asymmetric paths through a LAN - a switched
subnet, with 2 routers using HSRP where inbound traffic comes in through 1 and
outbound goes via the other is a common case (esp. in conjunction with the
timer mismatch below).
Also, a bridge MAC table is usually in hardware with a fixed size - too many
learned entries and it has to ignore the ones that come along when the table
is full, or purge an existing entry - a common attack to cause a switched
LAN to flood packets is to saturate the MAC tables in switches.
> This seems that there would never

It seems less common now than when a typical switched LAN handled lots of
protocols, mainly because IP is better behaved than some other protocol
stacks.
However, aging can do it:
The default 802.1D aging timer is 5 minutes.
The default ARP timer on a Cisco is 4 hours?
So, plenty of time for the bridge MAC table to time out while an ARP cache
is still valid.

--
Regards
stephen_hope@xyzworld.com - replace xyz with ntl
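To make the two cases from the replies above concrete (bridge entry aged out while the host's ARP cache is still valid, and a reply that never crossed this bridge), here is an added simulation of a transparent learning bridge. It is not code from any poster; the MAC addresses, port numbers and timestamps are constructed, and the 5-minute / 4-hour timers are the values quoted in the thread.

```python
from dataclasses import dataclass, field

BRIDGE_AGING = 300        # 802.1D default MAC table aging, seconds (quoted in the thread)
ARP_AGING = 4 * 3600      # ARP cache timeout quoted for Cisco in the thread, seconds
FLOOD = "FLOOD"


@dataclass
class LearningBridge:
    """Transparent bridge: learns source MACs per port, ages them out, floods unknowns."""
    ports: tuple
    aging: int = BRIDGE_AGING
    table: dict = field(default_factory=dict)   # mac -> (port, last_seen)

    def receive(self, src, dst, in_port, now):
        """Learn src on in_port, then return the egress port for dst, or FLOOD."""
        self.table[src] = (in_port, now)
        entry = self.table.get(dst)
        if entry is None or now - entry[1] > self.aging:
            self.table.pop(dst, None)          # stale or absent: unknown unicast
            return FLOOD
        return entry[0]

    def egress_ports(self, decision, in_port):
        """Ports the frame actually leaves on (flood = every port except ingress)."""
        if decision == FLOOD:
            return [p for p in self.ports if p != in_port]
        return [decision]


def aging_mismatch_scenario():
    """Host A's ARP entry (4h) outlives the bridge's MAC entry for B (5 min)."""
    br = LearningBridge(ports=(1, 2, 3))
    a, b, bcast = "aa:aa", "bb:bb", "ff:ff:ff:ff:ff:ff"   # constructed addresses
    br.receive(a, bcast, 1, 0)      # t=0: A's ARP request; bridge learns A on port 1
    br.receive(b, a, 2, 1)          # t=1: B's reply via port 2; bridge learns B, A caches B
    arp_valid_until = 1 + ARP_AGING
    results = {}
    # t=60: bridge still knows B, so the unicast goes out port 2 only.
    results["t=60"] = br.egress_ports(br.receive(a, b, 1, 60), 1)
    # t=600: A's ARP entry is still valid (no new ARP), but B's bridge entry has aged out.
    assert 600 < arp_valid_until
    results["t=600"] = br.egress_ports(br.receive(a, b, 1, 600), 1)
    return results


def asymmetric_path_scenario():
    """B's reply never crossed this bridge, so B was never learned: unicast to B floods."""
    br = LearningBridge(ports=(1, 2, 3))
    br.receive("aa:aa", "ff:ff:ff:ff:ff:ff", 1, 0)   # only A's request was seen here
    return br.egress_ports(br.receive("aa:aa", "bb:bb", 1, 5), 1)
```

Running `aging_mismatch_scenario()` shows the same frame going to port 2 alone at t=60 and to ports 2 and 3 at t=600, which is exactly the unicast flood the original poster thought could not happen.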