[c-nsp] Unknown unicast only occurring when a host is under attack...

John Neiberger jneiberger at gmail.com
Thu Mar 24 14:54:18 EDT 2011


On Thu, Mar 24, 2011 at 12:11 PM, Drew Weaver <drew.weaver at thenap.com> wrote:
> Hi,
>
> I've never seen this issue before and I don't find a lot of information about it on the Internet.
>
> Basically, what is happening is a host in a VLAN is getting flooded with HTTP requests, and when this happens the HTTP requests are being unicast to all ports in this VLAN.
>
> This only happens when the host is being flooded; when I block the attack, normal traffic isn't being unicast flooded.
>
> I would think that if this was normal unknown unicast it would always happen after the CAM expires the MAC entry...?
>
> Has anyone heard of anything like this before?
>
> System is a 6500 (sup 720s) /w SXI5.
>
> thanks,
> -Drew

That sounds pretty strange. There are attacks that could cause this,
though. They can cause your MAC table to overflow. Let's say you can
have up to 32,768 addresses in your table. If the table is full,
traffic destined for that 32769th MAC address will be flooded. At
least I think that's how it works. Check to see how many entries are
in your MAC address table.

Good luck!
John
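
The full-table behaviour described in the reply above, as an added example that is not part of the original thread: a minimal Python model of a learning switch with a bounded MAC table, showing that a frame to a MAC the switch could not learn goes out every other port. The 4-entry capacity, port numbers and MAC addresses are constructed, and entry aging is not modelled.

```python
# Added illustration: minimal learning switch with a bounded MAC table.
# Capacity, ports and MACs are constructed values, not taken from a 6500.

class LearningSwitch:
    def __init__(self, ports, capacity):
        self.ports = list(ports)
        self.capacity = capacity
        self.table = {}          # MAC address -> port it was learned on
        self.learn_failures = 0  # source MACs not learned because table was full

    def receive(self, in_port, src, dst):
        """Process one frame and return the list of ports it is sent out of."""
        # Learning: record or refresh the source MAC only if there is room.
        if src in self.table or len(self.table) < self.capacity:
            self.table[src] = in_port
        else:
            self.learn_failures += 1
        # Forwarding: known destination -> one port; unknown -> flood.
        out = self.table.get(dst)
        if out is not None:
            return [out]
        return [p for p in self.ports if p != in_port]

    def utilization(self):
        """Fraction of the table in use; 1.0 means no new MAC can be learned."""
        return len(self.table) / self.capacity


def demo():
    sw = LearningSwitch(ports=range(1, 5), capacity=4)
    bcast = "ff:ff:ff:ff:ff:ff"
    # Four hosts on ports 1 and 2 fill the table.
    for i in range(4):
        sw.receive(1 + i % 2, f"00:00:00:00:00:{i:02x}", bcast)
    # A fifth host on port 3 sends a frame, but its MAC cannot be learned.
    sw.receive(3, "00:00:00:00:00:aa", bcast)
    # Traffic to a learned MAC leaves on one port only.
    known = sw.receive(1, "00:00:00:00:00:00", "00:00:00:00:00:01")
    # Traffic to the unlearned fifth host is flooded to all other ports.
    unknown = sw.receive(1, "00:00:00:00:00:00", "00:00:00:00:00:aa")
    return sw, known, unknown


if __name__ == "__main__":
    sw, known, unknown = demo()
    print(f"utilization={sw.utilization():.0%} learn_failures={sw.learn_failures}")
    print("to learned MAC:", known, "| to unlearned MAC:", unknown)
```
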

