Switches, Hubs, and Modems
cancel
Showing results for 
Search instead for 
Did you mean: 

Traffic on port not detined for host - help

Paul Clayton
Frequent Advisor

Traffic on port not detined for host - help

Sorry, lousy summary, but I got a funny which does not make sense. If monitor a port on my 4108 switch, and mask out traffic that is destined for my host (lets call it hostA), I see a lot of traffic detined for other hosts, eminating remote.
For example I see hostB <--HostC.

Also see this a lot with MS terminal services.
The way I understand it a switch should only direct traffic that is detined for the specific host, excluding broadcasts.

The reasons I am asking this, is we keep getting the odd apparent network freeze, that looks like the network, but I am not convinced. Investigation showed the above network traffic example.
1 REPLY
André Beck
Honored Contributor

Re: Traffic on port not detined for host - help

Hi,

> Also see this a lot with MS terminal
> services.

Is this by chance an MS terminal server cluster? MS had the brilliant idea of abusing multicast here, in a way that cannot be catched by IGMP snooping. In short, they use an IP multicast MAC address with an unicast IP destination address. Of course this floods all the broadcast domain.

> The way I understand it a switch should only
> direct traffic that is detined for the
> specific host, excluding broadcasts.

Excluding broadcasts, multicasts and unknown destination unicasts. Sometimes it's the latter, there are some scenarios where this is normal to happen and some where it is likely a failure of some other component. If the switch you are looking at never sees frames *from* host X, it will not learn X's MAC address and thus will flood all frames *to* X should they ever reach it. This is normal. Even short bursts of flooded unknown destination unicasts are completely normal in a nontrivial L2 topology. They just should not reach the Mbps rates ;)

HTH,
Andre.