I've been searching Internet and this forum for a few days, but still can't find the answer - why do I see a lot of transmission from 2 servers in the LAN? I work connected on the switch, no mirror port or anything like that, the packets are not brodcast packets nor multicast ... Very strange, can't figure why... It is as I would work with a hub, not switch (PowerConnect 6200 series). Please explain - in fact this transmission is so "intensive" that is killing our network. Best regards, Andrew asked 14 Apr '13, 01:35  Andrzeja |
2 Answers:
There is the source of your unicast floods. Microsoft NLB works by using a virtual IP address (VIP). An ARP for VIP will result in a cluster mac address. The problem is that the cluster mac address is not used to send any traffic, sending traffic by the nodes in the cluster is done from other mac addresses. As the switches do not know on which switch port the cluster mac address is found, it will send the packets to all ports in the VLAN. This results in that all cluster members will receive the traffic and the NLB driver on each cluster node will determine which node should handle each request. The problem is that other nodes in the same VLAN will also receive all the traffic towards the NLB cluster as traffic is flooded on all ports in the VLAN. Best practice is to use a separate VLAN for each NLB cluster, so that traffic is only flooded to the members of the NLB cluster. If you don't want to place each NLB cluster into a separate VLAN, you can also choose to use a separate loadbalancer. answered 14 Apr '13, 08:02  SYN-bit ♦♦ |
If you see a single unicast every once in a while you're observing pretty normal behaviour. But let's get to the basics first: the switch can only send packets to a specific port when it knows at which port the destination MAC address is connected. So the switch "learns" over time where the MACs are and switches packets. If it doesn't know where the destination MAC is, it "floods" the frame to all ports - and when the answer comes back (with the destination MAC now being the source MAC) it records the MAC for that port. From that moment on no further frames for that MAC are flooded. Usually a switch "forgets" learned MAC addresses after a while because it may have become inactive (the device been turned off) or connected to a different port in the meantime. So the switch needs to be able to learn where it is now, and it does that by forgetting where it was and starting the learning process again. When it forgets the MAC, the next frame is flooded again, and learned again (if it is still connected anywhere). This is why - even with no mirror port - you'll see single unicasts every once in a while, usually in a rhythm of minutes. BUT if you're saying you're having tons of those flooded packets there is usually just one explanation: there is soo much traffic with tons of changing MAC addresses that the switch can't keep track of them. It's MAC address table is sort of overloaded, forgetting valid MACs to make room for new arrivals, which leads to massive flooding all the time. I've even seen switches "give up" and just flood everything, but that usually only happens for "cheap" vendors. The PowerConnect 6200 should be able to manage 8000 MAC addresses and I can't tell if you've got more than that by now. If you've got a large "flat" network with thousands of nodes in a single broadcast area and they're "overloading" the switch you can either get a switch with a larger MAC address table, or (and that would be the better approach but takes time) segment your network into VLANs to prevent that many MAC addresses arriving at a single switch. Edit: I just remembered that you said you see 2 servers doing that. I had analysis cases at customer sites where they used teamed network adapters for backup and file servers to send huge backup data over multiple lines. IF you do something like this (trunking lines) you need to make sure that the switch also knows which ports belong to the same logical link, or it will get into trouble with the MAC address table. In the cases I had the customer had only told the servers to link the network cards together, but not the switch. Instant drama. answered 14 Apr '13, 04:13  Jasper ♦♦ edited 14 Apr '13, 04:16 Jasper, thanks a lot for your answer, I really appreciate it. To give you more details - the network is flat, no VLANs and now consist from 3 stacks of PowerConnect switches: PowerConnect 7024 switches (2 in stack, for servers) <- 1GB UTP link -> 6200 series stack (3 switches, for desktops) <- 1GB 1000Base-SX link -> 6200 series stack (3 switches for desktops). UTP link is mostly temporary to try to narrow down the problem, please disregard narrow bandwith connections betwean stacks. The 7024 switches are for the servers, some phisical, most of them virtual (Microsoft Hyper-V) with teaming (LACP) and network load balancing (Windows). The network has approx. no more than 400 devices. I was connected with PC with wireshark exactly in the secon stack, the guy from terminal server session run MS SQL report (processed by another MS SQL server) and precisely at that time the traffic was so high that it was "killing" LAN network - pings to the other servers jumped to 2000-3000 miliseconds, etc. There are teamings on servers' cards, but there is also corresponding port channel configuration on the switches. Before there were old 3Com switches and it all behaved much "nicer" then with PowerConnect switches, very frustrating. Hope to explain everything clearly, English is not my native language :) Best regards, Andrew (14 Apr '13, 07:12) Andrzeja |
Thanks, SYN-bit
what loadbalancer are you writing about? IP? Like F5, for example? Could you recommend some software solution (if possible) or virtual machine (as far as I know pfSense can work as a load balancer)?
Strange is, that local admins claim they didn't change anything in the environment (in the configuration of virtual servers) axcept the switches itself (previously old 3Com 4400 models were used). If that is true, how come this problem wasn't visible at that time? Can't imagine such different behaviour betwean 3Com switches and Dell, 3Com models would have to deal with intensive unicast flooding much differently...
Thanks a lot for explanation,
Andrew
Advice on a particular loadbalancer is not something done based on the few lines in this question... It needs a little more solid investigation.
As for the difference between the PowerConnect and 3Com switches in regard to the NLB traffic, that would also mean a little more investigation.