Unicast Flooding due to Asymmetric Routing

Hello Andrew

Let me walk through it myself as well, I think it will be easier to explain:

1. H1 pings H2
2. Because H2 is in a different subnet, H1 sends the packet to the default gateway, that is, SVI VLAN 10 on SW1.
3. SW1 decapsulates the frame and looks at the IP header. Destination IP address is that of H1. If it has the ARP entry, then it knows the destination MAC address to place in the frame header, and it does so.
4. If it has no entry for the destination MAC in the MAC table, then it will be flooded out of all ports on VLAN 20 and all trunks that include VLAN 20, so H3 does indeed receive it too).
5. SW2 will receive the packet. If the MAC address of H2 is in the MAC address table, then it will be forwarded only out of Fa0/2. Otherwise it will be flooded to all VLAN 20 ports.
6. H2 receives the ping, and responds to the IP address of H1. It sends the response to the SVI VLAN 20 of SW2.
7. It decapsulates the frame, checks the destination IP, and uses the ARP cache to find the destination MAC, and populates the frame header with destination MAC.
8. If it doesn’t have an entry in the MAC address table for this destination MAC, it will be sent out all of the VLAN 10 access interfaces and trunks that include VLAN 10, reaching SW1.
9. if the destination MAC is in the MAC table, the frame is forwarded out of Fa0/1 to go to H1. If it is not in the MAC table, it is flooded out of all VLAN 10 access ports and trunk ports that include VLAN 10.

Sorry for restating this, but it helps in verification. Your understanding is indeed correct. SW1 will never learn H2’s MAC address because all traffic between H1 and H2 is routed at SW2, so H1’s MAC address never reaches SW1 for it to be recorded.

I hope this has been helpful!

Laz

Hi Laz,

Thank you very much for your quick and detailed response - This is very much appreciated!

You have cleared this is up for me

Many Thanks,

Andrew

Hi Guys, I understand that the destination MAC for broadcast traffic is ffff.ffff.ffff but what is the destination MAC address used for unknown unicast frames? Thanks - Gareth.

Ok - there isn’t a specific unknown unicast MAC address (I think), the MAC address for the desired destination host is used and flooded via every port apart from the ingress.

Hello Gareth

Yes, that’s it. When we say “unknown” MAC address, we mean a MAC address that is not found within the MAC address table of the switch. And in the case described in the lesson, the switch will never learn this MAC address, so all such traffic will be flooded.

Remember that a switch populates its MAC address table by taking the source MAC address of a frame and associating it with the port on which it came in on. This information is placed in the MAC address table. In the scenario described in the lesson, the MAC address of H2 will never be learned by SW1 because all incoming traffic from this device is routed on SW2, so the only MAC address SW1 will see is that of the SVI on SW2.

So the MAC address of H2 will remain unknown forever, and will cause flooding on SW1.

I hope this has been helpful!

Laz

Hi Rene,

I am confused a bit. When you say that SW1 have ARP entry of H2, so, I believe it knows the MAC address of H2.

SW1#show ip arp 192.168.20.2
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.20.2          101   0017.5aed.7af1  ARPA   Vlan20

SW1#show mac address-table address 0017.5aed.7af1
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----

Is it because that it does not know how to reach the MAC of H2 ,it floods the packet towards all VLAN 20 ports except the port from where it received the packet?

Please help clear the confusion.

Hello Justin

It is important here to clearly understand the purpose (and the difference) between the MAC address table and the ARP table within a Layer 3 switch.

The MAC address table will provide a correspondence between MAC addresses and switch ports for the purpose of forwarding transient traffic within the same network segment.

The ARP table will provide a correspondence between IP address and MAC address for the purpose of forwarding transient traffic from one subnet to another. Specifically, to determine the MAC address of the next hop.

So if you have traffic coming from a host in VLAN 20 destined for a host in VLAN 20 (same subnet) then the only thing that will be used is the MAC address table and not the ARP table. In this case, the specific MAC will be looked up to see out of which VLAN 20 port it should forward the frame. If the destination is not in the MAC address table it is forwarded out of all ports even if the MAC exists in the ARP table.

The ARP table will only be referenced when a Layer 3 interface (the SVIs in this case) wants to forward a packet to the next hop IP and the next hop MAC is not known (not in the ARP table). Then an ARP request will be sent.

I hope this has been helpful!

Laz

Hello Justin

It seems that you have responded to me personally, so I will share your post and respond to it here.

Hi Laz,

Thanks for your reply.

So in this case traffic is between different vlans.(vlan 10 to vlan 20).

Correct me if I am wrong.

when the packet sent by H1 is received on Sw1.

It will first look that the destination IP is of different Vlan. So it will perform routing.

Further checking it will find vlan 20 is directly connected, so at this stage it will check Arp table first to find the Mac address of destination.

Then it will search the Mac address of H2 in Mac address table, but not finding it it will send the unicast message having Mac of H2 on all Vlan 20 interface. Is this right?

Thanks,
Justin George

Yes this is absolutely correct. And the reason it won’t find H2’s MAC address in its ARP table is because SW1 will never receive a frame with a source MAC address of H2.

Remember that the ARP table is populated by using the source MAC addresses read on frames coming into particular ports. Because SW1 will never see an incoming frame with the source MAC of H2 (because SW2 takes care of those frames), it will never know out of which port to send a frame destined for H2.

I hope this has been helpful!

Laz

Hi Laz,

Thanks for your quick response and clearing the topic for me.

Really appreciated.

Justin

Hi Laz ,

Yes this is absolutely correct. And the reason it won’t find H2’s MAC address in its ARP table is because SW1 will never receive a frame with a source MAC address of H2

But switch should have a entry right that H2 is on other side of the trunk and it can be reached on port trunk on SW2 ?

Regards
shaan

Hi Moderators ,

I am having difficulty whole concept of asymmetric routing or to be precise unknown unicast flooding , kindly would request to explain what happens when all the devices are turned on for the first time and H1 wants to communicate with H2 - I have been behind this for 2 days

thank you in advance to all of you

Regards
shaan

Hello Shaan

The only way SW1 will learn of H2’s MAC address is if a frame comes from H2 and enters the Fa0/24 interface of SW1 with a VLAN tag of VLAN 20. But this never happens. Because when H2 sends a frame, it is routed at the SVI VLAN20 of SW2, and sent on VLAN 10 to the trunk port of SW1 with a source MAC of the SVI on SW2.

I hope this has been helpful!

Laz

Hello Shaan

Take a look at the diagram from the lesson:

image762×467 73.1 KB

1. The default gateway of H1 is the SVI for VLAN10 in SW1
2. The default gateway of H2 is the SVI for VLAN20 on SW2
3. H1 and H2 are on different subnets
4. Communication between H1 and H2 requires the use of a default router

When H1 sends a packet to H2, it hits the SVI of VLAN 10 on SW1 and is routed to VLAN 20, and is sent over the trunk to SW2 on VLAN20. When SW2 receives this frame, it has a source MAC of the SVI VLAN20 of SW1. Therefore SW2 knows nothing of H1’s MAC address and never will since all traffic sourced from H1 to H2 will be routed at SW1.

Similarly, when H2 sends a packet to H1, it hits the SVI of VLAN 20 on SW2 and is routed to VLAN 10 and is sent over the trunk to SW1 on VLAN 10. When SW1 recieves the frame, it has a source MAC of the SVI VLAN 10 of SW2. Therefore SW1 knows nothing of H2’s MAC address and never will since all traffic sourced from H2 to H1 will be routed at SW2.

So SW1 will never learn H2’s MAC address, so any frame with H2’s MAC as the destination MAC that arrives at SW1 will always be flooded, because there is no MAC address table entry for that MAC.

I hope this has been helpful!

Laz

Thanks Laz for the explanation i understood the working when mac address table is flushed out n unicast flooding starts but its mentioned unknown unicast flooding starts when SW1 mac address table is flushed out after a aging time is reached until then there will b no issues of unicast flooding so just wanted to know what will be the mac address table for SW1 look like when everything is working fine , how does SW1 learn H2s mac address for the first time when H1 is powered on

Regards
shaan

Hello Mohammed

Ah yes, understood. Until now I was describing the situation after unicast flooding began, but there is a period in time, as you correctly state, where everything is working correctly..,.

As soon as all devices are turned on, the ARP tables and MAC address tables are empty. H1 sends a ping to H2, and this is what happens:

1. The packet is received by SW1 and is routed to VLAN 20. At this point VLAN 20 knows the destination IP address, but not the destination MAC.
2. ARP is used to learn of the destination MAC address, and this is flooded on VLAN 20. The ARP request is a broadcast, so it reaches all of VLAN 20 on both switches.
3. H2 will respond with an ARP reply, and will send it to the VLAN 20 SVI on SW1. SW1 will update its ARP table.
4. This ARP response has a the source MAC address of H2, so it will also be used to populate SW1’s MAC address table with H2’s MAC address. So now SW1 has both an ARP and a MAC address table entry.
5. Another way in which H2’s MAC address is recorded on SW1’s MAC address table is when H2 performs an ARP request of its own for its default gateway. This too would reach SW1 and would populate the MAC address table.

This is how the correct MAC table and ARP table entries are obtained.

Now the ARP table caches its entries for four hours while the MAC address table for 5 minutes. If H2 remains idle for more than 5 minutes, SW1 will lose its MAC address table entry for H2. Any subsequent traffic that occurs will have an ARP table entry, but no MAC address table entry for H2 in SW1, and unicast flooding occurs. If H2 remains idle for more than four hours, then the ARP table is also purged, and correct ARP and MAC address table entries can once again be obtained.

I hope this has been helpful!

Laz

Hi Laz ,

“Another way in which H2’s MAC address is recorded on SW1’s MAC address table is when H2 performs an ARP request of its own for its default gateway.” - This too would reach SW1 and would populate the MAC address table." ----- So on SW1’s MAC Address table the entry will be like Port 24 to reach H2 on Vlan 100 ?

Regards
shaan

Hello Shaan

The MAC address table entry for H2’s MAC address on SW1 will be on Fe0/24, but it will be associated with VLAN 20. In the previous post I mentioned that there are two ways that SW1 can obtain the MAC Address Table entry of H2’s MAC (numbers 4 and 5 in the list). In both cases, SW1 will learn of H2’s MAC on its Fe0/24 port, and will associate them with VLAN 20.

I hope this has been helpful!

Laz

Hey, i don’t get changing the Network design to use only one Multilayer switch for all VLAN gateways, solve this unicast flooding problem. I know it solve the Asymmetric routing issue.

If I assume,

VLAN 10 SVI - 192.168.10.254
VLAN 20 SVI - 192.168.20.254

Both are configured on the SW1. And SW2 used only as a L2 device.

Now, after 5 minutes expiration, all the MAC addresses will be flushed. Then H1 sends a ping to H2.

H1 knows Gateway’s MAC, so build the ethernet frame,

Src IP - 192.168.10.1
Dst IP - 192.168.20.2
Src MAC - H1
Dst MAC - VLAN 10 SVI

This received by the SW1. See Dst MAC is its own, so look at RIB.
192.168.20.0/24 is directly connected via VLAN20. So, build the ethernet frame,

Src IP - 192.168.10.1
Dst IP - 192.168.20.2
Src MAC - VLAN20 SVI
Dst MAC - H2 (Previous ARP cache)

But SW1 still doesn’t know in which interface this H2 is in, right? So, doesn’t it flood out of all VLAN 20 interfaces ? Still there will be Unicast flooding.

But once this is received by SW2, it also doesn’t know anything about H2 MAC. So, it will flood this frame out of all VLAN20 interfaces it has. H2 will receive this in the end, and send the return traffic.

In this moment H2 builds the Ethernet frame,
Src IP - 192.168.20.2
Dst IP - 192.168.10.1
Src MAC - H2
Dst MAC - VLAN 20 SVI

Once this is received by SW2, it will get to know the H2 MAC. And forward it out of trunk, since SW2 knows VLAN20 SVI MAC is in the trunk. And then SW1 also will get to learn the H2 MAC address. Now, unicast flooding will be stopped.

But that 1st packet will be still flooded, right?

Hello Pamod

In the lesson, the described process will flood ALL packets ALL the time for particular MAC addresses. This is because the MAC address table of one switch is not updated with all of the MAC addresses of the hosts on the other switch.

By changing the network design so that a single router or multilayer switch is used as the default gateway for all VLANs, it will solve the problem, because that switch will both send and receive traffic from all hosts. Thus, it will update its MAC address table with all the MAC addresses of all the hosts. In such a case, yes, you are right, that initially the 1st packet will be flooded, but once the MAC addresses are learned, flooding will stop.

This behavior of the initial packet being flooded out of all switch ports is the normal behavior for switches in any scenario. Does that make sense?

I hope this has been helpful!

Laz