
Solved

How to block traffic with U/L bit set, on certain ports on Catalyst 2950

Posted on 2006-05-15
295 Views
Last Modified: 2008-02-01
We have some industrial terminals which can't handle a lot of network traffic.
So we isolated them with ACLs which only allow traffic to and from the proxy server that controls those terminals. No broadcasts, etc.
Works fine, except still a lot of unwanted traffic goes through.
With Ethereal we discovered that those packets do not have the terminals as destination, nor do they have the proxy server as source.
And still they get through. All those packets come from our MS Network Load Balanced servers. Using NLB sets the U/L bit of the MAC address, because NLB assigns its own MAC address to the NLB NICs.
Those packets are broadcast throughout the whole of our network, even bypassing the ACLs. Because of the high-speed backbone, those poor industrial terminals with 10 Mbps NICs and a DOS IP stack are brought to their knees.
How can we block this traffic? So, all packets at layer 2 with the U/L bit set on the ports of the terminals. (Using Catalyst 2950)

Urgent and difficult, so 500 points.

J.
Question by: PowerIT
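The question asks for a way to express "source MAC with the U/L bit set" as a Layer 2 filter. The Python below is an added example and not code from this thread: it decodes the I/G and U/L flag bits of an Ethernet address, builds a Cisco-style MAC ACL entry whose wildcard mask cares only about the U/L bit, and runs a constructed list of frames through it. The 02-BF-/03-BF- style addresses follow the pattern NLB uses for its unicast and multicast cluster MACs; the specific values, the other addresses and the frames themselves are made up.

```python
"""Locally administered (U/L bit) MAC addresses and Cisco-style MAC ACL matching.

Added example for this thread, not code from the original post. All addresses
and frames below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple

ANY_MASK = 0xFFFFFFFFFFFF   # Cisco wildcard convention: a 1 bit means "don't care"
IG_BIT = 1 << 40            # first octet, bit 0: Individual/Group
UL_BIT = 1 << 41            # first octet, bit 1: Universal/Local (locally administered)


def parse_mac(text: str) -> int:
    """Accept 02:bf:c0:a8:01:0a, 02-bf-c0-a8-01-0a or Cisco 02bf.c0a8.010a."""
    digits = "".join(ch for ch in text.strip().lower() if ch not in ":-.")
    if len(digits) != 12 or any(ch not in "0123456789abcdef" for ch in digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return int(digits, 16)


def format_cisco(mac: int) -> str:
    """Render in the dotted form IOS uses, e.g. 0200.0000.0000."""
    h = f"{mac:012x}"
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def classify(text: str) -> str:
    """Decode the two flag bits in the first octet of an address."""
    mac = parse_mac(text)
    kind = "group" if mac & IG_BIT else "unicast"
    admin = "locally administered" if mac & UL_BIT else "universally administered"
    return f"{kind}, {admin}"


@dataclass(frozen=True)
class MacAce:
    action: str        # "permit" or "deny"
    src: int
    src_mask: int      # wildcard over the source address
    dst: int
    dst_mask: int      # wildcard over the destination address

    def matches(self, src: int, dst: int) -> bool:
        # Only the bits NOT set in the wildcard have to agree with the pattern.
        src_care = ANY_MASK & ~self.src_mask
        dst_care = ANY_MASK & ~self.dst_mask
        return ((src & src_care) == (self.src & src_care)
                and (dst & dst_care) == (self.dst & dst_care))


def evaluate(acl: List[MacAce], src: int, dst: int) -> str:
    """First matching entry wins; every IOS ACL ends in an implicit deny."""
    for ace in acl:
        if ace.matches(src, dst):
            return ace.action
    return "deny"


def _operand(addr: int, mask: int) -> str:
    if mask == ANY_MASK:
        return "any"
    if mask == 0:
        return f"host {format_cisco(addr)}"
    return f"{format_cisco(addr)} {format_cisco(mask)}"


def render(name: str, acl: List[MacAce]) -> str:
    """Print the ACL in the form it would take in a running-config."""
    lines = [f"mac access-list extended {name}"]
    for ace in acl:
        lines.append(f" {ace.action} {_operand(ace.src, ace.src_mask)} "
                     f"{_operand(ace.dst, ace.dst_mask)}")
    return "\n".join(lines)


# "Deny any frame whose source has the U/L bit set": pattern 0200.0000.0000 with
# wildcard fdff.ffff.ffff, i.e. every bit is don't-care except the U/L bit.
UL_MASK = ANY_MASK ^ UL_BIT
BLOCK_UL = [
    MacAce("deny", UL_BIT, UL_MASK, 0, ANY_MASK),
    MacAce("permit", 0, ANY_MASK, 0, ANY_MASK),
]

# Constructed frames (src, dst): an NLB-style 02-BF cluster source, two normal
# vendor-assigned sources, and a frame to a multicast-mode-style 03-BF destination.
SAMPLE_FRAMES: List[Tuple[str, str]] = [
    ("02:bf:c0:a8:01:0a", "00:0c:29:11:22:33"),
    ("00:0c:29:11:22:33", "00:50:56:aa:bb:cc"),
    ("00:50:56:c0:00:08", "ff:ff:ff:ff:ff:ff"),
    ("00:0c:29:11:22:33", "03:bf:c0:a8:01:0a"),
]


def run_acl(acl: List[MacAce], frames: List[Tuple[str, str]]) -> List[str]:
    """Return the action taken for each frame, in order."""
    return [evaluate(acl, parse_mac(s), parse_mac(d)) for s, d in frames]


if __name__ == "__main__":
    print(render("BLOCK-UL", BLOCK_UL))
    for (s, d), action in zip(SAMPLE_FRAMES, run_acl(BLOCK_UL, SAMPLE_FRAMES)):
        print(f"{action:6} {s} -> {d}   source is {classify(s)}")
```

Two caveats before typing the rendered ACL into a switch. The wildcard follows the same convention as IP wildcard masks (1 = don't care), so `fdff.ffff.ffff` means "only bit 1 of the first octet must match"; getting this inverted would deny almost everything. And Cisco documents named MAC extended ACLs on the Catalyst 2950 as filtering non-IP traffic, so verify on your own IOS release whether a `mac access-group` applied to the terminal ports actually catches the IP frames described in the question before relying on it.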
7 Comments
 
LVL 4

Expert Comment

by: Jandakel2
ID: 16683124
I would think that this sounds like the perfect scenario for a VLAN.  This will segregate the traffic.  Just stick the "old school" computers in their own VLAN, separate from everyone else.  If you need more info, let me know.

JK
 
LVL 18

Author Comment

by: PowerIT
ID: 16683174
Thanks for the input, and I should have mentioned this: we already tried solving it with VLANs. Called an external expert for this, but we cannot do this at the moment.
It should have been the best solution, but we currently only have one Catalyst. If I understand correctly, we need two of them to give the proxy server the ability to communicate with the rest of the network. All our other switches are non-Cisco and they couldn't set it up reliably.

J.
 
LVL 4

Expert Comment

by: Jandakel2
ID: 16683216
What have you got for an IP Scheme?  Have you considered breaking down your subnet assignments so that the broadcasts only hit that particular subnet?  

JK
 
LVL 18

Author Comment

by: PowerIT
ID: 16683414
The problem is not regular broadcasts. Subnet assignments don't help. This is traffic that is somehow broadcast on layer 2, just because the U/L bit is set.

J.
 
LVL 4

Accepted Solution

by: Jandakel2 (earned 2000 total points)
ID: 16684151
Is what you're talking about the multicast heartbeat? Here is an interesting approach:

http://episteme.arstechnica.com/groupee/forums/a/tpc/f/469092836/m/782000178731

Be sure to read all the posts. I know this can be done on the Catalyst side of things, but I don't know what type of network hardware you have existing elsewhere...

JK
 
LVL 18

Author Comment

by: PowerIT
ID: 16685048
Thanks JK, that's an eye opener. Been using NLB for years and never considered that problem. You really showed the heart of the problem. I was trying to cure the symptoms instead of the illness.
I'll post again how we (hopefully) finally solved it.

In the meantime, if anyone has a solution for the symptoms, please post it here. I know, I know, not a good idea, but as a temporary workaround...

Within a few days I should be able to close this.

J.
 
LVL 18

Author Comment

by: PowerIT
ID: 16992085
Sorry, I forgot to close this.
We solved it with an ACL which blocks all traffic on the uplink port except to the servers.
Later on we will look at how we can change NLB so that it doesn't generate this traffic.

J.
