icmp unrechable and redirect

Information About ICMP Unreachable Destination Counters

To configure the ICMP Unreachable Counters feature, you should understand the following concepts:

•ICMP Overview

•Type 3 Destination Unreachable Error Messages

•Denial of Service Attack

ICMP Overview

Originally created for the TCP/IP suite in RFC 792, the Internet Control Message Protocol (ICMP) was designed to report a small set of error conditions. ICMP also can report a wide variety of error conditions, provide feedback and testing capabilities. It is a valuable support tool because each message uses a common format and is sent and received by using the same protocol rules.

ICMP enables IP to perform addressing, datagram packaging, and routing by allowing encapsulated messages to be sent and received between IP devices. These messages are encapsulated in IP datagrams just like any other IP message. When the message is generated, the original IP header is encapsulated in the ICMP message and these two pieces are encapsulated within a new IP header to be returned as an error report to the sending device.

ICMP messages are sent in several situations: for example, when a datagram cannot reach its destination, when the gateway does not have the buffering capacity to forward a datagram, and when the gateway can direct the host to send traffic on a shorter route. To avoid the infinite regress of messages about messages, no ICMP messages are sent about ICMP messages.

ICMP does not make IP reliable or ensure the delivery of datagrams or the return of a control message. Some datagrams may be dropped without any report of their loss. The higher-level protocols that use IP must implement their own reliability procedures if reliable communication is required.

For information about IPv6 and ICMP, refer to Cisco IOS IPv6 Configuration Guide, Release 12.4 and Cisco IOS IPv6 Command Reference, Release 12.4.

Type 3 Destination Unreachable Error Messages

Type 3 error messages are sent when a message cannot be delivered completely to the application at a destination host. Six codes contained in the ICMP header describe the unreachable condition as follows:

•0—Network unreachable

•1—Host unreachable

•2—Protocol unreachable

•3—Port unreachable

•4—Fragmentation needed and Don't Fragment (DF) bit set

•5—Source route failed

Cisco IOS software can suppress the generation of ICMP unreachable destination error messages, which is called rate-limiting. The default is no unreachable messages more often than once every half second. Separate intervals can be configured for code 4 and all other unreachable destination error messages. However, there is no method of displaying how many ICMP messages have not been sent.

The ICMP Unreachable Destination Counters feature provides a method to count and display the unsent Type 3 messages. This feature also provides console logging with error messages when there are periods of excessive rate limiting that would indicate a Denial of Service (DoS) attack against the router.

Denial of Service Attack

A DoS attack occurs when a stream of ICMP echo requests (pings) are broadcast to a destination subnet. The source addresses of these requests are falsified to be the source address of the target. For each request sent by the attacker, many hosts on the subnet will respond flooding the target and wasting bandwidth. The most common DoS attack is called a "smurf" attack, named after an executable program and is in the category of network-level attacks against hosts. DoS attacks can be easily detected when error-message logging of the ICMP Unreachable Destination Counters feature is enabled.

How to Configure ICMP Unreachable Destination Counters

This section contains the following procedures:

•Clearing the ICMP Unreachable Destination Packet Statistics (required)

•Configuring ICMP Unreachable Destination Counters and Logging Intervals (required)

•Displaying the ICMP Unreachable Destination Packets (optional)

Clearing the ICMP Unreachable Destination Packet Statistics

Perform this task to clear all of the unreachable destination packet statistics. This task is beneficial to begin a new log after the thresholds have been set.

SUMMARY STEPS

1. enable

2. clear ip icmp rate-limit [interface-type interface-number]

3. end

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	clear ip icmp rate-limit [interface-type interface-number] Example: Router# clear ip icmp rate-limit ethernet 2/3	Clears all current ICMP unreachable statistics for all configured interfaces. The optional interface-type and interface-number arguments clear the statistics for only one interface. Note Refer to the interface command in the Cisco IOS Interface and Hardware Component Command Reference, Release 12.4 for valid interface types.
Step 3	end Example: Router# end	Exits to user EXEC mode.

Configuring ICMP Unreachable Destination Counters and Logging Intervals

Perform this task to specify an interval number for unreachable destination messages and a packet counter (threshold) and interval to trigger a logging message to a console. Counting begins as soon as this command is configured.

SUMMARY STEPS

1. enable

2. configure terminal

3. ip icmp rate-limit unreachable [df] [ms] [log [packets] [interval-ms]]

4. exit

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	configure terminal Example: Router# configure terminal	Enters global configuration mode.
Step 3	ip icmp rate-limit unreachable [df] [ms] [log [packets] [interval-ms]] Example: Router(config)# ip icmp rate-limit unreachable df log 1100 12000	Specifies the rate limitation of ICMP unreachable destination messages and the error message log threshold for generating a message. The default is no unreachable messages are sent more often than once every half second. The arguments and keywords are as follows: •df—(Optional) When Don't Fragment (DF) bit is set in the ICMP header, a datagram cannot be fragmented. If the df keyword is not specified, all other types of destination unreachable messages are sent. •ms—(Optional) Interval at which unreachable messages are generated. The valid range is from 1 ms to 4294967295 ms. •log—(Optional) List of error messages. The arguments are as follows: –packets—(Optional) Number of packets that determine a threshold for generating a log. The default is 1000 packets. –interval-ms—(Optional) Time limit for an interval for which a logging message is triggered. The default is 60000 ms, which is 1 minute. Note Counting begins as soon as this command is configured.
Step 4	exit Example: Router(config)# exit	Exits to privileged EXEC mode.

Displaying the ICMP Unreachable Destination Packets

Perform this optional task to display all of the unreachable destination packet statistics, which include dropped packets. Counting begins as soon as ip icmp rate-limit unreachable command is configured.

SUMMARY STEPS

1. enable

2. show ip icmp rate-limit [interface-type interface-number]

3. end

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	show ip icmp rate-limit [interface-type interface-number] Example: Router# show ip icmp rate-limit ethernet 2/3	Displays all current ICMP unreachable statistics for all configured interfaces. The optional interface-type and interface-number arguments displays the statistics for only one interface. Note Refer to the interface command in the Cisco IOS Interface and Hardware Component Command Reference, Release 12.4 for valid interface types.
Step 3	end Example: Router# end	Exits to user EXEC mode.

Examples

The following output using the show ip icmp rate-limit command displays the unreachable destinations by interface:

Router# show ip icmp rate-limit 

                           DF bit unreachables       All other unreachables

Interval (millisecond)     500                       500

Interface                  # DF bit unreachables     # All other unreachables 

---------                  ---------------------     ------------------------ 

Ethernet0/0                0                         0                        

Ethernet0/2                0                         0                        

Serial3/0/3                0                         19 

The greatest number of unreachables is on serial interface 3/0/3.

Configuration Examples for ICMP Unreachable Packet Counters

This section provides the following configuration example:

•ICMP Rate-Limit Unreachable Log Configuration: Example

ICMP Rate-Limit Unreachable Log Configuration: Example

In the following example, console logging begins with a packet threshold of 1200 and every 120,000 ms:

ip icmp rate-limit unreachable log 1200 120000

Additional References

The following sections provide references related to ICMP Unreachable Destination Counters feature.

Related Documents

Related Topic	Document Title
IP application services configuration tasks	Cisco IOS IP Addressing and Services Configuration Guide, Release 12.3
IP application services commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples	Cisco IOS IP Application Services Command Reference, Release 12.4T
Interface and hardware component commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples	Cisco IOS Interface and Hardware Component Command Reference, Release 12.4T

Standards

Standards	Title
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.	—

MIBs

MIBs	MIBs Link
No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.	To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs

RFCs

RFCs	Title
RFC 792	Internet Control Message Protocol

Technical Assistance

Description	Link
Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.	http://www.cisco.com/public/support/tac/home.shtml

Command Reference

This section documents new and modified commands only.

New Commands

•clear ip icmp rate-limit

•show ip icmp rate-limit

Modified Commands

•ip icmp rate-limit unreachable

clear ip icmp rate-limit

To clear all Internet Control Message Protocol (ICMP) unreachable rate-limiting statistics or all statistics for a specified interface, use the clear ip icmp rate-limit command in privileged EXEC mode.

clear ip icmp rate-limit [interface-type interface-number]

Syntax Description

interface-type	(Optional) Type of interface to be configured. Refer to the interface command in the Cisco IOS Interface and Hardware Component Command Reference, Release 12.4 for a list of valid interface types.
interface-number	(Optional) Port, connector, or interface card number. On Cisco 4700 series routers, specifies the network interface module (NIM) or network processor module (NPM) number. The numbers are assigned at the factory at the time of installation or when added to a system, and can be displayed with the show interfaces command.

Defaults

All unreachable statistics for all devices are cleared.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.4(2)T	This command was introduced.

Examples

The following example shows how to clear all unreachable statistics on all interfaces:

Router# clear icmp rate-limit

Related Commands

Command	Description
ip icmp rate-limit unreachable	Limits the rate at which ICMP unreachable messages are generated for a destination.
show ip icmp rate-limit	Displays all ICMP unreachable rate-limiting statistics or all statistics for a specified interface.

ip icmp rate-limit unreachable

To limit the rate at which Internet Control Message Protocol (ICMP) unreachable messages are generated for a destination, use the ip icmp rate-limit unreachable command in global configuration mode. To use the default, use the no form of this command.

ip icmp rate-limit unreachable [df] [ms] [log [packets] [interval-ms]]

no ip icmp rate-limit unreachable [df] [ms] [log [packets] [interval-ms]]

Syntax Description

df

(Optional) Don't Fragment (DF) bit is set. The optional ms argument is a time limit in milliseconds (ms) in which one unreachable message is generated. If the df keyword is specified, its ms argument remains independent from those of general destination unreachable messages. The valid range is from 1 ms to 4294967295 ms. Note Counting begins as soon as this command is configured.

log

(Optional) Logging of generated messages that show packets that could not reach a destination at a specified threshold. The optional packets argument specifies a packet threshold. When it is reached, a log message is generated on the console. The default is 1000 packets. The optional interval-ms argument is a time limit for the interval for which a logging message is triggered. The default is 60000 ms, which is 1 minute.

Defaults

The default value is one ICMP destination unreachable message per 500 ms.

Command Modes

Global configuration

Command History

Release	Modification
12.0	This command was introduced.
12.4(2)T	The packets and the interval-ms arguments and log keyword were introduced.

Usage Guidelines

Counting of packets begins when the command is configured and a packet threshold is specified.

The no ip icmp rate-limit unreachable command turns off the previously configured rate limit. To reset the rate limit to its default value, use the ip icmp rate-limit unreachable command default.

Cisco IOS software maintains two timers: one for general destination unreachable messages and one for DF destination unreachable messages. Both share the same time limits and defaults. If the df option is not configured, the ip icmp rate-limit unreachable command sets the time values in ms for DF destination unreachable messages.

Examples

The following example sets the rate of the ICMP destination unreachable message to one message every 10 ms:

ip icmp rate-limit unreachable 10

The following example turns off the previously configured rate limit:

no ip icmp rate-limit unreachable

The following example sets the rate limit back to the default:

no ip icmp rate-limit unreachable

The following example sets a logging packet threshold and time interval:

ip icmp rate-limit unreachable log 1200 120000

Related Commands

Command	Description
clear ip icmp rate-limit	Clears all ICMP unreachable destination messages or all statistics for a specified interface.
show ip icmp rate-limit	Displays all ICMP unreachable destination messages or all statistics for a specified interface.

show ip icmp rate-limit

To display all Internet Control Message Protocol (ICMP) unreachable destination messages or unreachable destination messages for a specified interface including the number of dropped packets, use the show ip icmp rate-limit command in privileged EXEC mode.

show ip icmp rate-limit [interface-type interface-number]

Syntax Description

interface-type	(Optional) Interface type. Type of interface to be configured. Note Refer to the interface command in the Cisco IOS Interface and Hardware Component Command Reference, Release 12.4 for a list of interface types.
interface-number	(Optional) Port, connector, or interface card number. On Cisco 4700 series routers, specifies the network interface module (NIM) or network processor module (NPM) number. The numbers are assigned at the factory at the time of installation or when added to a system, and can be displayed with the show interfaces command.

Defaults

All unreachable statistics for all devices are displayed.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.4(2)T	This command was introduced.

Examples

The following is sample output when the show ip icmp rate-limit command is entered and unreachable messages are generated:

Router# show ip icmp rate-limit

                           DF bit unreachables        All other unreachables

Interval (millisecond)     500                        500

Interface                  # DF bit unreachables     # All other unreachables 

---------                  ---------------------     ------------------------ 

Ethernet0/0                0                         0                        

Ethernet0/2                0                         0                        

Serial3/0/3                0                         19

The greatest number of unreachables on Serial3/0/3 is 19.

The following is sample output when the show ip icmp rate-limit command is entered and the rate-limit interval has been set at 500. The packet threshold has been set at 1 by using the ip icmp rate-limit unreachable command, so the logging will display on the console when the threshold is exceeded. The total suppressed packets since last log message is displayed.

Router# show ip icmp rate-limit

00:04:18: %IP-3-ICMPRATELIMIT: 2 unreachables rate-limited within 60000 milliseconds on 
Serial3/0/3. 17 log messages suppressed since last log message displayed on Serial3/0/3

Table 1 describes the significant fields shown in the display.

Table 1 show ip icmp rate-limit Field Descriptions 

Field	Description
ICMPRATELIMIT	ICMP packets that are rate limited.
suppressed	Packets that have been suppressed because the destination is unreachable.

-================================

How ICMP Redirect Messages Work

ICMP redirect messages are used by routers to notify the hosts on the data link that a better route is available for a particular destination.
For example, the two routers R1 and R2 are connected to the same Ethernet segment as Host H. The default gateway for Host H is configured to use router R1. Host H sends a packet to router R1 to reach the destination on Remote Branch office Host 10.1.1.1. Router R1, after it consults its routing table, finds that the next-hop to reach Host 10.1.1.1 is router R2. Now router R1 must forward the packet out the same Ethernet interface on which it was received. Router R1 forwards the packet to router R2 and also sends an ICMP redirect message to Host H. This informs the host that the best route to reach Host 10.1.1.1 is by way of router R2. Host H then forwards all the subsequent packets destined for Host 10.1.1.1 to router R2.

This debug message shows router R1, as in the network diagram, sending an ICMP redirect message to Host H (172.16.1.1).

R1#
debug ip icmp


ICMP packet debugging is on

*Mar 18 06:28:54: ICMP:redirect sent to 172.16.1.1 for dest 10.1.1.1, use gw 172.16.1.200

R1# 

Router R1 (172.16.1.100) sends a redirect to Host H (172.16.1.1) to use router R2 (172.16.1.200) as the gateway to reach the destination 10.1.1.1.

When Are ICMP Redirects Sent?

Cisco routers send ICMP redirects when all of these conditions are met:

• The interface on which the packet comes into the router is the same interface on which the packet gets routed out.
  
• The subnet or network of the source IP address is on the same subnet or network of the next-hop IP address of the routed packet.
  
• The datagram is not source-routed.
  
• The kernel is configured to send redirects. (By default, Cisco routers send ICMP redirects. The interface subcommand no ip redirects can be used to disable ICMP redirects.)
  

Note: ICMP redirects are disabled by default if Hot Standby Router Protocol (HSRP) is configured on the interface. In Cisco IOS Software Release 12.1(3)T and later, ICMP Redirect is allowed to be enabled on interfaces configured with HSRP. For more information, refer to HSRP Support for ICMP Redirects section of Hot Standby Router Protocol Features and Functionality.
For example, if a router has two IP addresses on one of its interfaces:

  interface ethernet 0

  ip address 171.68.179.1 255.255.255.0

  ip address 171.68.254.1 255.255.255.0 secondary

If the router receives a packet that is sourced from a host in the subnet 171.68.179.0 and destined to a host in the subnet 171.68.254.0, the router does not send an ICMP redirect because only the first condition is met, not the second.
The original packet for which the router sends a redirect still gets routed to the correct destination.

Related Commands

Command	Description
clear icmp rate-limit	Clears all ICMP unreachable destination messages or all messages for a specified interface.
ip icmp rate-limit unreachable	Limits the rate at which ICMP unreachable messages are generated for a destination.

1.1c (i) Unicast Flooding in Switched Networks

Introduction This document discusses possible causes and implications of unicast packet flooding in switched networks. Problem Definition LAN switches use forwarding tables (Layer 2 (L2) tables, Content Addressable Memory (CAM) tables) to direct traffic to specific ports based on the VLAN number and the destination MAC address of the frame. When there is no entry corresponding to the frame's destination MAC address in the incoming VLAN, the (unicast) frame will be sent to all forwarding ports within the respective VLAN, which causes flooding. Limited flooding is part of the normal switching process. There are situations, however, when continuous flooding can cause adverse performance effects on the network. This document explains what issues can arise due to flooding, and the most common reasons why certain traffic might constantly be flooded. Note that most modern switches including the Catalyst 2900 XL, 3500 XL, 2940, 2950, 2970, 3550, 3750, 4500/4000, 5000, and 6500/6000 series switches maintain L2 forwarding tables per VLAN. Causes of Flooding The very cause of flooding is that destination MAC address of the packet is not in the L2 forwarding table of the switch. In this case the packet will be flooded out of all forwarding ports in its VLAN (except the port it was received on). Below case studies display most common reasons for destination MAC address not being known to the switch. Cause 1: Asymmetric Routing Large amounts of flooded traffic might saturate low-bandwidth links causing network performance issues or complete connectivity outage to devices connected across such low-bandwidth links. Consider the following diagram: In the diagram above, server S1 in VLAN 1 is running backup (bulk data transfer) to server S2 in VLAN 2. Server S1 has its default gateway pointing to router A's VLAN 1 interface. Server S2 has its default gateway pointing to router B's VLAN 2 interface. Packets from S1 to S2 will follow this path: S1--VLAN 1--switch A--router A--VLAN 2--switch B--VLAN 2--S2 (blue line) Packets from S2 to S1 go along the following path: S2--VLAN 2--switch B--router B--VLAN 1--switch A--flooded to VLAN 1--S1 (red line) Note that with such an arrangement, switch A will not "see" traffic from the S2 MAC address in VLAN 2 (since the source MAC address will be rewritten by router B and the packet will only arrive in VLAN 1). This means that every time switch A needs to send the packet to the S2 MAC address, the packet will be flooded to VLAN 2. The same situation will occur with the S1 MAC address on switch B. This behavior is called asymmetric routing. Packets follow different paths depending on the direction. Asymmetric routing is one of the two most common causes of flooding. Impact of Unicast Flooding Returning to the above example, the result is that packets of the data transfer between S1 and S2 will mostly be flooded to VLAN 2 on switch A and to VLAN 1 on switch B. This means every connected port (workstation W in this example) in VLAN 1 on switch B will receive all packets of conversation between S1 and S2. Suppose the server backup takes 50 Mbps of bandwidth. This amount of traffic will saturate 10 Mbps links. This will cause a complete connectivity outage to the PCs or slow them down considerably. This flooding is due to asymmetric routing, and may stop when server S1 sends a broadcast packet (for example Address Resolution Protocol (ARP)). Switch A will flood this packet to VLAN 1 and switch B will receive and learn the MAC address of S1. Since the switch is not receiving traffic constantly, this forwarding entry will eventually age out and flooding will resume. The same process applies to S2. There are different approaches to limit the flooding caused by asymmetric routing. Refer to these documents for more information: Asymmetric Routing with Bridge Groups on Catalyst 2948G-L3 and 4908G-L3 Switches Asymmetric Routing and HSRP (Excessive Flooding of Unicast Traffic in Network with Routers Running HSRP) The approach is normally to bring the router's ARP timeout and the switches' forwarding table-aging time close to each other. This will cause the ARP packets to be broadcast. Relearning must occur before the L2 forwarding table entry ages out. A typical scenario where this kind of issue might be observed is when there are redundant Layer 3 (L3) switches (such as a Catalyst 6000 with Mutilayer Switch Feature Card (MSFC)) configured to load-balance with Hot Standby Router Protocol (HSRP). In this case, one switch will be active for even VLANs and the other one will be active for odd VLANs. Cause 2: Spanning-Tree Protocol Topology Changes Another common issue caused by flooding is Spanning-Tree Protocol (STP) Topology Change Notification (TCN). TCN is designed to correct forwarding tables after the forwarding topology has changed. This is necessary to avoid a connectivity outage, as after a topology change some destinations previously accessible via particular ports might become accessible via different ports. TCN operates by shortening the forwarding table aging time, such that if the address is not relearned, it will age out and flooding will occur. TCNs are triggered by a port that is transitioning to or from the forwarding state. After the TCN, even if the particular destination MAC address has aged out, flooding should not happen for long in most cases since the address will be relearned. The issue might arise when TCNs are occurring repeatedly with short intervals. The switches will constantly be fast-aging their forwarding tables so flooding will be nearly constant. Normally, a TCN is rare in a well-configured network. When the port on a switch goes up or down, there is eventually a TCN once the STP state of the port is changing to or from forwarding. When the port is flapping, repetitive TCNs and flooding occurs. Ports with the STP port fast feature enabled will not cause TCNs when going to or from the forwarding state. Configuration of portfast on all end-device ports (such as printers, PCs, servers, and so on) should limit TCNs to a low amount. Refer to this document for more information on TCNs: Understanding Spanning-Tree Protocol Topology Changes Note: In MSFC IOS, there is an optimization that will trigger VLAN interfaces to repopulate their ARP tables when there is a TCN in the respective VLAN. This limits flooding in case of TCNs, as there will be an ARP broadcast and the host MAC address will be relearned as the hosts reply to ARP. Cause 3: Forwarding Table Overflow Another possible cause of flooding can be overflow of the switch forwarding table. In this case, new addresses cannot be learned and packets destined to such addresses are flooded until some space becomes available in the forwarding table. New addresses will then be learned. This is possible but rare, since most modern switches have large enough forwarding tables to accommodate MAC addresses for most designs. Forwarding table exhaustion can also be caused by an attack on the network where one host starts generating frames each sourced with different MAC address. This will tie up all the forwarding table resources. Once the forwarding tables become saturated, other traffic will be flooded because new learning cannot occur. This kind of attack can be detected by examining the switch forwarding table. Most of the MAC addresses will point to the same port or group of ports. Such attacks can be prevented by limiting the number of MAC addresses learned on untrusted ports by using the port security feature. Configuration Guides for Catalyst switches running Cisco IOS® or CatOS software have a section called Configuring Port Security or Configuring Port-Based Traffic Control. Refer to the Technical Documentation for your switch on the Cisco Switches product pages for more information. Note: If unicast flooding occurs in a switch port which is configured for Port Security with the condition of "Restrict" to arrest the flooding, a security violation is trigerred. Router(config-if)#switchport port-security violation restrict Note: When such a security violation occurs, the affected ports configured for "restrict" mode should drop packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value. This causes the SecurityViolation counter to increment. Note: Instead of this behavior, if the switch port moves to "Shutdown" state then you need to configure Router(config-if)#switchport block unicast so that the particular switch port is disabled for unicast flooding. How to Detect Excessive Flooding Most switches implement no special command to detect flooding. Catalyst 6500/6000 Supervisor Engine 2 and higher series switches running Cisco IOS System software (Native) version 12.1(14)E and higher or Cisco CatOS system software version 7.5 or higher implements 'unicast flood protection' feature. In short, this feature allows the switch to monitor the amount of unicast flooding per VLAN and take specified action if flooding exceeds specified amount. Actions can be to syslog, limit or shutdown VLAN - the syslog being the most useful for flood detection. When flooding exceeds the configured rate and the action configured is syslog, a message similar to the following will be printed: %UNICAST_FLOOD-4-DETECTED: Host 0000.0000.2100 on vlan 1 is flooding to an unknown unicast destination at a rate greater than/equal to 1 Kfps The MAC address indicated is the source MAC from which the packets are flooded on this switch. It is often needed to know the destination MAC addresses to which switch is flooding (because switch is forwarding by looking at the destination MAC address). Cisco IOS (Native) versions 12.1(20)E for Catalyst 6500/6000 supervisor engine 2 and on will implement capability to display the MAC addresses to which flooding is occurring: cat6000#sh mac-address-table unicast-flood Unicast Flood Protection status: enabled Configuration:  vlan      Kfps         action       timeout ------+----------+-----------------+----------    55          1             alert      none Mac filters:  No.   vlan   souce mac addr.           installed on           time left (mm:ss) -----+------+-----------------+------------------------------+------------------ Flood details:  Vlan   souce mac addr.              destination mac addr. ------+----------------+-------------------------------------------------    55   0000.2222.0000    0000.1111.0029, 0000.1111.0040, 0000.1111.0063                           0000.1111.0018, 0000.1111.0090, 0000.1111.0046                           0000.1111.006d Further investigation can then be carried out to see if MAC address 0000.2222.0000 is supposed to be sending traffic to the MAC addresses listed in the destination MAC address section. If traffic is legitimate, then one would need to establish why destination MAC addresses are not known to the switch. For information on the unicast flood protection configuration, refer to these documents: Configuration Monitoring You may detect if flooding is occurring by capturing a trace of packets seen on a workstation during the time of slowdown or outage. Normally, unicast packets not involving the workstation should not be seen repeatedly on the port. If this is happening, chances are that there is flooding occurring. Packet traces may look different when there are various causes of flooding. With asymmetric routing, there are likely to be packets to specific MAC address that will not stop flooding even after the destination replies. With TCNs, the flooding will include many different addresses, but should eventually stop and then restart. With L2 forwarding table overflow, you are likely to see same kind of flooding as with asymmetric routing. The difference is that there will likely be a high amount of strange packets, or normal packets in abnormal quantities with a different source MAC address.   -=====================================-============================ Unicast Flooding is part of the normal switching process, when there is no entry for a destination MAC in the CAM table, the switch will flood all ports within a VLAN except the receiving port.  Abnormal flooding can occur under certain circumstances and can have a negative impact on performance. Causes: Asymmetric Routing - Packets traversing one path and returning on another.  Flooding may temporarily stop when a broadcast is sent but will resume when the forwarding entry ages out. Modifying ARP timeout and forwarding table aging time to be closer can mitigate this arp timeout seconds address-table aging-time seconds Network redesign/Implementing an HSRP solution can solve this problem STP Topology Changes - When Topology Change Notifications(TCN) occur frequently and in short intervals. Rare in a well configured network Portfast configuration on host or end-device ports will reduce TCNs spanning-tree portfast CAM/Forwarding Table Overflow -Rare, due to the fact that most switches now have large enough forwarding tables.  Can occur when an attack occurs by a host generating frames sources by multiple MAC addresses. Port security and/or unicast blocking can prevent this Source: Unicast Flooding in Switched Campus Networks Asymmetric Routing See the above definition Impact of Micro Burst Unexpected patterns of data bursts in a very small time window can create a higher risk of data loss if the burst is more than the interface and device buffer can handle.