04-30-2014 02:24 AM
Just wondering if anybody has seen this, or can explain it?
I've attached a couple of screenshots (airwave), and note the data looks similar (recent obviously) on the controller (data centre one).
The customer I'm working on right now has 2 x 7200 and airwave (new deployment). One of the 7200s and airwave is in a data centre. The 7200 in the other site appears normal in terms of firewall dash data. The controller in the data centre (and airwave) is showing me firewall data regarding what looks like server-server comms in that data centre. This is strange, as that server traffic cannot be traversing the controller. The controller is attached to a core Cisco in that DC (to which these servers also attach, same vlan/subnet), but the controller isn't the router. It's simply attached L2 on a port channel, with an IP address in that VLAN.
04-30-2014 04:36 AM
04-30-2014 04:44 AM - edited 04-30-2014 04:44 AM
It is yes.
The customer's datacentre, in terms of the vlan/subnet where this controller "lives", is shared on a /16 with lots of servers. Whilst this clearly sucks, it's outside the scope of my work for the moment.
Interesting that you're seeing the same. Doesn't it strike you as a bit odd? i.e.
In our scenario, the controller is attached L2 style to a Cisco core, to which all the other DC servers attach. As a result, server-server unicast traffic should never be seen by the controller at all. Yet, the firewall data suggests otherwise. I appear to be seeing evidence of application flows host-to-host.
The only reason I could see this happening is if the servers' traffic flow was flooded by the switches, which of course it might be if the servers are using broadcast MACs or some sort of multicast which hasn't been snooped? That's probably it, now I think of it.
I'm almost inclined to go to the DC and sniff things.
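The flooding hypothesis above can be checked in a capture by looking at the destination MAC of each frame the controller's wired port received: unicast to the controller's own MAC is expected, anything unicast to another host's MAC was flooded by the switch, and a multicast MAC carrying a unicast IP is the NLB-style case. This is an added Python example, not code from the thread or from Aruba; the controller MAC, server MACs and 10.1.x.x addresses are constructed.

```python
import socket
import struct

CONTROLLER_MAC = "00:0b:86:aa:bb:01"  # constructed controller MAC, not from the thread

def build_frame(dst_mac, src_mac, src_ip, dst_ip, vlan=None):
    # Minimal IPv4-in-Ethernet frame, optionally 802.1Q tagged; used only as constructed capture data.
    hdr = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    if vlan is not None:
        hdr += struct.pack("!HH", 0x8100, vlan)
    hdr += struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return hdr + ip

def parse_frame(raw):
    # Returns (dst_mac, src_ip, dst_ip) for an IPv4 frame, or None for anything else.
    if len(raw) < 14:
        return None
    dst, _src, ethertype = struct.unpack("!6s6sH", raw[:14])
    off = 14
    if ethertype == 0x8100:  # trunked port-channel: step over the VLAN tag
        ethertype = struct.unpack("!H", raw[16:18])[0]
        off = 18
    if ethertype != 0x0800 or len(raw) < off + 20:
        return None
    return (dst.hex(":"), socket.inet_ntoa(raw[off + 12:off + 16]),
            socket.inet_ntoa(raw[off + 16:off + 20]))

def classify(raw, our_mac=CONTROLLER_MAC):
    # Label why the controller's wired port received this frame at all.
    parsed = parse_frame(raw)
    if parsed is None:
        return "non_ipv4"
    dst_mac, _src_ip, dst_ip = parsed
    if dst_mac == our_mac:
        return "addressed_to_controller"  # the only unicast the controller should normally see
    if dst_mac == "ff:ff:ff:ff:ff:ff":
        return "broadcast"
    if int(dst_mac[:2], 16) & 1:  # group bit set: multicast destination MAC
        ip_is_mcast = 224 <= int(dst_ip.split(".")[0]) <= 239
        return "ip_multicast" if ip_is_mcast else "multicast_mac_unicast_ip"  # NLB-style
    return "flooded_unicast"  # another host's MAC: the switch flooded an unknown unicast

SAMPLE_FRAMES = [  # constructed capture: DC servers 10.1.2.x sharing the controller's VLAN
    build_frame(CONTROLLER_MAC, "00:50:56:01:01:01", "10.1.2.10", "10.1.0.5"),
    build_frame("00:50:56:02:02:02", "00:50:56:01:01:01", "10.1.2.10", "10.1.2.20", vlan=100),
    build_frame("03:bf:0a:01:02:1e", "00:50:56:01:01:01", "10.1.2.10", "10.1.2.30"),
    build_frame("ff:ff:ff:ff:ff:ff", "00:50:56:01:01:01", "10.1.2.10", "10.1.255.255"),
]
```

Feeding real frames (for example from a mirror port) through `classify` and counting the labels shows whether the server-to-server sessions in the firewall data arrive as flooded unicasts or as multicast-MAC traffic.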
04-30-2014 04:45 AM
Now I think more about it, doesn't Microsoft NFT generate traffic like this in certain conditions? I'll go look...
04-30-2014 06:01 AM
The racking.monkey, are any of the VLANs on the port channel untrusted?
Aruba Customer Engineering
04-30-2014 06:54 AM
No, they're all trusted. I checked.
Interestingly, you do see the sessions represented in the firewall data, ALSO in a "show datapath session table", suggesting they look like flooded unicasts. Just doing a packet capture now...
04-30-2014 07:07 AM
The controller based packet-capture features don't appear to have options for directly capturing all packets received on the wired ports. Am I wrong?