CCNP R&S 002: Unicast Flooding

Unicast Flooding occurs when a frame enters the switch destined to a MAC address that is unknown to the CAM table on that VLAN. The switch floods the unicast frame out of every port in the respective VLAN except the one it entered on.

It’s normal for some of the traffic on the network to be unicast floods, since flooding is part of the learning process that fills the switches’ CAM tables. However, some situations result in excessive unicast flooding, which has a negative impact on performance.

Causes of Excessive Flooding

The cause of excessive flooding is the switch not having an entry in its CAM table for the destination MAC address. Below I explain the three main causes of Unicast Flooding.

Asymmetric Routing

Asymmetric Routing occurs when the path to the destination differs from the return path. Illustrated below:

Throw in some low bandwidth links and you have a recipe for trouble. Flooding will stop once PC-1 has sent a broadcast packet, but the entry in the CAM table will time out and flooding will resume. Other causes of Asymmetric Routing are FHRPs (VRRP, HSRP, GLBP) and hot potato routing. The solution is to set the ARP timeout to be less than the switch’s CAM forwarding table timeout. Therefore the ARP packets will be broadcast and the switch will relearn the entry before the CAM table entry for PC-1 disappears.

Spanning-Tree Protocol (STP) Topology Changes

A Topology Change Notification (TCN) happens when a port on a switch transitions to or from the forwarding state. TCNs are responsible for correcting the forwarding tables after a topology change. They cause the forwarding table entries in the CAM to age much faster, therefore making them time out.

Unicast Flooding may occur in a situation where TCNs are happening often. One possible cause of this is a flappy port. Remember kids, no one wants a flappy port.

STP Portfast enabled ports won’t cause TCNs, therefore a properly configured switch on the access layer won’t cause TCNs when client devices are connected or unplugged.
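To make the timing argument from the Asymmetric Routing section concrete, here is a constructed simulation (added here, not part of the original post) of the CAM table on the switch that sits on the return path to PC-1. That switch only sees PC-1’s MAC as a source when PC-1 answers the router’s ARP request, so the CAM entry is refreshed once per ARP timeout; return traffic for PC-1 arrives every second. The MAC address, port name and the one-frame-per-second traffic rate are assumptions; the `cam_aging` parameter also lets you model the STP TCN fast-aging case from the section above.

```python
"""Constructed model: unicast flooding under asymmetric routing.

PC-1 sends its outbound traffic through a different switch, so switch S2
(on the return path) learns PC-1's MAC only from PC-1's ARP replies.
Return frames for PC-1 reach S2 every second; any frame that arrives
while S2 has no valid CAM entry is flooded on the VLAN.
"""

CAM_AGING_SECS = 300         # Cisco default MAC address-table aging time
DEFAULT_ARP_TIMEOUT = 14400  # Cisco default ARP cache timeout (4 hours)
PC1_MAC = "00:00:5e:00:53:01"  # constructed sample address
PC1_PORT = "Gi0/1"             # constructed port name


class CamTable:
    """Minimal per-VLAN CAM table with idle-time aging."""

    def __init__(self, aging_secs):
        self.aging = aging_secs
        self.entries = {}  # mac -> (port, last_seen)

    def learn(self, mac, port, now):
        self.entries[mac] = (port, now)

    def lookup(self, mac, now):
        """Return the egress port, or None if unknown or aged out."""
        entry = self.entries.get(mac)
        if entry is None:
            return None
        port, last_seen = entry
        if now - last_seen >= self.aging:
            del self.entries[mac]  # aged out: next frame is unknown unicast
            return None
        return port


def simulate(arp_timeout, cam_aging=CAM_AGING_SECS, duration=4 * 3600):
    """Return (flooded_frames, total_frames) for `duration` seconds."""
    cam = CamTable(cam_aging)
    flooded = total = 0
    for now in range(duration):
        # The router re-ARPs when its ARP entry expires (t=0 is the initial
        # ARP); PC-1's reply transits S2 and refreshes the CAM entry.
        if now % arp_timeout == 0:
            cam.learn(PC1_MAC, PC1_PORT, now)
        total += 1
        if cam.lookup(PC1_MAC, now) is None:
            flooded += 1  # unknown unicast -> flooded out every VLAN port
    return flooded, total
```

With the defaults, the entry expires after 300 s and every return frame for the rest of the 4-hour ARP lifetime is flooded; with the ARP timeout lowered below the aging time (on Cisco IOS, the interface `arp timeout` command), the entry is refreshed before it ages out and nothing is flooded.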

Forwarding Table Overflow

Forwarding Table Overflow is caused by having too many devices on your network for the switch’s CAM to handle. However, this is rare, as modern switches have a very large CAM to support large forwarding tables.

Another cause of this is a Forwarding Table Overflow Attack. This is where a host generates many frames with different source MAC addresses. These addresses populate the Forwarding Table, eventually filling the CAM. The result is flooding of frames whose destination MAC no longer fits in the Forwarding Table. Cisco Switches have features to protect against such attacks. Said features are explained here.
