300-101 ROUTE: Unicast Flooding, Out-of-Order Packets, Asymmetric Routing

Unicast Flooding

Unicast flooding is the unintentional behavior of a switch treating a unicast packet like a broadcast. This occurs when the destination MAC address is not found in the CAM table. The switch then sends the packet to all forwarding ports (except the port it was received on) in the respective VLAN, which causes flooding (broadcast).

The primary causes for unicast flooding are asymmetric routing, STP topology changes, and CAM table overflow.

Out-of-Order Packets

Out-of-order delivery simply means that packets arrive at the destination in a different order from the one in which they were sent. Out-of-order packets can be caused by per-packet load balancing across multiple paths of different speeds, poorly configured queuing along a path, or asymmetric routing.

Packet reordering can affect performance and efficiency of packet forwarding in the following ways:
  • Cause unnecessary retransmission: When the TCP receiver gets packets out of order, it sends duplicate ACKs to trigger the fast retransmit algorithm at the sender. These ACKs make the TCP sender infer that a packet has been lost and retransmit it.
  • Limit transmission speed: When fast retransmission is triggered by duplicate ACKs, the TCP sender assumes it is an indication of network congestion. It reduces its congestion window to limit the transmission speed, and the window then has to grow again from a “slow start”.
  • Reduce the recipient's efficiency: The TCP receiver has to hand data to the upper layer in order. When reordering happens, TCP has to buffer all the out-of-order packets until it has all packets in order. Meanwhile, the upper layer gets data in bursts rather than smoothly, which also reduces the efficiency of the system as a whole.

Asymmetric Routing

Quite simply, asymmetric routing is when a packet takes one path to the destination and returns using another path. Asymmetric routing in itself is not a problem from a TCP/IP communication perspective but it does create trouble with certain setups.

Consider the traffic flows in the diagram below:
  • S1--VLAN 1--Switch A--Router A--VLAN 2--Switch B--VLAN 2--S2 (blue line)
  • S2--VLAN 2--Switch B--Router B--VLAN 1--Switch A--VLAN 1--S1 (red line)


Let's think about what happens when traffic flows from S1 to S2. The servers are in different VLANs. Router A is the default gateway for S1, and Router B is the default gateway for S2.
  1. S1 sends an ARP request for its default gateway (Router A) and receives a reply. Meanwhile, Switch A tracks both MAC addresses (S1 and Router A) in its CAM table.
  2. Router A then pushes out an ARP request and saves the MAC address of S2 in its ARP cache. Switch A also records the MAC address of S2.

But what happens after this point? Router A will not receive packets from S2 directly, as they will traverse Router B. Therefore, Switch A will actually learn the MAC address of Router B, which rewrites the frame after receiving it from S2.

Note that Router A still has a valid ARP entry for S2 (4 hours by default), but the MAC address will time out of the CAM table after 300 seconds (default). So after 5 minutes, Switch A will have no record of S2 in its CAM table, but Router A will still build the frame correctly because of the valid ARP entry. Switch A therefore receives a packet for a destination MAC address for which it has no entry, and it must flood the packet.

The same problem will occur in the reverse direction as well.
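The timer mismatch described above can be reproduced with a small model of Switch A. This is an added example, not part of the original post: the port names, the 10-second packet interval and the one-hour run are assumptions, and the second run uses an ARP timeout shorter than the CAM aging time, a commonly used way to keep the CAM entry refreshed.

```python
# Added example: models Switch A's CAM table in the asymmetric scenario.
ARP_TIMEOUT = 4 * 3600   # Router A ARP cache lifetime from the text (4 hours)
CAM_AGING = 300          # Switch A MAC aging time from the text (300 seconds)

class Switch:
    """Minimal learning switch: one VLAN, per-entry aging, flood on a miss."""
    def __init__(self, ports, aging):
        self.ports, self.aging, self.cam = set(ports), aging, {}

    def receive(self, src, dst, in_port, now):
        self.cam[src] = (in_port, now)          # learn or refresh the source MAC
        entry = self.cam.get(dst)
        if entry and now - entry[1] < self.aging:
            return {entry[0]}                   # known unicast: single egress port
        self.cam.pop(dst, None)                 # entry missing or aged out
        return self.ports - {in_port}           # unknown unicast: flood the VLAN

def simulate(arp_timeout, cam_aging, duration=3600, interval=10):
    """Return (frames_sent, frames_flooded) for S1 -> S2 traffic via Router A."""
    # Port names are hypothetical labels for Switch A's ports in S2's VLAN.
    sw = Switch({"routerA", "routerB", "toSwitchB", "other"}, cam_aging)
    last_arp = None
    sent = flooded = 0
    for now in range(0, duration, interval):
        # Router A re-ARPs only when its own entry for S2 has expired. S2's ARP
        # reply is the only S2-sourced frame Switch A sees, because S2's data
        # traffic returns through Router B with Router B's source MAC.
        if last_arp is None or now - last_arp >= arp_timeout:
            sw.receive("S2", "routerA-mac", "toSwitchB", now)
            last_arp = now
        out = sw.receive("routerA-mac", "S2", "routerA", now)
        sent += 1
        if len(out) > 1:
            flooded += 1
    return sent, flooded

if __name__ == "__main__":
    for arp in (ARP_TIMEOUT, 240):
        sent, flooded = simulate(arp, CAM_AGING)
        print(f"ARP timeout {arp:>5}s, CAM aging {CAM_AGING}s: "
              f"{flooded}/{sent} frames flooded")
```

With the default timers every frame after the first 300 seconds is flooded to all ports in the VLAN; with the ARP timeout below the aging time none are.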

Asymmetric routing also causes challenges with firewalls. With stateful inspection, the firewall keeps track of active connections in its state table. Packets that do not have an entry in the state table or are not explicitly permitted by an access list will be discarded. Because of this behavior, asymmetric routing can cause packets to be dropped.
