
Switch behaves like a HUB


laptop8

Technical User
Mar 7, 2002
DE
I have a really weird problem.

I operate a switched network with 25x Catalyst 3548, 1x 6509 and 25x BayStack with 250 client PCs and 100 servers.

For quite some time now, I can see people's traffic when I use a sniffer on a random port on a random switch. This is not only broadcasts and multicasts but also unicasts, and even several packets in series. I cannot sniff complete sessions, though, but I'm a little concerned, because in a switched network such behavior should only occur during power-up of the switches.

My first suspect was spanning tree or full MAC tables. But it's none of 'em.

My question: Does anyone have a clue what this could be? Can someone with a similar config take a look at his own network and confirm the same or a different behavior?

Thanks in Advance...
 
When a switch doesn't have an entry in its "MAC" table, it sends out a packet on all interfaces. Whenever it has 2 ports with the same MAC address, the same happens. So if users are running around and plugging their laptops into different ports, you might see this.

But more serious can be the following:
someone is deliberately "poisoning" the MAC table. See for instance ettercap; it has this possibility.

That way he can sniff what he wants to see, and you see it as well ;-)
 
Also, say a user doesn't transmit for more than 5 minutes. The switch will drop the MAC entry for that computer in its table, and the next time something is destined for that computer, the switch will broadcast again, which would explain why you only get partial frames in your sniff.
 
There are some network cluster configurations (MS) that prevent the switch from entering its CAM entry.

1) Hosts transmit to a MAC
2) Switch makes a partial CAM entry and floods packet
3) All cluster devices receive packet
4) Cluster devices determine which will service request via mgmt network
5) Designated cluster member fills request using a different MAC

Switch never sees reply using original MAC & ditches the partial CAM entry.

This is a very evil thing to do to a switch. Took forever to convince server admins they needed their own subnet.

-Jeff ----------------------------------------
Wassabi Pop Tarts! Write Kellogs today!
 
If someone is poisoning the CAM table, why not set port security max-mac-count (say 5) with security action disable on the ports? You should find the culprit.
-Jeff ----------------------------------------
Wassabi Pop Tarts! Write Kellogs today!
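The two mechanisms the replies describe (a switch flooding unicast frames whose destination is unknown or has aged out of the CAM table, and a port-security style max-mac-count that disables a port once too many source MACs appear on it) as an added Python model; this is an illustration written for this thread, not code from any poster or from Cisco, and the port numbers, MAC names and timings are constructed.

```python
from collections import namedtuple

AGE_SECONDS = 300        # CAM aging time the thread mentions (5 minutes)
MAX_MACS_PER_PORT = 5    # port-security max-mac-count suggested in the thread

Entry = namedtuple("Entry", "port last_seen")


class Switch:
    """Toy learning switch: CAM table with aging plus a per-port MAC limit."""

    def __init__(self, ports):
        self.ports = set(ports)
        self.cam = {}            # mac -> Entry(port, last_seen)
        self.disabled = set()    # ports shut down by the MAC-count check

    def macs_on(self, port, now):
        """Source MACs currently (not aged out) learned on a port."""
        return {m for m, e in self.cam.items()
                if e.port == port and now - e.last_seen <= AGE_SECONDS}

    def forward(self, src, dst, in_port, now):
        """Return the list of ports a frame is sent out on."""
        if in_port in self.disabled:
            return []
        self.cam[src] = Entry(in_port, now)              # learn / refresh source
        if len(self.macs_on(in_port, now)) > MAX_MACS_PER_PORT:
            self.disabled.add(in_port)                   # too many MACs: disable port
            return []
        entry = self.cam.get(dst)
        if entry is None or now - entry.last_seen > AGE_SECONDS:
            self.cam.pop(dst, None)                      # unknown or aged-out destination
            return sorted(self.ports - {in_port})        # flood to every other port
        return [] if entry.port == in_port else [entry.port]


def demo():
    """Constructed trace: normal traffic, an aged-out entry, then a MAC flood on port 3."""
    sw = Switch([1, 2, 3, 4])
    trace = [
        sw.forward("A", "B", 1, 0),      # B unknown: flooded, a sniffer anywhere sees it
        sw.forward("B", "A", 2, 1),      # A known: unicast to port 1 only
        sw.forward("A", "B", 1, 10),     # B known: unicast to port 2 only
        sw.forward("A", "B", 1, 400),    # B silent > 5 min: aged out, flooded again
    ]
    for i in range(6):                   # six source MACs on port 3 exceed the limit
        trace.append(sw.forward(f"M{i}", "A", 3, 401 + i))
    return trace, sorted(sw.disabled)
```

The fourth frame shows why the original poster sees partial unicast sessions: only the frames sent while an entry is missing are flooded, not the whole conversation.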
 