This is a common behaviour with M$ NLB. X-S
Analogously (e.g.: for load balancing) it could be possible that one of
the end-point of the communications you're seeing is using with ARP
replies that contain a MAC address that doesn't match the one used in
it's ethernet frames (i.e.: the one that switches learn).
On dom, 2006-10-15 at 20:03 -0500, Ben Nell wrote:
Is all traffic being "broadcasted"? Can you narrow it down to a
specific host that's common to all of the traffic, perhaps a gateway
device? If you're doing multicasting on a gateway device
(multicasting using unicast addressing), you would get the type of
behavior that you're describing. I've seen this exact situation
before, actually.
BN
On 10/13/06, Jon Hart <jhart@spoofed.org> wrote:
Greetings,
I've got a situation here that I can't quite figure out. It is well
known that it is possible to cause a switched network to act like an
unswitched network by flooding the CAM table. There are countless tools
and documents out there that cover the offensive and defensive measures
related to this issue.
While this isn't Cisco's official documentation on this issue,
http://xrl.us/r8k7 says:
"Content-addressable memory (CAM) overflow: A CAM table is used to
determine where to direct incoming frames depending on which port the
incoming MAC address came from. When the CAM receives a frame with an
unknown destination, the proper procedure is to flood frames within
the acceptable Layer 2 domain (the proper VLAN). Hardware and
software tools are available (some for free), that can flood a switch
with MAC addresses. Once the CAM table limit is exceeded, switches
behave differently depending on the brand of the switch."
My question is, has anyone seen a situation where the same broadcast
behavior occurs, but the CAM table itself is not overloaded and there is
no good reason for entries to be expiring? Furthermore, even if the
entries were expired, has anyone encountered situations (malicious or
otherwise), where a given port will receive traffic outside of its own
L2?
Thanks,
-jon
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
