Cisco switch behaves like a hub

Discussion in 'Cisco' started by Moti.Ba@gmail.com, Jan 12, 2005.

  1. Guest

    I have 3 Cisco switches, all model WS-C3548-XL with 48 ports.
    When I run a sniffer on my computer I can see the traffic between two
    foreign computers that I don't have any connection with (like computer
    A using DNS query on server B). How come? How can I see this traffic on
    a SWITCH?

    I checked and it is not broadcasts. Also checked for port mirroring and
    didn't find any switch configured for port mirroring.

    Any help?
    , Jan 12, 2005
    #1
  2. Ivan Ostreš Guest

    In article <>,
    says...
    > I have 3 Cisco switches, all model WS-C3548-XL with 48 ports.
    > When I run a sniffer on my computer I can see the traffic between two
    > foreign computers that I don't have any connection with (like computer
    > A using DNS query on server B). How come? How can I see this traffic on
    > a SWITCH?
    >
    > I checked and it is not broadcasts. Also checked for port mirroring and
    > didn't find any switch configured for port mirroring.
    >
    > Any help?
    >
    >


    One of the things the switch does is, when it has an unknown destination
    MAC address, it just sends traffic to all ports on the switch. So, the
    first thing to check would be if there's a destination MAC address in the
    switch's CAM.

    Second, if the CAM table is full of MACs, the switch will forward packets
    to all ports if the MAC address is not in the CAM table (and it can't be
    added because the CAM table is full). If this is a production network I
    would look for this because it is easy to achieve this using some free
    tools.

    HTH,

    --
    -Ivan.

    *** Use Rot13 to see my eMail address ***
    Ivan Ostreš, Jan 12, 2005
    #2
  3. Ivan Ostreš Guest

    In article <>,
    says...
    >
    > One of the things the switch does is, when it has an unknown destination
    > MAC address, it just sends traffic to all ports on the switch. So, the
    > first thing to check would be if there's a destination MAC address in the
    > switch's CAM.
    >
    > Second, if the CAM table is full of MACs, the switch will forward packets
    > to all ports if the MAC address is not in the CAM table (and it can't be
    > added because the CAM table is full). If this is a production network I
    > would look for this because it is easy to achieve this using some free
    > tools.
    >
    > HTH,
    >
    >


    One more thing: if you're using DNS on a cluster which uses a multicast
    MAC address as VMAC, you would see all the packets, since their
    destination is a multicast address, which is by default sent to all
    switchports.

    --
    -Ivan.

    *** Use Rot13 to see my eMail address ***
    Ivan Ostreš, Jan 12, 2005
    #3
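A way to triage the sniffer capture along the lines of the replies above, as an added example that is not part of the original thread: it separates broadcast, multicast (group bit set, as with a multicast VMAC) and unicast frames addressed to someone else, and lists the destination MACs to look up in the switch's CAM table. All MAC addresses and the sample frames are constructed.

```python
from collections import Counter

BROADCAST = "ff:ff:ff:ff:ff:ff"

def normalize(mac):
    """Accept aa:bb:.., aa-bb-.. or Cisco aabb.ccdd.eeff notation."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def classify(dst, own_mac):
    """Classify one destination MAC as seen from the sniffing host."""
    dst = normalize(dst)
    if dst == BROADCAST:
        return "broadcast"
    if int(dst[:2], 16) & 0x01:      # I/G bit set: group (multicast) address
        return "multicast"
    if dst == normalize(own_mac):
        return "to-me"
    return "flooded-unicast"         # unicast for another host reached our port

def triage(frames, own_mac):
    """frames: iterable of (src_mac, dst_mac) pairs taken from the capture.
    Returns (count per class, count per flooded destination MAC)."""
    classes, flooded = Counter(), Counter()
    for src, dst in frames:
        if normalize(src) == normalize(own_mac):
            classes["from-me"] += 1
            continue
        kind = classify(dst, own_mac)
        classes[kind] += 1
        if kind == "flooded-unicast":
            flooded[normalize(dst)] += 1
    return classes, flooded

# Constructed sample: computer A (..01) querying server B (..02), plus noise.
OWN_MAC = "00:11:22:33:44:55"
SAMPLE_FRAMES = [
    ("00:aa:bb:00:00:01", "00:aa:bb:00:00:02"),
    ("00:aa:bb:00:00:01", "00:aa:bb:00:00:02"),
    ("00:aa:bb:00:00:03", "ff:ff:ff:ff:ff:ff"),
    ("00:aa:bb:00:00:04", "03bf.0a00.0005"),      # constructed group address
    ("00:aa:bb:00:00:02", "00-11-22-33-44-55"),
    ("00:11:22:33:44:55", "00:aa:bb:00:00:02"),
]

if __name__ == "__main__":
    classes, flooded = triage(SAMPLE_FRAMES, OWN_MAC)
    print(dict(classes))
    print("look these up in the CAM table:", dict(flooded))
```
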
  4. In article <>,
    <> wrote:

    :I have 3 Cisco switches, all model WS-C3548-XL with 48 ports.
    :When I run a sniffer on my computer I can see the traffic between two
    :foreign computers that I don't have any connection with (like computer
    :A using DNS query on server B). How come? How can I see this traffic on
    :a SWITCH?

    There are some ways that that can happen, but they are not common.

    One way it can happen is if the switch never learns the MAC address
    of the destination system, such as if you have a multihomed system
    that replies from a different interface than is sent to.

    Another way it can happen is if your MAC table is full: when that
    happens, data is sent to every port in the VLAN.

    A third way it can happen is through switch bugs. I noticed one
    documented bug for the 3750 in an earlier software release, which
    could result in flooding for some obscure conditions involving
    secured MAC addresses.

    In some cases, it's due to a hardware limitation: sometimes, if a
    single MAC is taking part in multiple VLANs, then data can leak;
    again I saw this documented for the 3750. If an egress port was in
    two different VLANs simultaneously, say #15 and #29, and the data
    was received for VLAN #15, then the data would leak out to egress ports
    that were in the other VLAN (#29) even though those ports were not
    part of the original VLAN (#15). The documentation I was looking at
    was particularly mentioning this with regard to multicast.
    --
    History is a pile of debris -- Laurie Anderson
    Walter Roberson, Jan 12, 2005
    #4
  5. Guest

    Thanks,

    I am trying to check this but have no access to one switch via the web
    interface.
    Is there a way to configure an IP for managing the switch without using
    the cables Cisco gives you when you buy the switch?

    I noticed the switch has an Ethernet-like port in the back, not a regular
    serial cable.
    , Jan 12, 2005
    #5
  6. In article <>,
    <> wrote:
    :I am trying to check this but have no access to one switch via the web
    :interface.
    :Is there a way to configure an IP for managing the switch without using
    :the cables Cisco gives you when you buy the switch?

    The specifications for the cable are online in several places.


    :I noticed the switch has an Ethernet-like port in the back, not a regular
    :serial cable.

    Cisco uses that often these days. As best I can tell there is
    some kind of unofficial standard about how it is wired.
    Mind you, knowing how it is wired won't help you if you don't
    have the parts needed to make a new cable. You can probably
    easily find an appropriate cable on eBay.

    I am not familiar with the details of the switch you have.
    Usually you need console serial port access in order to force the
    configuration back to factory defaults or to get through when
    the password is lost.

    If the switch has an IP address and you know the subnet, you
    can try pinging the subnet broadcast IP and seeing if the switch
    is one of the systems that answers.

    If you know the IP address and the SNMP write community, then
    you can in theory trigger a tftp load of a new configuration file,
    provided it is listening to your SNMP. But if it's listening to
    your SNMP then chances are you could just telnet to the switch.
    --
    Any sufficiently advanced bug is indistinguishable from a feature.
    -- Rich Kulawiec
    Walter Roberson, Jan 12, 2005
    #6
  7. brambles

    We also found our Cisco 3560 switch behaving like a hub. We have two switches, SWA and SWB, trunked together, with a Port Channel on each switch. SWA was constantly broadcasting to all connected servers at between 5 and 15 Mbps.
    The reason turned out to be a timed-out (i.e. lost) MAC address on the SWA Port Channel, for server SVB on SWB. A router RTA on SWA was pumping packets at SVB, but since SWA had lost the MAC address for SVB it had no option but to broadcast the packets to all ports. The packets arrived at SVB, but significantly the return path was via router RTB on SWB, so no return-path packets hit SWA and therefore its MAC table was never updated to include SVB.
    Workaround: set mac-address-table aging to 0 (i.e. no ageing) on both switches, then clear the ARP cache on both routers to force at least one ARP request to every attached server. It worked.
    I believe some higher-spec switches have a MAC-table synchronization feature, but not the 3560 unfortunately.
    brambles, Feb 26, 2010
    #7
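A small model of the situation described in post #7, added here as an illustration and not taken from the thread: a learning switch (SWA) whose entry for SVB ages out because the return traffic never crosses it, and the effect of disabling aging or of periodic ARP replies. Port names, MAC values, the 300-second aging time and the 10-second packet interval are assumptions.

```python
RTA, SVB = "00:00:0c:00:00:01", "00:aa:bb:00:00:0b"   # constructed MACs

class LearningSwitch:
    def __init__(self, ports, aging=300):
        self.ports = set(ports)
        self.aging = aging        # seconds; 0 means entries never age out
        self.table = {}           # mac -> (port, last time seen as a source)

    def _lookup(self, mac, now):
        entry = self.table.get(mac)
        if entry is None:
            return None
        port, seen = entry
        if self.aging and now - seen > self.aging:
            del self.table[mac]   # entry timed out
            return None
        return port

    def receive(self, now, in_port, src, dst):
        """Learn the source, then return the set of egress ports."""
        self.table[src] = (in_port, now)
        out = self._lookup(dst, now)
        if out is None:
            return self.ports - {in_port}      # unknown unicast: flood
        return {out} if out != in_port else set()

def flooded_frames(aging, arp_refresh=None, duration=600, interval=10):
    """Count RTA->SVB frames that SWA floods. SVB's replies leave via RTB
    on SWB, so SWA only sees SVB as a source when an ARP reply crosses it
    (at t=0 and then every arp_refresh seconds, if set)."""
    swa = LearningSwitch(["rta", "po1", "srv1", "srv2"], aging)
    flooded = 0
    for now in range(0, duration + 1, interval):
        if now == 0 or (arp_refresh and now % arp_refresh == 0):
            swa.receive(now, "po1", SVB, RTA)  # ARP reply from SVB via Port Channel
        if now > 0 and len(swa.receive(now, "rta", RTA, SVB)) > 1:
            flooded += 1
    return flooded

if __name__ == "__main__":
    print("aging 300 s, one-way traffic:", flooded_frames(300))
    print("aging 0 (disabled):          ", flooded_frames(0))
    print("aging 300 s, ARP every 240 s:", flooded_frames(300, arp_refresh=240))
```
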