Switching Question: Sniffing a mac adx to mac adx conversation

This is for you switching gurus out there. I know it's not good but I am trying to explain why and I can't come up with the correct words...


Scenario:

Two Unix Solaris boxes with 2 NICs each: NIC 1 for Prod and NIC 2 for BU on both boxes. They are on the same switch (3750), and the Prod subnet is x.x.1.0/24 and the BU subnet is x.x.2.0/24 for both boxes. SolarisA has both NICs set to the same mac adx (:::ABCD), as does SolarisB (:::1234). (This is a default setting for this type of physical server; I think it's a Fujitsu chassis. And yes, I am forcing the Unix team to change it to unique adxs, but I just want assistance for a proactive write-up.)


I've been asked to sniff these servers due to the fact that ftp transfers sometimes stop during its process and they want to be proactive about it and find out why. These ftp transfers are log transfers that are normally very large.


My answer:

Since it is the same switch and same subnet, they are only communicating via Layer 2 and not using any L3 type of communication. Sniffing is not coming up with anything inclusive (I'm probably using it wrong due to the fact that the filters are based upon mysql ports and IP adxs). But I am trying to explain to the client that having the same mac address on both ports (Prod and BU) can cause this problem. I realize that communication will be via L2, but if it goes to the BU port it should drop due to the wrong VLAN, while if it goes to the PROD port then communication is good. But will there be any time where it is communicating via the PROD port and then switches to the BU port?


Please ask questions if I need to clarify.


thx

ropethic Mon, 08/18/2008 - 07:47

Try sniffing with no capture filters. Save file and then create a display filter. Also, the application may be exchanging information via IP.

Giuseppe Larosa Mon, 08/18/2008 - 12:12
Hello Eric,

some notes about what you have written:


1) FTP is TCP/IP so communication is Layer3 but there isn't any network device in the middle.


2) if the PROD ports are in Vlan X and the BU ports are in Vlan Y the switch should be able to deal with the duplicated MAC address because the CAM table has three fields: the MAC address, the port where the MAC has been seen as source address and the Vlan the port is member of (or the vlan tag in case of trunk port). However, in this case you have the same MAC address on different ports of the same switch.

I agree that using different MAC addresses would be better.


3) you can use SPAN for this, defining as source ports the two PROD ports, and the destination is the port where you connect your sniffer.

you can even have a second session for the BU ports sending traffic to a second destination port (if you can use two sniffers or PCs).


reference link for SPAN


http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml


Hope to help

Giuseppe
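
The CAM behaviour described in point 2 of the reply above, as an added example that is not part of the original posts: a minimal Python model of MAC learning keyed by (VLAN, MAC), replaying the same frames once with the PROD and BU ports in separate VLANs and once in a single VLAN. The MAC addresses, VLAN IDs and port names are constructed placeholders, not values from the thread.

```python
from collections import defaultdict

class CamTable:
    """Minimal model of switch MAC learning: (VLAN, MAC) -> port."""
    def __init__(self):
        self.entries = {}                # (vlan, mac) -> port last seen as source
        self.moves = defaultdict(list)   # (vlan, mac) -> [(old_port, new_port), ...]

    def learn(self, vlan, src_mac, port):
        key = (vlan, src_mac.lower())
        old = self.entries.get(key)
        if old is not None and old != port:
            # Same MAC, same VLAN, different port: the entry moves (a "MAC flap").
            self.moves[key].append((old, port))
        self.entries[key] = port

    def lookup(self, vlan, dst_mac):
        """Port a unicast frame for dst_mac in this VLAN is forwarded to."""
        return self.entries.get((vlan, dst_mac.lower()))

def replay(frames):
    """Feed (vlan, src_mac, ingress_port) tuples through a fresh table."""
    cam = CamTable()
    for vlan, mac, port in frames:
        cam.learn(vlan, mac, port)
    return cam

# Constructed sample data (assumptions, not taken from the thread).
MAC_A = "00:00:00:00:ab:cd"   # stands in for SolarisA's shared MAC
MAC_B = "00:00:00:00:12:34"   # stands in for SolarisB's shared MAC
PROD, BU = 10, 20             # hypothetical VLAN IDs

# Each server sends from both NICs; PROD and BU ports are in different VLANs.
SEPARATE_VLANS = [
    (PROD, MAC_A, "Gi1/0/1"), (BU, MAC_A, "Gi1/0/2"),
    (PROD, MAC_B, "Gi1/0/3"), (BU, MAC_B, "Gi1/0/4"),
    (PROD, MAC_A, "Gi1/0/1"), (BU, MAC_A, "Gi1/0/2"),
]
# The same frames if all four ports had been placed in one VLAN.
SAME_VLAN = [(PROD, mac, port) for _, mac, port in SEPARATE_VLANS]

if __name__ == "__main__":
    for name, frames in (("separate VLANs", SEPARATE_VLANS), ("same VLAN", SAME_VLAN)):
        cam = replay(frames)
        print(f"{name}: {len(cam.entries)} entries, moves={dict(cam.moves)}")
```

With separate VLANs the table holds four stable entries and no moves; with one VLAN each MAC has a single entry that keeps moving between the two ports, which is the condition to rule out when checking the switch for the stalled transfers.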

