network analyzer sees all traffic on the switch

Unanswered Question
Sep 29th, 2010
User Badges:

/* Style Definitions */ table.MsoNormalTable {mso-style-name:Standaardtabel; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-qformat:yes; mso-style-parent:""; mso-padding-alt:0cm 5.4pt 0cm 5.4pt; mso-para-margin:0cm; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:"Times New Roman"; mso-fareast-theme-font:minor-fareast; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin; mso-bidi-font-family:"Times New Roman"; mso-bidi-theme-font:minor-bidi;}

A client of us is having a very strange issue. They see a very load (initially just by watching the LEDs en got a software analyzer run on it. Now a software analyzer on a single port, even in promiscuous mode should only get its local data on a single switch port. The switch should only deliver local data to that port (thats why its switch, not a hub yes?) But to our surprise the analyze sees all the traffic, even the traffic that should get on to that specific switch, let a lone that port on the switch. It looks like everything is working like a big hub.


Hereunder is a screenshot of the installed network analyser:

v\:* {behavior:url(#default#VML);} o\:* {behavior:url(#default#VML);} w\:* {behavior:url(#default#VML);} .shape {behavior:url(#default#VML);} /* Style Definitions */ table.MsoNormalTable {mso-style-name:Standaardtabel; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-qformat:yes; mso-style-parent:""; mso-padding-alt:0cm 5.4pt 0cm 5.4pt; mso-para-margin:0cm; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:"Times New Roman"; mso-fareast-theme-font:minor-fareast; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin; mso-bidi-font-family:"Times New Roman"; mso-bidi-theme-font:minor-bidi;}


analyser.jpg


Can anyone assist in finding where this is going wrong?


units in use:


SGE2000-EU

SRW224G4-EU

SRW224G4P-EU

SRW248G4-EU


Kind Regards

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
David Hornstein Wed, 10/06/2010 - 04:43
User Badges:
  • Gold, 750 points or more

Hi RONVER-Systems,


I cannot see the first image, just doesn't want to come up.  Knowing the behavior of a switch I can imagine "broadcast' traffic being received on each port.


It would be more relavvnt if you could use wireshark (a freeware 'sniffer' program)  and try the same capture again and post the capture file as a .cap file.


But you obviously will see broadcast traffic arrive at each switch port. The switches will route at Layer 2 any unicast traffic.  But lets check out the capture file you send in again.


Sorry for this bother, I just can't see the first image you posted.


regards Dave

mj.jimenez Thu, 03/31/2011 - 07:17
User Badges:

Hi,


I am getting the same response.... as soon as I configure the vlan in a port, the swicth seems to create a hub per vlan... and if you open a TAC with this problem, you only get, rebuild all the configuration from the beginning and let us know if this happened again.


Have someone solve this issue?


Thanks in advance.

David Carr Thu, 03/31/2011 - 11:38
User Badges:
  • Silver, 250 points or more

Mr. Jimenez,


Vlans are separate broadcast domains.  So if you have ports in that vlan it in a sense is a hub but does not allow collisions like a hub.  Each port is a collision domain.


So you will get broadcast, multicast traffic on that vlan for all ports associated on it.

mj.jimenez Fri, 04/01/2011 - 02:52
User Badges:

Hi,


I understand what a vlan domain is, my problems is when a server produce traffic, all this traffic is replacated to all the ports of the same vlan.... like a hub does. I thought the SGE was a switch, and the traffic would go only to the destination port.


Regards

David Carr Fri, 04/01/2011 - 05:28
User Badges:
  • Silver, 250 points or more

Yeah,


Anycast traffic or traffic directed to a specific host, it should not be seen by everyone on the floor.  However Multicast and Broadcast traffic will be seen by everyone on that vlan.


If your seeing traffic directed to someone other than yourself  and your receiving it.  Maybe the mac address table is not maintaining the mac table and flooding traffic to populate the mac table.