IP traffic/no monitor port

Unanswered Question
Dec 19th, 2005

I am seeing network traffic to/from hosts other than the one I am monitoring from without the use of a monitor port. For example, I can see all of our web server traffic for any host connected to the same switch (2950 and 3550 switches). This happens on every Cisco switch that I have tested it on so I am quite sure that the MAC table is stable. Anyone else seeing this behavior?

lgijssel Mon, 12/19/2005 - 09:22

You are probably seeing "unknown" traffic.

This type of traffic is typically flooded on all ports within a vlan. I do not know if what you see is really a massive amount but in a large network there typically is quite some unknown traffic.

Besides B'cast you might also see multicast traffic.


Regards,

Leo

j.langton Mon, 12/19/2005 - 10:03
I expect to see broadcast, multicast, and traffic with a source and destination MAC or IP from the sniffing host without using a monitoring port on the switch. Without a monitor port, I am seeing network traffic with either source or destination of OTHER hosts on the same switch as the sniffing host. As I said in my initial post, I see our web server's traffic...not just the traffic that I expect to see but network traffic I would not expect to see unless I am monitoring. It is not just headers; I see the entire data payload. On one of the switches that I tested this on, I could read the entire email message sent to our management server which is located on the same switch as the network sniffer (no monitor port in this example either).

lgijssel Mon, 12/19/2005 - 10:29

When a packet is flooded, you should expect that you can see all of it. Unknown traffic is traffic for which the mac-address is not yet learned by the switch. The first packet that a new host transmits is an example of this. This kind of traffic is always flooded. All switches update their mac-tables with its source address. Remember that the mac-table is local; every switch in the network has its own.

On VLAN trunks, things are a bit more complicated.

When for example you have a native vlan mismatch somewhere in your network, this may cause the leaking of packets from one vlan into another. These packets will always be flooded as their source/destination is never properly learned. Some other topology issues may cause similar results.


Regards,

Leo
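The mechanism Leo describes (learn the source MAC on every frame, flood unicast frames whose destination MAC is not in the table, flood broadcast and multicast, age entries out) can be made concrete with a small simulation. This is an added example, not code from the thread or from Cisco; the MAC addresses, port numbers, payloads and the 300-second aging time are constructed for the illustration. It replays a few frames between a client and a web server through a three-port switch and reports what a sniffer on the third port, with no monitor session, would capture and why.

```python
"""Learning-switch simulation: why a sniffer with no SPAN port sees other hosts' frames.

Added example, not code from the thread or from Cisco. MACs, port numbers,
payloads and the 300 s aging time are constructed for the illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group(mac: str) -> bool:
    """True for multicast and broadcast: the I/G bit of the first octet is set."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    payload: str


class LearningSwitch:
    """A transparent bridge: learn the source MAC per ingress port, forward on destination.

    Unknown unicast, broadcast and multicast are flooded to every port in the
    VLAN except the ingress port. Entries age out, after which the next frame to
    that MAC is flooded again.
    """

    def __init__(self, ports: List[int], aging_seconds: int = 300) -> None:
        self.ports = ports
        self.aging = aging_seconds
        self.clock = 0
        self.table: Dict[str, Tuple[int, int]] = {}  # mac -> (port, learned_at)

    def tick(self, seconds: int) -> None:
        self.clock += seconds

    def _expire(self) -> None:
        self.table = {m: (p, t) for m, (p, t) in self.table.items()
                      if self.clock - t < self.aging}

    def forward(self, ingress: int, frame: Frame) -> Dict[int, str]:
        """Return {egress_port: reason} for a frame entering on `ingress`."""
        self._expire()
        self.table[frame.src] = (ingress, self.clock)  # learning happens on every frame
        others = [p for p in self.ports if p != ingress]
        if is_group(frame.dst):
            return {p: "flooded-group" for p in others}
        entry = self.table.get(frame.dst)
        if entry is None:
            return {p: "flooded-unknown" for p in others}  # the "unknown traffic" case
        port, _ = entry
        return {} if port == ingress else {port: "known"}


def classify_at_sniffer(frame: Frame, sniffer_mac: str) -> str:
    """Traffic a host expects to see without a monitor port versus traffic it does not."""
    if is_group(frame.dst):
        return "expected-group"
    if sniffer_mac in (frame.src, frame.dst):
        return "expected-own"
    return "unexpected-unicast"


# Constructed addresses and port assignments for the scenario.
WEB, CLIENT, SNIFFER = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"
WEB_PORT, CLIENT_PORT, SNIFFER_PORT = 1, 2, 3


def run_scenario() -> List[Tuple[str, str, str]]:
    """Replay constructed traffic; return (payload, forward reason, classification)
    for every frame that reaches the sniffer port."""
    sw = LearningSwitch(ports=[WEB_PORT, CLIENT_PORT, SNIFFER_PORT])
    # (seconds to advance first, ingress port, frame). The table starts empty,
    # as after a reload or after the web server's entry has aged out.
    traffic = [
        (0, CLIENT_PORT, Frame(CLIENT, WEB, "GET /index.html")),
        (0, WEB_PORT, Frame(WEB, CLIENT, "HTTP/1.1 200 OK")),
        (0, CLIENT_PORT, Frame(CLIENT, WEB, "GET /login")),
        (0, CLIENT_PORT, Frame(CLIENT, BROADCAST, "ARP who-has 10.0.0.254")),
        (301, CLIENT_PORT, Frame(CLIENT, WEB, "GET /mail")),  # past the aging time
    ]
    seen = []
    for delay, ingress, frame in traffic:
        sw.tick(delay)
        egress = sw.forward(ingress, frame)
        if SNIFFER_PORT in egress:
            seen.append((frame.payload, egress[SNIFFER_PORT],
                         classify_at_sniffer(frame, SNIFFER)))
    return seen


if __name__ == "__main__":
    for payload, reason, cls in run_scenario():
        print(f"{cls:20} {reason:16} {payload}")
```

Run as is, the sniffer captures the first request to the web server (destination not yet learned), the broadcast ARP, and the request sent after the 300-second aging, but not the reply or the second request, which go only to the learned port. On a real host the same check can be made with tcpdump by excluding group traffic and the host's own address, for example `tcpdump -ni eth0 'not broadcast and not multicast and not ether host <own MAC>'`, and comparing what remains against the switch's `show mac-address-table` output at the time of capture.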

j.langton Mon, 12/19/2005 - 10:58
I am certain that this is not unknown traffic. I am certain that it is not an issue with my MAC table as I do not see arp requests that go unanswered nor am I seeing an excess of arp requests. We could possibly have native vlan mismatches, however, I see this issue at our data center which is a very stable and simple network topology and it seems to be intra-vlan rather than inter-vlan where the bleedover occurs. Because of this, I am inclined to believe that the interface bleedover is occurring in the switch backplane. From a security standpoint, this intra-vlan bleedover has me concerned. Thoughts?
