IP traffic/no monitor port

j.langton
Level 1

I am seeing network traffic to/from hosts other than the one I am monitoring from without the use of a monitor port. For example, I can see all of our web server traffic for any host connected to the same switch (2950 and 3550 switches). This happens on every Cisco switch that I have tested it on so I am quite sure that the MAC table is stable. Anyone else seeing this behavior?

4 Replies

lgijssel
Level 9

You are probably seeing "unknown" traffic.

This type of traffic is typically flooded on all ports within a vlan. I do not know if what you see is really a massive amount but in a large network there typically is quite some unknown traffic.

Besides B'cast you might also see multicast traffic.

Regards,

Leo

I expect to see broadcast, multicast, and traffic with a source and destination MAC or IP from the sniffing host without using a monitoring port on the switch. Without a monitor port, I am seeing network traffic with either source or destination of OTHER hosts on the same switch as the sniffing host. As I said in my initial post, I see our web server's traffic...not just the traffic that I expect to see but network traffic I would not expect to see unless I am monitoring. It is not just headers; I see the entire data payload. On one of the switches that I tested this on, I could read the entire email message sent to our management server which is located on the same switch as the network sniffer (no monitor port in this example either).

When a packet is flooded, you should expect that you can see all of it. Unknown traffic is traffic for which the mac-address is not yet learned by the switch. The first packet that a new host transmits is an example of this. This kind of traffic is always flooded. All switches update their mac-tables with its source address. Remember that the mac-table is local; every switch in the network has its own.

On VLAN trunks, things are a bit more complicated.

When for example you have a native vlan mismatch somewhere in your network, this may cause the leaking of packets from one vlan into another. These packets will always be flooded as their source/destination is never properly learned. Some other topology issues may cause similar results.

Regards,

Leo
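The learning-and-flooding behaviour Leo describes, as an added example that is not part of the original thread: a toy single-VLAN learning switch in Python. It shows that a frame to a destination MAC the switch has not learned yet is sent out every other port in the VLAN (so a plain access port receives it), that once the destination has been learned the same frame goes to one port only, and, going one step beyond the thread, that an entry which has aged out of the table makes the switch flood again. Port names, MAC addresses and the aging time are constructed values.

```python
"""Toy model of a single-VLAN learning switch (added example, not from the thread).

Demonstrates why unknown-unicast frames reach every port, why learned
destinations do not, and why an aged-out entry brings flooding back.
All port names, MACs and timings are constructed.
"""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac: str) -> bool:
    """Low bit of the first octet set => multicast or broadcast MAC."""
    return int(mac.split(":")[0], 16) & 1 == 1


@dataclass
class LearningSwitch:
    ports: list
    aging_seconds: int = 300                      # constructed aging time
    mac_table: dict = field(default_factory=dict) # mac -> (port, last_seen)

    def age_out(self, now: float) -> None:
        """Drop entries not refreshed within the aging time."""
        stale = [m for m, (_, seen) in self.mac_table.items()
                 if now - seen > self.aging_seconds]
        for m in stale:
            del self.mac_table[m]

    def receive(self, in_port: str, src: str, dst: str, now: float) -> list:
        """Return the egress ports for one frame, learning src on the way."""
        self.age_out(now)
        # Learning: remember on which port this source address was seen
        self.mac_table[src] = (in_port, now)
        if dst == BROADCAST or is_group_address(dst) or dst not in self.mac_table:
            # Broadcast, multicast and unknown unicast are flooded to all other ports
            return [p for p in self.ports if p != in_port]
        out_port = self.mac_table[dst][0]
        return [] if out_port == in_port else [out_port]


def demo() -> dict:
    sw = LearningSwitch(ports=["Fa0/1", "Fa0/2", "Fa0/3"])
    web = "00:00:5e:00:53:01"   # web server on Fa0/1 (constructed)
    cli = "00:00:5e:00:53:02"   # client on Fa0/2 (constructed)
    sniffer_port = "Fa0/3"      # a host with no monitor/SPAN session
    # 1. Client's first frame: web server not learned yet -> flooded, sniffer sees it
    first = sw.receive("Fa0/2", cli, web, now=0)
    # 2. Web server replies: client already learned -> unicast to Fa0/2 only
    reply = sw.receive("Fa0/1", web, cli, now=1)
    # 3. Client's next frame: web server now learned -> Fa0/1 only
    second = sw.receive("Fa0/2", cli, web, now=2)
    # 4. Long after the aging time: web server entry gone -> flooded again
    after_age = sw.receive("Fa0/2", cli, web, now=400)
    return {
        "first_flooded": sniffer_port in first,
        "reply_ports": reply,
        "second_ports": second,
        "after_aging_flooded": sniffer_port in after_age,
    }


if __name__ == "__main__":
    print(demo())
```

The fourth step is the case worth keeping in mind when a sniffer keeps seeing another host's unicast traffic for long periods: if the switch never sees frames sourced from that host's MAC on the port it lives behind (asymmetric paths are a common reason), its entry ages out and every frame toward it is flooded again.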

I am certain that this is not unknown traffic. I am certain that it is not an issue with my MAC table as I do not see arp requests that go unanswered nor am I seeing an excess of arp requests. We could possibly have native vlan mismatches, however, I see this issue at our data center which is a very stable and simple network topology and it seems to be intra-vlan rather than inter-vlan where the bleedover occurs. Because of this, I am inclined to believe that the interface bleedover is occurring in the switch backplane. From a security standpoint, this intra-vlan bleedover has me concerned. Thoughts?
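A way to check the claim in this post against a capture, added here as an example and not something the original poster ran: the script below takes the frames a host's NIC sees without a monitor port, separates the traffic the host is expected to receive (its own, broadcast, multicast) from unicast between other hosts, and then asks, for each unexpected destination MAC, whether that MAC ever appears as a source in the same capture. A destination that is never seen as a source is consistent with unknown-unicast flooding (the switch has nothing to learn from); a destination that does appear as a source in the capture should have been learned and deserves escalation. The sniffing host's MAC and every frame are constructed sample data.

```python
"""Triage of frames seen on an access port without a SPAN/monitor session.

Added example for the thread; the capture below is constructed, not real.
"""
from collections import Counter

BROADCAST = "ff:ff:ff:ff:ff:ff"
MY_MAC = "00:00:5e:00:53:03"   # the sniffing host (constructed)

# (src_mac, dst_mac, description): constructed sample capture
FRAMES = [
    ("00:00:5e:00:53:02", BROADCAST, "ARP who-has"),
    ("00:00:5e:00:53:02", "01:00:5e:00:00:fb", "mDNS query"),
    ("00:00:5e:00:53:02", MY_MAC, "TCP to this host"),
    (MY_MAC, "00:00:5e:00:53:02", "TCP from this host"),
    ("00:00:5e:00:53:02", "00:00:5e:00:53:01", "HTTP to web server"),
    ("00:00:5e:00:53:02", "00:00:5e:00:53:01", "HTTP to web server"),
    ("00:00:5e:00:53:04", "00:00:5e:00:53:05", "SMTP to mgmt server"),
    ("00:00:5e:00:53:05", "00:00:5e:00:53:04", "SMTP reply"),
]


def is_group_address(mac: str) -> bool:
    """Low bit of the first octet set => multicast or broadcast MAC."""
    return int(mac.split(":")[0], 16) & 1 == 1


def classify(src: str, dst: str, my_mac: str = MY_MAC) -> str:
    """Label one frame from the sniffing host's point of view."""
    if dst == BROADCAST:
        return "broadcast"
    if is_group_address(dst):
        return "multicast"
    if my_mac in (src, dst):
        return "own"
    return "unexpected_unicast"


def triage(frames, my_mac: str = MY_MAC):
    """Return (counts per class, findings per unexpected destination MAC)."""
    counts = Counter()
    seen_as_src = set()
    unexpected_dst = Counter()
    for src, dst, _desc in frames:
        seen_as_src.add(src)
        kind = classify(src, dst, my_mac)
        counts[kind] += 1
        if kind == "unexpected_unicast":
            unexpected_dst[dst] += 1

    findings = {}
    for dst, n in unexpected_dst.items():
        if dst not in seen_as_src:
            # The switch never had a frame from this MAC to learn from
            verdict = "never seen as source: consistent with unknown-unicast flooding"
        else:
            # The switch forwarded frames from this MAC, so it should have learned it
            verdict = "seen as source in this capture: should have been learned, escalate"
        findings[dst] = {"frames": n, "verdict": verdict}
    return dict(counts), findings


if __name__ == "__main__":
    counts, findings = triage(FRAMES)
    print(counts)
    for mac, info in findings.items():
        print(f"{mac}: {info['frames']} frame(s), {info['verdict']}")
```

On a real capture the "seen as source" check is only meaningful per VLAN and over a window shorter than the switch's aging time, since an entry the switch learned an hour ago may be long gone by the time the flooded frames arrive.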