I have had a question from our Linux Admin about him seeing traffic not destined for his server passing the NIC on his server and he has concerns.
He believes that as it was a switched network his server should only be seeing traffic destined for itself.
This is not a major issue but has got me thinking.
From my knowledge I know that the server will see all broadcast / ARP / STP traffic within its VLAN.
The dump he has provided from nmap on the server with a filter for broadcast shows other conversations that he does not believe should be there. From my knowledge this appears to be ack packets mainly and no data.
Can anyone provide any information to make this issue clearer?
What traffic should be seen on the NIC port of a server in a VLAN - how can this be reduced - access list on the port? Create smaller VLANs?
For information, the building this server is in is in one big VLAN with about 250 nodes; the server is plugged into a 3750 stack of 6 switches.
NMAP dump below
root@SERVER1 ~]# tcpdump not ip broadcast and not ether broadcast and not host 10.10.10.4
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
17:37:23.000802 802.1d config 8001.00:1b:8f:62:f9:00.8116 root 8001.00:12:da:df:ac:00 pathcost 19 age 2 max 20 hello 2 fdelay 15
17:37:23.275362 IP lstavs001.sabams > jthdsk3066.: S 3509041410:3509041410(0) win 65535 <mss 1460,nop,nop,sackOK>
17:37:23.277007 IP lstavs001.dicom-iscl > jthdsk3055.43130: S 1451384428:1451384428(0) win 65535 <mss 1460,nop,nop,sackOK>
17:37:23.384040 IP lstavs001.dicom-tls > jthdsk1072.43130: S 2181582281:2181582281(0) win 65535 <mss 1460,nop,nop,sackOK>
17:37:23.710285 IP lstavs001 > jthdsk1185.43130: S 1681256111:1681256111(0) win 65535 <mss 1460,nop,nop,sackOK>
17:37:24.150295 IP lstavs001.> jthdsk0040.43130: S 3866302647:3866302647(0) win 65535 <mss 1460,nop,nop,sackOK>
Re: What traffic should I see on a switched network?
For the sake of simplicity, let's not talk about VLANs and assume that the entire switch is placed in a single VLAN.
A switch will flood all multicast and broadcast frames as well as unicast frames with unknown destination through all ports (except the incoming port). It is therefore normal to see frames that are not destined to a particular station.
Asymmetrical routing can result in flooding in a switched network: if the route from A to B is different from the route from B to A, the switches on each particular route see only a unidirectional flow and cannot learn the destination MAC address, as the flow in the opposite direction takes a different path. As a result, the frames of both these flows may be flooded through other ports. This option should be investigated in your network.
Also, the time needed for a switch to store a newly learned MAC address into its MAC address table is longer than the time to switch a frame. It is normal to see several frames of a bidirectional conversation before the switch stores the MAC addresses into its hardware tables and starts using them.
It has to be stressed that a switch is not primarily a security device, although - as a result of its operation - it increases security somewhat. It must be expected that under certain circumstances, frames will be flooded to all ports because it is a normal part of switch operation. Your Linux Admin should be aware that it is not appropriate to expect that a switch will provide perfect flow isolation. The only way to really secure network communication is to use proven cryptographic methods.
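As an added illustration (not code from the thread), the following toy model of a learning switch reproduces the three effects the reply describes: unknown-unicast flooding, the extra flooded frames while a learned MAC is not yet usable in the hardware table, and the permanent flooding caused by asymmetric routing. The port numbers, MAC addresses and the `latency` knob are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Switch:
    """Toy learning switch: a CAM table plus the flood-or-forward decision."""
    ports: frozenset
    latency: int = 0  # frames processed before a learned MAC is usable (constructed knob)
    cam: dict = field(default_factory=dict)  # MAC -> (port, tick from which it is usable)
    tick: int = 0

    def forward(self, src, dst, in_port):
        """Learn src on in_port, then return the set of egress ports for dst."""
        self.tick += 1
        if src not in self.cam or self.cam[src][0] != in_port:
            self.cam[src] = (in_port, self.tick + self.latency)
        entry = self.cam.get(dst)
        if entry is not None and entry[1] <= self.tick:
            return {entry[0]}                # known unicast: one port only
        return self.ports - {in_port}        # unknown destination: flood


MONITOR = 3  # port of the capturing server, which is neither endpoint


def frames_seen_by_monitor(frames, latency=0):
    """Replay (src_mac, dst_mac, ingress_port) frames through one switch
    and count how many are copied out of the monitor's port."""
    sw = Switch(frozenset({1, 2, 3, 4}), latency)
    return sum(MONITOR in sw.forward(*f) for f in frames)


A, B = "00:00:00:00:00:0a", "00:00:00:00:00:0b"  # constructed MACs


def symmetric(latency=0):
    """A on port 1 and B on port 2 talk in both directions through this switch."""
    return frames_seen_by_monitor([(A, B, 1), (B, A, 2)] * 5, latency)


def asymmetric():
    """B's replies to A return over another path, so this switch never learns B."""
    return frames_seen_by_monitor([(A, B, 1)] * 10)


if __name__ == "__main__":
    print("symmetric, instant learning:", symmetric())     # 1
    print("symmetric, learning latency 2:", symmetric(2))  # 3
    print("asymmetric routing:", asymmetric())             # 10
```

Only the first frame of a symmetric conversation reaches the third port; with asymmetric routing every frame does, which is the pattern to look for in the admin's capture.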