Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Webcast-Catalyst9k
New Member

IP traffic/no monitor port

I am seeing network traffic to/from hosts other than the one I am monitoring from without the use of a monitor port. For example, I can see all of our web server traffic for any host connected to the same switch (2950 and 3550 switches). This happens on every Cisco switch that I have tested it on so I am quite sure that the MAC table is stable. Anyone else seeing this behavior?

4 REPLIES

Re: IP traffic/no monitor port

You are probably seeing "unknown" traffic.

This type of traffic is typically flooded on all ports within a vlan. I do not know if what you see is really a massive amount but in a large network there typically is quite some unknown traffic.

Besides B'cast you might also see multicast traffic.

Regards,

Leo

New Member

Re: IP traffic/no monitor port

I expect to see broadcast, multicast, and traffic with a source and destination MAC or IP from the sniffing host without using a monitoring port on the switch. Without a monitor port, I am seeing network traffic with either source or destination of OTHER hosts on the same switch as the sniffing host. As I said in my initial post, I see our web server's traffic...not just the traffic that I expect to see but network traffic I would not expect to see unless I am monitoring. It is not just headers; I see the entire data payload. On one of the switches that I tested this on, I could read the entire email message sent to our management server which is located on the same switch as the network sniffer (no monitor port in this example either).

Re: IP traffic/no monitor port

When a packet is flooded, you should expect that you can see all of it. Unknown traffic is traffic for which the mac-address is not yet learned by the switch. The first packet that a new host transmits is an example of this. This kind of traffic is always flooded. All switches update their mac-tables with it's source address. Remember that the mac-table is local, every switch in the network has it's own.

On VLAN trunks, things are a bit more complicated.

When for example you have a native vlan mismatch somewhere in your network, this may cause the leaking of packets from one vlan into another. These packets will always be flooded as their source/destination is never properly learned. Some other topology issues may cause similar results.

Regards,

Leo

New Member

Re: IP traffic/no monitor port

I am certain that this is not unknown traffic. I am certain that it is not an issue with my MAC table as I do not see arp requests that go unanswered nor am I seeing an excess of arp requests. We could possibly have native vlan mismatches, however, I see this issue at our data center which is a very stable and simple network topology and it seems to be intra-vlan rather than inter-vlan where the bleedover occurs. Because of this, I am inclined to believe that the interface bleedover is occuring in the switch backplane. From a security standpoint, this intra-vlan bleedover has me concerned. Thoughts?

196
Views
0
Helpful
4
Replies
CreatePlease to create content