I am seeing network traffic to/from hosts other than the one I am monitoring from without the use of a monitor port. For example, I can see all of our web server traffic for any host connected to the same switch (2950 and 3550 switches). This happens on every Cisco switch that I have tested it on so I am quite sure that the MAC table is stable. Anyone else seeing this behavior?
I expect to see broadcast, multicast, and traffic with a source and destination MAC or IP from the sniffing host without using a monitoring port on the switch. Without a monitor port, I am seeing network traffic with either source or destination of OTHER hosts on the same switch as the sniffing host. As I said in my initial post, I see our web server's traffic...not just the traffic that I expect to see but network traffic I would not expect to see unless I am monitoring. It is not just headers; I see the entire data payload. On one of the switches that I tested this on, I could read the entire email message sent to our management server which is located on the same switch as the network sniffer (no monitor port in this example either).
When a packet is flooded, you should expect that you can see all of it. Unknown traffic is traffic for which the mac-address is not yet learned by the switch. The first packet that a new host transmits is an example of this. This kind of traffic is always flooded. All switches update their mac-tables with its source address. Remember that the mac-table is local, every switch in the network has its own.
On VLAN trunks, things are a bit more complicated.
When for example you have a native vlan mismatch somewhere in your network, this may cause the leaking of packets from one vlan into another. These packets will always be flooded as their source/destination is never properly learned. Some other topology issues may cause similar results.
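To make the flooding rule above concrete, here is an added check (not code from this thread) that sorts captured frames into those a host on a plain access port should see and unicast it should not, and flags unicast to a destination MAC that has already been seen as a source on the segment, meaning the switch should have learned it and stopped flooding. The frame records, MAC and IP addresses, and the sniffer's MAC are constructed for illustration.

```python
"""Spot unicast frames a host on a non-SPAN switch port should not be seeing."""
from collections import Counter

# Constructed sample records (addresses are made up); each tuple is
# (src_mac, dst_mac, src_ip, dst_ip) as a sniffer might report them.
SAMPLE_FRAMES = [
    ("00:11:22:aa:aa:01", "ff:ff:ff:ff:ff:ff", "10.0.0.5", "10.0.0.255"),   # broadcast: expected
    ("00:11:22:aa:aa:01", "01:00:5e:00:00:fb", "10.0.0.5", "224.0.0.251"),  # multicast: expected
    ("00:11:22:aa:aa:01", "00:11:22:aa:aa:99", "10.0.0.5", "10.0.0.9"),     # to the sniffer: expected
    ("00:11:22:aa:aa:01", "00:11:22:aa:aa:50", "10.0.0.5", "10.0.0.50"),    # :50 not yet learned: plausible flood
    ("00:11:22:aa:aa:50", "00:11:22:aa:aa:01", "10.0.0.50", "10.0.0.5"),    # :01 already seen as source: suspicious
    ("00:11:22:aa:aa:01", "00:11:22:aa:aa:50", "10.0.0.5", "10.0.0.50"),    # :50 already seen as source: suspicious
    ("00:11:22:aa:aa:07", "00:11:22:aa:aa:50", "10.0.0.7", "10.0.0.50"),    # same, from a third host
]
SNIFFER_MAC = "00:11:22:aa:aa:99"  # constructed MAC of the host doing the capture


def is_broadcast_or_multicast(mac):
    """True when the I/G bit (lowest bit of the first octet) is set."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


def is_expected(src_mac, dst_mac, sniffer_mac):
    """Frames a host on an ordinary access port legitimately receives."""
    return (dst_mac == sniffer_mac or src_mac == sniffer_mac
            or is_broadcast_or_multicast(dst_mac))


def audit(frames, sniffer_mac):
    """Return (unexpected_count, persistent).

    persistent maps a destination MAC to the number of unexpected unicast
    frames addressed to it that arrived AFTER that MAC had already appeared
    as a source on this segment. A learning switch would have an entry for
    it by then, so repeated flooding points at a table problem, not at the
    normal first-packet flood. This approximates the switch's table from
    the sniffer's view only; aging and multi-switch paths are not modelled.
    """
    seen_as_source = set()
    unexpected = 0
    persistent = Counter()
    for src_mac, dst_mac, _src_ip, _dst_ip in frames:
        if not is_expected(src_mac, dst_mac, sniffer_mac):
            unexpected += 1
            if dst_mac in seen_as_source:
                persistent[dst_mac] += 1
        seen_as_source.add(src_mac)
    return unexpected, dict(persistent)


if __name__ == "__main__":
    count, table = audit(SAMPLE_FRAMES, SNIFFER_MAC)
    print(f"unexpected unicast frames: {count}")
    for mac, n in table.items():
        print(f"  {mac}: {n} frame(s) flooded after the MAC was learnable")
```

Feeding real capture output into `SAMPLE_FRAMES` with the same field order lets you tell the expected first-packet flood from the persistent bleedover the original poster describes.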
I am certain that this is not unknown traffic. I am certain that it is not an issue with my MAC table as I do not see arp requests that go unanswered nor am I seeing an excess of arp requests. We could possibly have native vlan mismatches, however, I see this issue at our data center which is a very stable and simple network topology and it seems to be intra-vlan rather than inter-vlan where the bleedover occurs. Because of this, I am inclined to believe that the interface bleedover is occurring in the switch backplane. From a security standpoint, this intra-vlan bleedover has me concerned. Thoughts?