We just had our switch replaced with a pair of 3750G's, old and new all have 48 ports, so we now have some open ports.... Anyway, my manager was looking at issues yesterday, and discovered that for a while, off and on, from several systems on the new switches, he could see traffic between *other* servers and systems elsewhere in the building... which, of course, shouldn't be possible with a switch.

He tells me that some switches, if they were overwhelmed with traffic, would give up and go into hub mode, but he's under the impression that was written out of the firmware years ago, while these are new switches.

Anyone run into this?

mark
On Wed, Feb 6, 2013 at 10:01 AM, <m.roth at 5-cent.us> wrote:
> We just had our switch replaced with a pair of 3750G's, old and new all
> have 48 ports, so we now have some open ports.... Anyway, my manager was
> looking at issues yesterday, and discovered that for a while, off and on,
> from several systems on the new switches, he could see traffic between
> *other* servers and systems elsewhere in the building... which, of course,
> shouldn't be possible with a switch.
>
> He tells me that some switches, if they were overwhelmed with traffic,
> would give up and go into hub mode, but he's under the impression that was
> written out of the firmware years ago, while these are new switches.
>
> Anyone run into this?

A switch will forward to all ports until it learns the mac address (from return traffic) of the correct destination port. So a little bit of traffic leaking to the wrong place within a broadcast domain is fairly normal. A lot means you have a broken switch or one that can't handle the size of the MAC address table it needs. Or you have some strange traffic (udp w/no return packets) or firewalling that keeps the switch from ever seeing the target MAC and restricting the destination to the associated port. Or someone is spoofing the MAC to confuse the switch so they can sniff more than otherwise.

--
Les Mikesell
lesmikesell at gmail.com
On Wed, Feb 6, 2013 at 11:01 AM, <m.roth at 5-cent.us> wrote:
> We just had our switch replaced with a pair of 3750G's, old and new all
> have 48 ports, so we now have some open ports.... Anyway, my manager was
> looking at issues yesterday, and discovered that for a while, off and on,
> from several systems on the new switches, he could see traffic between
> *other* servers and systems elsewhere in the building... which, of course,
> shouldn't be possible with a switch.
>
> He tells me that some switches, if they were overwhelmed with traffic,
> would give up and go into hub mode, but he's under the impression that was
> written out of the firmware years ago, while these are new switches.
>

I suppose anything is possible, but I've never heard or seen that happen first hand.

If one of your hosts intermittently loses connectivity, the switch will broadcast that traffic to all ports because it can't find the host's MAC address. (And what Les said about the switch broadcasting traffic until it learns MAC addresses.)

Last week we had a co-located customer participating in a DOS attack and we made the mistake of shutting off the port he was on. Wouldn't you know it that the inbound traffic was broadcast out all operational ports on that switch because the switch couldn't locate the host. That didn't seem to cause any problems, but it did make the switch port graphs pretty. ;)

>
> Anyone run into this?
>
> mark
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>

--
---~~.~~---
Mike
// SilverTip257 //
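The flooding cases described in the two replies above (unlearned destination, a receiver that never sends, a shut port, an aged-out entry) can be reproduced with a small model of a MAC address table. This is an added example, not part of the original thread and not Cisco's implementation; the port numbers, MAC addresses, the 300-second aging time and the flush-on-link-down behaviour are assumptions of the model.

```python
# Added illustration: a minimal model of a learning switch's MAC table.
# Port numbers, MAC addresses and timings are constructed sample values.

class LearningSwitch:
    def __init__(self, ports, age_limit=300):   # age_limit in seconds (assumed)
        self.ports = ports
        self.age_limit = age_limit
        self.table = {}                         # MAC -> (port, last_seen)

    def port_down(self, port):
        # Model assumption: link loss drops entries learned on that port.
        self.table = {m: e for m, e in self.table.items() if e[0] != port}

    def receive(self, in_port, src, dst, now):
        """Return the egress ports for one unicast frame."""
        self.table[src] = (in_port, now)        # learn/refresh the sender
        entry = self.table.get(dst)
        if entry and now - entry[1] > self.age_limit:
            del self.table[dst]                 # idle too long: forget it
            entry = None
        if entry is None:                       # unknown destination: flood
            return [p for p in self.ports if p != in_port]
        return [] if entry[0] == in_port else [entry[0]]


def seen_on(sw, observer_port, frames):
    """For each (in_port, src, dst, time) frame, did observer_port get a copy?"""
    return [observer_port in sw.receive(*f) for f in frames]


def demo():
    A, B, C = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
    sw = LearningSwitch(ports=(1, 2, 3, 4))     # A=1, B=2, observer=3, C=4
    out = {}
    # Two-way conversation: only the first frame is flooded.
    out["conversation"] = seen_on(sw, 3, [(1, A, B, 0), (2, B, A, 1), (1, A, B, 2)])
    # C never transmits (one-way UDP), so it is never learned.
    out["silent_receiver"] = seen_on(sw, 3, [(1, A, C, 3), (1, A, C, 4)])
    # B's port is shut: traffic still addressed to B goes everywhere.
    sw.port_down(2)
    out["port_shut"] = seen_on(sw, 3, [(1, A, B, 6), (1, A, B, 7)])
    # B returns, then stays quiet longer than the aging time.
    out["aged_out"] = seen_on(sw, 3, [(2, B, A, 8), (1, A, B, 400)])
    return out


if __name__ == "__main__":
    for case, leaked in demo().items():
        print(f"{case:16} observer saw: {leaked}")
```

A host on the observer port that keeps seeing unicast frames for the same destination MAC is in one of the last three cases; a single stray frame at the start of a conversation is the first.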
I know y'all have been waiting with bated breath to hear the latest: the group that handles it has agreed that one of the pair is bad. My manager tells me that depending on when they look at it, they get anomalous results, such as an increment-only timer going *down*. They have a case opened with Cisco.

mark