RE: Network Configuration Question?

["Naman Latif" <naman.latif () inamed com>]

Whenever the switch receives a packet for which it doesn't find the destination mac address in its "forwarding 
database", it sends that packet to all Ports in that VLAN. These are known as "unknown unicast" messages. You probably 
are seeing those packets.

One way to block this is to have the ports configured to block these packets by using "port block unicast" however I 
don't think this would work out well in most scenarios.

I would suggest moving all your "Secure Machines" into a different VLAN and then use a Router (or RSM) to route between 
VLANS.

Regards \\ Naman


> -----Original Message-----
> From: netsec novice [mailto:netsec9 () hotmail com] 
> Sent: Tuesday, November 05, 2002 8:14 AM
> To: ilyte () alias666 freeserve co uk; security-basics () securityfocus com
> Subject: Re: Network Configuration Question?
>
>
> I recently saw similar behaviour running tcpdump on my 
> workstation that is 
> attached to a Cisco catalyst switch.  I would be interested 
> to find any 
> answers myself.
>
>
>
>
>
>
> > From: "Ian Lyte" <ilyte () alias666 freeserve co uk>
> > To: <security-basics () securityfocus com>
> > Subject: Network Configuration Question?
> > Date: Mon, 4 Nov 2002 16:58:37 -0000
> >
> > Hi All,
> >
> >     On a corporate machine, I was having trouble removing 
> the TinyBar 
> > scrote-ware that had installed itself surreptitiously onto 
> my machine. 
> > As part of the process of tracking down how it was running, I 
> > downloaded a small packet sniffer and ran it so I could attempt to 
> > trace the outgoing target address of the pop-up window.
> >
> >     We are on a 100mbs switched network (I believe switched but ..).
> >
> >     Now imagine my surprise when I could pick up traffic 
> from around 6
> > other
> > machines, including HTTP, POP, SMTP and all the associated passwords.
> >
> >     Some of the machines were geographically close to me in 
> the office 
> > but not all. How could this happen on a switched network - 
> has one of 
> > the switches fallen over into broadcast mode or something? 
> If so how do 
> > I go about determining (remotely) why/how it has fallen 
> over, who else 
> > is on the segment, and what other avenues do I have to explore?
> >
> >     Thanks in advance
> >
> > Ian
>
>
> _________________________________________________________________
> Unlimited Internet access for only $21.95/month.  Try MSN! 
> http://resourcecenter.msn.com/access/plans/2monthsfree.asp