Re: unswitched behavior of a switched network...

[Florian Osses <florian.osses () wtnet de>]

Sorry for my simple question.
But what kind of broadcast do you discover?
Perhaps you have a loop in your network, or even a sort of spanning tree 
 (double connected wire to One switch) which spams your network?!

Florian Osses

Ben Nell wrote:
> Is all traffic being "broadcasted"?  Can you narrow it down to a
> specific host that's common to all of the traffic, perhaps a gateway
> device?  If you're doing multicasting on a gateway device
> (multicasting using unicast addressing), you would get the type of
> behavior that you're describing.  I've seen this exact situation
> before, actually.
>
> BN
>
> On 10/13/06, Jon Hart <jhart () spoofed org> wrote:
> > Greetings,
> >
> > I've got a situation here that I can't quite figure out.  It is well
> > known that it is possible to cause a switched network to act like an
> > unswitched network by flooding the CAM table.  There are countless tools
> > and documents out there that cover the offensive and defensive measures
> > related to this issue.
> >
> > While this isn't Cisco's official documentation on this issue,
> > http://xrl.us/r8k7 says:
> >
> >    "Content-addressable memory (CAM) overflow: A CAM table is used to
> >    determine where to direct incoming frames depending on which port the
> >    incoming MAC address came from. When the CAM receives a frame with an
> >    unknown destination, the proper procedure is to flood frames within
> >    the acceptable Layer 2 domain (the proper VLAN). Hardware and
> >    software tools are available (some for free), that can flood a switch
> >    with MAC addresses. Once the CAM table limit is exceeded, switches
> >    behave differently depending on the brand of the switch."
> >
> > My question is, has anyone seen a situation where the same broadcast
> > behavior occurs, but the CAM table itself is not overloaded and there is
> > no good reason for entries to be expiring?  Furthermore, even if the
> > entries were expired, has anyone encountered situations (malicious or
> > otherwise), where a given port will receive traffic outside of its own
> > L2?
> >
> > Thanks,
> >
> > -jon
> >
> >
> > ------------------------------------------------------------------------
> > This List Sponsored by: Cenzic
> >
> > Need to secure your web apps?
> > Cenzic Hailstorm finds vulnerabilities fast.
> > Click the link to buy it, try it or download Hailstorm for FREE.
> > http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW 
> >
> > ------------------------------------------------------------------------
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
> http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW 
>
> ------------------------------------------------------------------------


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------