Re: unswitched behavior of a switched network...

From: Jon Hart (jhart@spoofed.org)
Date: Sat Oct 14 2006 - 16:48:03 EDT


On Sat, Oct 14, 2006 at 07:52:27AM -0400, Michael Scheidell wrote:
> > My question is, has anyone seen a situation where the same
> > broadcast behavior occurs, but the CAM table itself is not
> > overloaded and there is no good reason for entries to be
> > expiring? Furthermore, even if the entries were expired, has
> > anyone encountered situations (malicious or otherwise), where
> > a given port will receive traffic outside of its own L2?
>
> Broadcasts are, well, broadcasts. They have to broadcast. All
> broadcasts are passed to all ports.

Sorry, I shouldn't have used the term broadcast. What I'm seeing is
snippets of conversations going on between other hosts that I should
certainly not be seeing. This could be conversation between two other
hosts on the same network as I am, other hosts on different VLANs, or
a "local" host and some host somewhere out on the internet. The port
I have access to is confirmed to be nothing special, and identical to
what any other host on the network would have.

> In fact, you will always see broadcasts, ipx, multicast, vrrp, CDP and
> other type messages on all ports.

Well, yes. I certainly see that, but I *expect* to see that.

> Also, is it a Cisco? Or some other box? Some 'switches' are just cheap
> hubs (ok, expensive hubs) and if you have some 10mb and some 100mb
> traffic, it can act as a hub.

This is all Cisco.

Thanks,

-jon
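As an added illustration (not part of this thread, and not Jon's or Michael's code), a small Python check that separates the traffic any port is expected to see (broadcast, multicast such as VRRP or CDP, unicast addressed to the listening host) from unicast frames between other hosts, which is the symptom described above; it also reads 802.1Q tags so frames leaking from another VLAN are tallied under their VLAN id. All MAC addresses and frames are constructed for the example, and `MY_MAC` / `SAMPLE_FRAMES` are names it assumes rather than anything from the thread.

```python
import struct
from collections import Counter

BROADCAST = b"\xff" * 6
ETHERTYPE_VLAN = 0x8100  # 802.1Q tag

def build_frame(dst, src, ethertype, payload=b"", vlan=None):
    # Ethernet II header, optionally with an 802.1Q tag (priority 0, given VLAN id)
    tag = struct.pack("!HH", ETHERTYPE_VLAN, vlan & 0x0FFF) if vlan is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload

def classify_frame(frame, my_mac):
    # Returns (kind, src, dst, vlan); kind says whether this port should have seen the frame.
    if len(frame) < 14:
        raise ValueError("truncated frame")
    dst, src = frame[:6], frame[6:12]
    ethertype, vlan = struct.unpack("!H", frame[12:14])[0], None
    if ethertype == ETHERTYPE_VLAN and len(frame) >= 18:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = tci & 0x0FFF
    if dst == BROADCAST:
        kind = "broadcast"        # ARP etc.: expected on every port
    elif dst[0] & 0x01:
        kind = "multicast"        # group bit set: CDP, VRRP, IPv6 ND: expected
    elif dst == my_mac:
        kind = "unicast-to-me"    # normal switched delivery
    else:
        kind = "unicast-foreign"  # someone else's conversation: should not reach this port
    return kind, src.hex(":"), dst.hex(":"), vlan

def foreign_unicast_report(frames, my_mac):
    # Count frames by kind and tally foreign unicast conversations as (src, dst, vlan).
    kinds, convs = Counter(), Counter()
    for f in frames:
        kind, src, dst, vlan = classify_frame(f, my_mac)
        kinds[kind] += 1
        if kind == "unicast-foreign":
            convs[(src, dst, vlan)] += 1
    return kinds, convs

# Constructed sample capture (hypothetical MACs, not taken from the thread).
MY_MAC = bytes.fromhex("001122334455")
HOST_A, HOST_B, ROUTER = (bytes.fromhex(m) for m in ("0a0000000001", "0a0000000002", "0a0000000099"))
SAMPLE_FRAMES = [
    build_frame(BROADCAST, HOST_A, 0x0806, b"arp-request"),               # ARP broadcast
    build_frame(bytes.fromhex("01005e000012"), ROUTER, 0x0800, b"vrrp"),  # VRRP multicast
    build_frame(MY_MAC, ROUTER, 0x0800, b"to-me"),                        # unicast to this host
    build_frame(HOST_A, HOST_B, 0x0800, b"a-b"),                          # foreign, untagged
    build_frame(HOST_B, HOST_A, 0x0800, b"b-a", vlan=20),                 # foreign, other VLAN
]
```

Run against a real capture, a steady count of `unicast-foreign` frames on an ordinary access port is the thing to take to the switch's CAM table and port configuration, while the broadcast and multicast counts are the noise Michael describes as normal.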




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:12 EDT