Re: unswitched behavior of a switched network...

From: Florian Osses (florian.osses@wtnet.de)
Date: Mon Oct 16 2006 - 16:47:32 EDT


Sorry for my simple question.
But what kind of broadcast do you discover?
Perhaps you have a loop in your network, or even a sort of spanning tree
(double-connected wire to one switch) which spams your network?!

Florian Osses

Ben Nell wrote:
> Is all traffic being "broadcasted"? Can you narrow it down to a
> specific host that's common to all of the traffic, perhaps a gateway
> device? If you're doing multicasting on a gateway device
> (multicasting using unicast addressing), you would get the type of
> behavior that you're describing. I've seen this exact situation
> before, actually.
>
> BN
>
> On 10/13/06, Jon Hart <jhart@spoofed.org> wrote:
>> Greetings,
>>
>> I've got a situation here that I can't quite figure out. It is well
>> known that it is possible to cause a switched network to act like an
>> unswitched network by flooding the CAM table. There are countless tools
>> and documents out there that cover the offensive and defensive measures
>> related to this issue.
>>
>> While this isn't Cisco's official documentation on this issue,
>> http://xrl.us/r8k7 says:
>>
>> "Content-addressable memory (CAM) overflow: A CAM table is used to
>> determine where to direct incoming frames depending on which port the
>> incoming MAC address came from. When the CAM receives a frame with an
>> unknown destination, the proper procedure is to flood frames within
>> the acceptable Layer 2 domain (the proper VLAN). Hardware and
>> software tools are available (some for free), that can flood a switch
>> with MAC addresses. Once the CAM table limit is exceeded, switches
>> behave differently depending on the brand of the switch."
>>
>> My question is, has anyone seen a situation where the same broadcast
>> behavior occurs, but the CAM table itself is not overloaded and there is
>> no good reason for entries to be expiring? Furthermore, even if the
>> entries were expired, has anyone encountered situations (malicious or
>> otherwise), where a given port will receive traffic outside of its own
>> L2?
>>
>> Thanks,
>>
>> -jon
>>
>>
>> ------------------------------------------------------------------------
>> This List Sponsored by: Cenzic
>>
>> Need to secure your web apps?
>> Cenzic Hailstorm finds vulnerabilities fast.
>> Click the link to buy it, try it or download Hailstorm for FREE.
>> http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
>>
>> ------------------------------------------------------------------------
>>
>>
>


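To make the CAM-overflow behaviour quoted above concrete from the defender's side, here is an added example (not from any poster in this thread): a toy learning switch with a bounded CAM table, plus the two checks a defender would run, namely "does my port receive unicast frames not addressed to me?" and "how many distinct source MACs has each port sourced?". The LRU eviction policy, port numbers and MAC addresses are assumptions for the simulation; as the quoted text says, real switches differ by brand once the table is full.

```python
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """Toy learning switch with a bounded CAM table (assumed LRU eviction when full)."""

    def __init__(self, ports, cam_limit):
        self.ports = ports
        self.cam_limit = cam_limit
        self.cam = OrderedDict()                      # mac -> port
        self.seen_macs = {p: set() for p in ports}    # distinct source MACs per port

    def forward(self, in_port, src, dst):
        """Learn src on in_port, then return the list of egress ports for the frame."""
        self.seen_macs[in_port].add(src)
        if src in self.cam:
            self.cam.move_to_end(src)
        elif len(self.cam) >= self.cam_limit:
            self.cam.popitem(last=False)              # table full: evict oldest entry
        self.cam[src] = in_port
        if dst != BROADCAST and dst in self.cam:
            out = self.cam[dst]
            return [] if out == in_port else [out]    # known unicast: one port
        return [p for p in self.ports if p != in_port]  # unknown/broadcast: flood


def foreign_unicast_count(host_mac, delivered):
    """Host-side check: unicast frames delivered to us that are neither ours nor broadcast."""
    return sum(1 for (_src, dst) in delivered if dst not in (host_mac, BROADCAST))


def ports_over_mac_limit(switch, per_port_limit):
    """Switch-side check (what port security enforces): ports sourcing too many MACs."""
    return sorted(p for p, macs in switch.seen_macs.items() if len(macs) > per_port_limit)


def simulate(bogus_mac_count):
    """Constructed scenario: A on port 1, B on port 2, an observer on port 3."""
    sw = Switch(ports=[1, 2, 3], cam_limit=8)
    a, b, observer = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:03"
    sw.forward(1, a, BROADCAST)                       # A announces itself
    sw.forward(2, b, a)                               # B replies; both are now learned
    for i in range(bogus_mac_count):                  # port 3 sources many distinct MACs
        sw.forward(3, "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF), BROADCAST)
    delivered_to_3 = []                               # what the observer on port 3 now sees
    for _ in range(5):
        if 3 in sw.forward(1, a, b):                  # A -> B unicast, should stay on port 2
            delivered_to_3.append((a, b))
    return foreign_unicast_count(observer, delivered_to_3), ports_over_mac_limit(sw, 2)
```

With no bogus MACs the observer sees nothing; once the table limit is exceeded every A-to-B unicast frame is flooded to port 3, and the per-port MAC count flags port 3.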
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:13 EDT