Re: unswitched behavior of a switched network...

From: Can't dig that daddy (cdtdaddy@hotmail.com)
Date: Mon Oct 16 2006 - 17:03:10 EDT


This is a common behaviour with M$ NLB. X-S
Analogously (e.g.: for load balancing) it could be possible that one of
the end-points of the communications you're seeing is using ARP
replies that contain a MAC address that doesn't match the one used in
its Ethernet frames (i.e.: the one that switches learn).

On Sun, 2006-10-15 at 20:03 -0500, Ben Nell wrote:
> Is all traffic being "broadcasted"? Can you narrow it down to a
> specific host that's common to all of the traffic, perhaps a gateway
> device? If you're doing multicasting on a gateway device
> (multicasting using unicast addressing), you would get the type of
> behavior that you're describing. I've seen this exact situation
> before, actually.
>
> BN
>
> On 10/13/06, Jon Hart <jhart@spoofed.org> wrote:
> > Greetings,
> >
> > I've got a situation here that I can't quite figure out. It is well
> > known that it is possible to cause a switched network to act like an
> > unswitched network by flooding the CAM table. There are countless tools
> > and documents out there that cover the offensive and defensive measures
> > related to this issue.
> >
> > While this isn't Cisco's official documentation on this issue,
> > http://xrl.us/r8k7 says:
> >
> > "Content-addressable memory (CAM) overflow: A CAM table is used to
> > determine where to direct incoming frames depending on which port the
> > incoming MAC address came from. When the CAM receives a frame with an
> > unknown destination, the proper procedure is to flood frames within
> > the acceptable Layer 2 domain (the proper VLAN). Hardware and
> > software tools are available (some for free), that can flood a switch
> > with MAC addresses. Once the CAM table limit is exceeded, switches
> > behave differently depending on the brand of the switch."
> >
> > My question is, has anyone seen a situation where the same broadcast
> > behavior occurs, but the CAM table itself is not overloaded and there is
> > no good reason for entries to be expiring? Furthermore, even if the
> > entries were expired, has anyone encountered situations (malicious or
> > otherwise), where a given port will receive traffic outside of its own
> > L2?
> >
> > Thanks,
> >
> > -jon
> >
> >
> > ------------------------------------------------------------------------
> > This List Sponsored by: Cenzic
> >
> > Need to secure your web apps?
> > Cenzic Hailstorm finds vulnerabilities fast.
> > Click the link to buy it, try it or download Hailstorm for FREE.
> > http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
> > ------------------------------------------------------------------------
> >
> >
>

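The mechanism the reply above points at (an end-point answering ARP with one MAC while sourcing its Ethernet frames from another, as unicast-mode NLB does) can be shown with a small switch model. The following is an added example, not code from the thread or from any vendor: a toy learning switch that fills its CAM table from frame source MACs and floods unknown-destination frames, plus a check that flags ARP replies whose sender hardware address differs from the Ethernet source address. All MAC addresses and the frame sequence are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    """One Ethernet frame as seen by the switch (constructed, not captured)."""
    ingress_port: int
    src_mac: str
    dst_mac: str
    arp_sender_mac: Optional[str] = None  # set only when the payload is an ARP reply


class LearningSwitch:
    """Minimal model of CAM-table learning and forwarding in a L2 switch."""

    def __init__(self, ports: Set[int]):
        self.ports = set(ports)
        self.cam: Dict[str, int] = {}  # MAC -> port where that MAC was last seen as a source

    def forward(self, frame: Frame) -> Set[int]:
        """Learn the source MAC, then return the set of egress ports for the frame."""
        # The switch only ever learns from the Ethernet source address, never from
        # the ARP payload. A MAC that appears only inside ARP replies is never learned.
        self.cam[frame.src_mac] = frame.ingress_port
        port = self.cam.get(frame.dst_mac)
        if frame.dst_mac == BROADCAST or port is None:
            # Broadcast or unknown unicast: flood every port except the ingress port.
            return self.ports - {frame.ingress_port}
        return {port}


def arp_mac_mismatches(frames: List[Frame]) -> List[Tuple[int, str, str]]:
    """Flag ARP replies whose sender hardware address differs from the frame source MAC.

    On a real network this is the condition to look for: such a host causes every
    frame addressed to its advertised MAC to be flooded, CAM overflow or not.
    """
    return [
        (f.ingress_port, f.src_mac, f.arp_sender_mac)
        for f in frames
        if f.arp_sender_mac is not None and f.arp_sender_mac.lower() != f.src_mac.lower()
    ]


def simulate() -> dict:
    """Run a constructed scenario: host A advertises a cluster MAC it never sends from."""
    sw = LearningSwitch(ports={1, 2, 3, 4})
    host_a = "00:11:22:33:44:01"      # constructed: NLB-style node on port 1
    cluster = "02:bf:0a:00:00:01"     # constructed: virtual MAC given out in ARP replies
    host_b = "00:11:22:33:44:02"      # constructed: client on port 2
    host_c = "00:11:22:33:44:03"      # constructed: client on port 3
    frames = [
        Frame(1, host_a, BROADCAST),                         # A: broadcast, CAM learns A on port 1
        Frame(2, host_b, BROADCAST),                         # B: ARP request for A's IP
        Frame(1, host_a, host_b, arp_sender_mac=cluster),    # A: ARP reply, sender MAC != frame src
        Frame(2, host_b, cluster),                           # B: data frame to the advertised MAC
        Frame(3, host_c, BROADCAST),                         # C: ARP request
        Frame(1, host_a, host_c, arp_sender_mac=host_a),     # A: well-formed ARP reply for comparison
        Frame(3, host_c, host_a),                            # C: data frame to A's real MAC
    ]
    results = [sw.forward(f) for f in frames]
    return {
        "cam": dict(sw.cam),
        "to_cluster_mac": results[3],   # flooded: cluster MAC never seen as a source
        "to_real_mac": results[6],      # switched: A's real MAC is in the CAM table
        "mismatches": arp_mac_mismatches(frames),
    }


if __name__ == "__main__":
    out = simulate()
    print("CAM table:", out["cam"])
    print("frame to advertised cluster MAC went to ports:", sorted(out["to_cluster_mac"]))
    print("frame to A's real MAC went to ports:", sorted(out["to_real_mac"]))
    print("ARP sender/frame-source mismatches:", out["mismatches"])
```

The frame to the advertised cluster MAC is flooded to every other port even though the CAM table holds only three entries and nothing has expired, which is the symptom the original question describes without any table overflow. The same comparison (ARP sender hardware address versus Ethernet source address) can be run over a real capture to find the host responsible.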

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:13 EDT