Re: Ethernet switch flooding packets?



Hi Glen,

Thanks for your reply. The number of Ethernet hosts is around 5K on
the primary VLAN, but each switch is managed (via a separate VLAN, of
course) so will have its own MAC address. I don't know how many
other VLANs there are or how many hosts each has.

Interestingly, I've just done another capture (it's about 10:15am, so
a peak time on the network; yesterday I did it around 6.50pm) and I'm
seeing no "foreign" unicasts *whatsoever* - very peculiar.

Kind regards,

Anwar

Glen Herrmannsfeldt wrote:

anwarmahmood38@xxxxxxxxxxxxxx wrote:
(snip)

> Glen, I acknowledge 10 frames/sec wouldn't be considered a "flood", I
> was merely using the Ethernet switching terminology - if a switch
> doesn't know which individual port to push a frame out to, it will
> "flood" them to all ports. I've only done a short capture at one
> location at one time, so the magnitude of the problem is certainly
> inconclusive.

Yes, I was just trying to indicate the scale involved. It would
sound funny to call it a trickle in the ethernet standards.

> Patrick, I don't think this is a switch address timeout. In the
> frames that I saw, I saw some packets from my PC to a server on the
> other end of a router, and the corresponding replies. Hence "my"
> switch has "learnt" that my MAC address is on my port, and the
> router's MAC address is on the uplink port. If I exchanged no more
> traffic for the timeout period, then my address would of course
> time out and I would be flooded.

Yes, but so are all the other ports. Note that the switch, by design,
doesn't assume one host per port, even though, as you say, it isn't
an uplink port. When the MAC address times out for another port,
even the uplink port, those packets are sent to you.

> HOWEVER, just a few packets
> (milliseconds) later, the switch is forwarding unicast packets on my
> port that aren't for me. I think this is because
> - the switch has an 8K MAC address table.
> - every PC on each port gets added to the table when it transmits (as
> it should)
> - however, because there are many thousands of MAC addresses on the
> Ethernet fabric, they are all being added as belonging to the "uplink"
> port

Are there more than 8000 on the subnet (or VLAN)? In the
first post, it sounds closer to 1000 than 8000.

> - these are replacing the entries in the MAC address table about
> which PCs are on the "local/edge" ports
> - this is happening so fast that I'm receiving unicasts addressed
> to other MAC addresses on my computer, even though I just transmitted
> milliseconds ago

Putting your MAC in the cache doesn't stop others from being
sent to you. Only putting the other host in the MAC cache
for a different port will do that. As I said, one way that
happens is if the host goes down and stops replying. Until
it is out of the ARP cache, the packets will still be sent.
When it is out of the ARP cache, ARP broadcasts will be sent,
and you will see those.

The real answer is that if you really have 8000 hosts then yes,
you should go for L3 switches or routers to subnet the network.
Many people like to keep it below 250 (for a convenient netmask)
but for reasonable traffic levels and speeds 1000 is probably fine.
Maybe 2000, but not 8000.

The reason for the change is not that a few packets leak through,
but that it really is too crowded.

-- glen
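As an added illustration of the MAC-table behaviour argued over in this thread (example code, not from the original posts): a toy learning switch with a bounded table and aging. `scenario()` replays Anwar's theory with constructed MAC addresses and a capacity of 8 standing in for 8K; the returned port set shows a frame for a neighbour being flooded to p1 even though p1's host transmitted moments before, which is Glen's point that only the destination's own table entry stops the flooding.

```python
"""Toy learning switch: bounded MAC table with aging, to show when unicast
frames are flooded. Eviction is oldest-first, a simplification of the
hash-bucket tables in real switch ASICs."""
from collections import OrderedDict


class LearningSwitch:
    def __init__(self, ports, capacity, age_secs=300.0):
        self.ports = set(ports)
        self.capacity = capacity
        self.age_secs = age_secs
        self.table = OrderedDict()  # mac -> (port, last_seen)

    def _expire(self, now):
        for mac, (_, seen) in list(self.table.items()):
            if now - seen > self.age_secs:  # aging timer ran out
                del self.table[mac]

    def learn(self, src, port, now):
        self.table.pop(src, None)
        if len(self.table) >= self.capacity:
            self.table.popitem(last=False)  # table full: evict oldest entry
        self.table[src] = (port, now)

    def forward(self, src, dst, in_port, now):
        """Egress ports for one frame; 'every port but the ingress' means the
        switch had no entry for dst and flooded the frame."""
        self._expire(now)
        self.learn(src, in_port, now)
        hit = self.table.get(dst)
        if hit is not None and hit[0] != in_port:
            return {hit[0]}
        return self.ports - {in_port}


def scenario(capacity=8, remote_hosts=20):
    """Anwar's situation in miniature (all MACs constructed): 'uplink' carries
    the remote hosts, 'p1' is my PC, 'p2' a neighbour on the same switch.
    Returns the ports that a frame from the router to the neighbour reaches."""
    sw = LearningSwitch({"uplink", "p1", "p2"}, capacity)
    me, neighbour, router = "00:00:00:00:00:01", "00:00:00:00:00:02", "00:00:00:00:00:ff"
    sw.forward(neighbour, router, "p2", now=0.0)  # neighbour learnt on p2
    sw.forward(me, router, "p1", now=0.1)         # I am learnt on p1
    for i in range(remote_hosts):                 # remote senders all land on uplink
        sw.forward(f"02:00:00:00:{i:02x}:aa", me, "uplink", now=0.2)
    sw.forward(me, router, "p1", now=0.3)         # I transmit again, milliseconds later
    return sw.forward(router, neighbour, "uplink", now=0.3)
```

With `capacity=8` the neighbour's entry has been evicted and the frame reaches both p1 and p2; with a table large enough for every sender (for example `scenario(capacity=64)`) it reaches only p2.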