Re: Seeing unexpected skinny heartbeats when sniffing IP phone's network traffic



In article <1125594195.271767.186100@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>,
SplkBarney <david.barnish@xxxxxxxxxxxx> wrote:
:The latest theory on this is that it is Unicast Flooding. This is
:supposedly a normal occurrence when the switch's MAC table gets filled
:up. When the switch has a packet for a MAC, but can't find the MAC in
:its table, it sends it out all its ports; not as a broadcast packet,
:but essentially a broadcast because it is sent out every port. We have
:looked at the MAC table in both switches and they are far from being
:full, so I don't know about this being the cause.

That same kind of flooding occurs when the tables are not full but
the MAC is unknown. Since unmanaged switches do not have IP addresses,
they can't buffer packets for unknown hosts, send out ARP requests,
and receive replies that implicitly tell them which port to use
[by seeing the destination MAC as a packet source on that port.]
Thus unmanaged switches send unknown MACs to every port in the same
VLAN (and very few unmanaged switches have more than one VLAN!),
expecting that eventually there will be a reply and that it will learn
the appropriate port at that time.

This algorithm does not, however, work at all well if you have
asymmetric links -- if the port on which the MAC is seen as the source
is not the port that you have to transmit to in order to reach the MAC,
then packets are going to get lost. Spanning tree helps -some- on
this, but traditional spanning tree is not designed to detect
unidirectional links (e.g., broken wire, faulty connector, odd VLANing).

Cisco has a Unidirectional Link Detection Spanning Tree extension;
it is proprietary, though. Cisco is, if I recall, offering to license
it "for low cost", but I don't have the foggiest what Cisco would
consider low cost.
--
"No one has the right to destroy another person's belief by
demanding empirical evidence." -- Ann Landers
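
The learn-on-source, flood-on-unknown behaviour described in the reply above, as an added example that is not part of the original post: a small model of a learning switch showing why a passive sniffer port receives a phone's heartbeats when the destination MAC has not been learned. The MAC addresses, port numbers and VLAN ids are constructed, and table aging is not modelled.

```python
PHONE, CALLMGR = "00:00:5e:00:53:01", "00:00:5e:00:53:02"  # constructed MACs
# Constructed layout: 1 = phone, 2 = uplink, 3 = passive sniffer, 4 = other VLAN
PORT_VLANS = {1: 10, 2: 10, 3: 10, 4: 20}


class LearningSwitch:
    """Learns (VLAN, source MAC) -> port; floods frames for unknown destinations."""

    def __init__(self, port_vlans):
        self.port_vlans = port_vlans
        self.table = {}

    def receive(self, in_port, src, dst):
        """Learn src on in_port and return the set of ports the frame leaves on."""
        vlan = self.port_vlans[in_port]
        self.table[(vlan, src)] = in_port
        out = self.table.get((vlan, dst))
        if out is not None:
            # Known destination: forward to that one port (or drop if same port).
            return set() if out == in_port else {out}
        # Unknown destination: send out every other port in the same VLAN.
        return {p for p, v in self.port_vlans.items() if v == vlan and p != in_port}


def frames_seen_on(port, frames):
    """Indexes of the frames that a fresh switch delivers to the given port."""
    sw = LearningSwitch(PORT_VLANS)
    return [i for i, frame in enumerate(frames) if port in sw.receive(*frame)]


heartbeat = (1, PHONE, CALLMGR)   # phone -> call manager, enters on port 1
reply = (2, CALLMGR, PHONE)       # call manager -> phone, enters on port 2

# Replies come back through this switch, so the destination is learned.
symmetric = [heartbeat, reply, heartbeat, reply, heartbeat]
# Replies never enter this switch (return path elsewhere), so nothing is learned.
asymmetric = [heartbeat, heartbeat, heartbeat]

if __name__ == "__main__":
    print("sniffer, symmetric path: ", frames_seen_on(3, symmetric))
    print("sniffer, asymmetric path:", frames_seen_on(3, asymmetric))
    print("other VLAN port:         ", frames_seen_on(4, asymmetric))
```

On the symmetric path the sniffer sees only the first heartbeat; when the reply never arrives as a source on this switch, every heartbeat keeps being flooded to it, even though the table is nowhere near full.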