From: Jan Rottschaefer (jrott@online.de)
Date: Mon Oct 16 2006 - 04:13:59 EDT
On Friday 13 October 2006 18:32, Jon Hart wrote:
hi jon,
i had a similar situation in a switched environment. certain frames to a
particular server where to be seen at every port on all switches within the
same vlan. the reason was that the server was attached with several cards for
loadbalancing. arp request for the virtual address where answered by each
server card but when the client send ip packets using the learned virtual mac
the server cards replied using their physical address which is stupid since
the vmac was never used as a source and so it could not be learned by the
switches. as a result frames that had the vmac as a destination where always
flooded...also a nice example on how to turn expensive network equipment into
a hub :)
regards
jan
> Greetings,
>
> I've got a situation here that I can't quite figure out. It is well
> known that it is possible to cause a switched network to act like an
> unswitched network by flooding the CAM table. There are countless tools
> and documents out there that cover the offensive and defensive measures
> related to this issue.
>
> While this isn't Cisco's official documentation on this issue,
> http://xrl.us/r8k7 says:
>
> "Content-addressable memory (CAM) overflow: A CAM table is used to
> determine where to direct incoming frames depending on which port the
> incoming MAC address came from. When the CAM receives a frame with an
> unknown destination, the proper procedure is to flood frames within
> the acceptable Layer 2 domain (the proper VLAN). Hardware and
> software tools are available (some for free), that can flood a switch
> with MAC addresses. Once the CAM table limit is exceeded, switches
> behave differently depending on the brand of the switch."
>
> My question is, has anyone seen a situation where the same broadcast
> behavior occurs, but the CAM table itself is not overloaded and there is
> no good reason for entries to be expiring? Furthermore, even if the
> entries were expired, has anyone encountered situations (malicious or
> otherwise), where a given port will receive traffic outside of its own
> L2?
>
> Thanks,
>
> -jon
>
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
> http://www.cenzic.com/products_services/download_hailstorm.php?camp=7016000
>00008bOW
> ------------------------------------------------------------------------
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:12 EDT