switch vulnerability

jmarwan76
Level 1

I have a Cisco switch (Catalyst 2900XL) connected to a core switch (Catalyst 4500).

Using a sniffer (Ethereal), I'm seeing HSRP traffic (and other unicast traffic like telnet) from a station connected to a port of the switch (Cat2900XL).

This port is not a SPAN or monitor port.

I have two questions:

1- HSRP is multicast traffic. Why is the destination MAC address not the broadcast MAC address ffff.ffff.ffff?

2- Even if I change the switch for an HP ProCurve 2524 or BayStack 450-24T,

for the Cisco Cat 2900XL I have blocked flooded unicast and multicast packets.

But I still receive unicast packets that are destined for other stations.

Is this normal behavior for a "switch"?

2 Replies

lgijssel
Level 9

The broadcast address ffff.ffff.ffff is reserved for transmissions that need to reach all nodes on the (sub)net. Multicast traffic is only destined to members of the multicast group. For HSRP, these are the standby neighbors. You can have many different multicast groups on a network. Routing protocols like OSPF and EIGRP also use multicast packets for their updates. This relieves other hosts from the burden of processing these packets.

The reason why you are seeing unicast packets on a switch port is simple also: unicast destinations that are not in the MAC address table are flooded while the switch does not yet know to which specific port to direct them. As soon as the address is "learned", the following packets are correctly forwarded. A MAC address can only be learned when the host owning the MAC sends a response.

Regards,

Leo
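As an added illustration of the two points in this reply (not code from either poster), the toy learning switch below shows unknown-unicast flooding turning into single-port forwarding once the destination's MAC has been learned, and the standard RFC 1112 mapping that turns the HSRP group 224.0.0.2 into the multicast MAC 01:00:5e:00:00:02 rather than the broadcast address. The `blocked_ports` set is an assumption of this model, standing in for a port configured to drop unknown-unicast floods; the port layout and MAC addresses are constructed for the demo.

```python
"""Toy learning switch plus the IPv4 multicast-to-MAC mapping.

Added example for this thread (not code from the original posts). It models
the behaviour described above: a frame to a unicast MAC the switch has not yet
learned is flooded out every other port; once the destination host has sent a
frame, its MAC is in the table and later frames go to one port only. It also
shows why an HSRP hello does not carry ff:ff:ff:ff:ff:ff: the group 224.0.0.2
maps to the multicast MAC 01:00:5e:00:00:02 (RFC 1112 mapping).
The "blocked_ports" set is a simplified model of a port configured to drop
unknown-unicast floods; it is an assumption of this toy, not vendor behaviour.
"""
from dataclasses import dataclass, field
import ipaddress

BROADCAST = "ff:ff:ff:ff:ff:ff"


def multicast_mac(group: str) -> str:
    """Map an IPv4 multicast group to its MAC: 01:00:5e + low 23 bits of the address."""
    ip = ipaddress.IPv4Address(group)
    if not ip.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast group")
    low23 = int(ip) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def is_group_mac(mac: str) -> bool:
    """A MAC with the I/G bit (lowest bit of the first octet) set is multicast or broadcast."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


@dataclass
class Frame:
    src: str
    dst: str
    ingress: int  # port the frame arrived on


@dataclass
class LearningSwitch:
    ports: int
    blocked_ports: set = field(default_factory=set)  # ports that refuse unknown-unicast floods (assumption)
    mac_table: dict = field(default_factory=dict)     # MAC -> port

    def forward(self, frame: Frame) -> list:
        """Return the sorted list of egress ports for this frame, learning the source MAC first."""
        self.mac_table[frame.src] = frame.ingress
        others = [p for p in range(self.ports) if p != frame.ingress]
        if is_group_mac(frame.dst):
            # Broadcast and multicast: flooded to all other ports (no IGMP snooping in this model)
            return others
        port = self.mac_table.get(frame.dst)
        if port is not None:
            # Known unicast: a single egress port (dropped if it would go back out the ingress port)
            return [] if port == frame.ingress else [port]
        # Unknown unicast: flooded, except to ports configured to block such floods
        return [p for p in others if p not in self.blocked_ports]


def demo() -> list:
    """Constructed scenario: host A on port 0, host B on port 1, a sniffer on port 2,
    and port 3 configured to block unknown-unicast floods."""
    sw = LearningSwitch(ports=4, blocked_ports={3})
    host_a, host_b = "02:00:00:00:00:0a", "02:00:00:00:00:0b"  # constructed locally-administered MACs
    return [
        sw.forward(Frame(host_a, host_b, 0)),  # B unknown -> flooded to ports 1 and 2 (3 is blocked)
        sw.forward(Frame(host_b, host_a, 1)),  # A already learned -> port 0 only
        sw.forward(Frame(host_a, host_b, 0)),  # B now learned -> port 1 only; the sniffer sees nothing
        sw.forward(Frame(host_a, multicast_mac("224.0.0.2"), 0)),  # HSRP hello -> ports 1, 2 and 3
    ]


if __name__ == "__main__":
    print(multicast_mac("224.0.0.2"))
    for step in demo():
        print(step)
```

Running `demo()` gives `[[1, 2], [0], [1], [1, 2, 3]]`: the first frame to B is flooded (the sniffer on port 2 sees it), B's reply teaches the switch where B lives, and the third frame goes only to port 1. The HSRP hello still reaches every port because it is a group address, which is why blocking unknown unicast alone does not stop a sniffer from seeing multicast.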

OK, I agree with you,

but using a "switchport block unicast" command

in this case must resolve the problem, yes?