679 Views | 0 Helpful | 4 Replies

Leaking switches

mank
Level 1

In our net we have approx. 30 C2924-XL and 10 C3524-XL switches, and one layer 3 (C4908G), all in one extended star topology. (No hubs.)

If I have a sniffer on a workstation in one end of the net, I can see traffic from the other end of the net, e.g. web traffic, mail and so on. Even when the net is at low use.

How can that be?

We have no VLAN, there are not many MAC addresses in the switches, all the 2900 and 3500 have new IOS.

Does anyone have an idea how to solve this problem?

4 Replies

e.schliesing
Level 1

Sure, you have a few choices, depending on your needs. What you are seeing is broadcast traffic, I believe. With no VLANs ('cept default VLAN 1, I'm assuming) all of your devices are perceived to be on the same wire, so broadcasts for SMTP, www, etc. are all heard by each device ON that wire. I'd suggest VLANing and subnetting to create smaller broadcast domains. Create each switch as its own VLAN, connect that VLAN to the core 4908, define that VLAN as an interface at layer 3, have that IP as the default gateway for each particular VLAN, and default route those IPs to your border router. You can get WAY more simple, or complex, depending on your needs, but what I'm recommending is considered the "collapsed core" network topology, per Cisco, I think..... now if I could just learn how to spell IP....

Eric

Thank you for your answer.

But the traffic I see is not just broadcast. I can e.g. see a single connection between a workstation on our net (it does not have to be on the same segment of the star) downloading a page from an external web server, or someone in the net checking their mail at our mail server. And this I can do from any workstation (that has a sniffer program) in the net.

I can't see all traffic, but very much of it.

And this is not just a security matter: if someone is downloading a lot from e.g. Kazaa, Gnutella... then this traffic is going to all (I don't know if it's all, but many) switches and is a great burden to the net. And it's not broadcast nor multicast.

I'll be grateful for any idea.

/Magnus B

If you truly had a star network with switches, it would be IMPOSSIBLE to see anything other than broadcast traffic.

My bet is that somewhere in your network you have loops. I've seen this happen especially where there are hundreds of PCs and the wiring may be old and sloppy (or the users patch themselves!).

All it takes is one or two misplaced patch cords. Check out your wiring, switch by switch and patch panel by patch panel.

bill.higgins
Level 1

My guess is that the Ethernet port on the switch that you connect your PC to is configured as a SPAN port, and because you can see everything in the network, that all the other switch ports on all the switches are also configured as SPAN ports. Most likely, when the network was set up, someone set them up this way, perhaps for testing, perhaps out of ignorance. Please post a reply when you figure this out.