
Wireshark-users: Re: [Wireshark-users] How Did I See These Packets?

From: Sake Blok <sake@xxxxxxxxxx>
Date: Fri, 16 Nov 2007 17:53:47 +0100
On Fri, Nov 16, 2007 at 07:54:53AM -0500, bmcmanus wrote:
> 
> There was no port mirroring active on the new switch.  This is a 
> flat class B network (Note: we are working to correct
> that).

How many hosts on that flat network? I'm sure you're not using the
whole B-net?

> My monitoring PC address was in a different subnet.

Different subnet, but still in the same vlan? Or was its port
in the same vlan as all the hosts from the B-net?

> Disregarding the security implications (according the the Customer's 
> IS tech, the owners of the two machines were in
> separate departments, and there was no reason for them to be 
> communicating the information found in the packets), I
> don't understand how I could even see this info.

What protocol did you see?

> Assuming that something happened to cause a switch to fall into 
> hub mode, then it would have needed to happen on at
> least two switches (including my new switch),

If you have many hosts on the net, you might have run out of space
in the forwarding database on the switches. What kind of switches
are they and do you know how many mac-address entries they can
handle (per vlan)?

> and I would have expected to see collisions in the high traffic
> environment around the core switch.  None were captured.

I take it that all ports between switches are in full-duplex
mode. If there is congestion in the network you wouldn't see
any collisions, but Packet Drops/Discards. Did you check those
too?

> Any ideas on how those packets appeared at a remote switch port?

Well, my first guess is overloaded fdb-tables as explained above.
That would make the switches flood traffic for which they do not
have an entry in their fdb.

Cheers,


Sake
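The flooding behaviour Sake describes, as an added example that is not part of the original thread and not code from Wireshark or either poster: a simplified learning switch whose forwarding database (FDB) has a fixed capacity, plus a check you can run over the source/destination MAC pairs of a capture taken on a non-mirrored port. The switch model (learn source MAC while the table has room, forward known unicast to its learned port, flood unknown unicast and broadcast to every other port, no ageing), the port names, the host count and the MAC prefix are all assumptions of this example; real switches differ in how they behave when the table is full.

```python
"""Simulated learning switch with an FDB that can fill up, and a check for
unicast frames arriving at a port they were never addressed to.

Added example for this thread; not Wireshark's code and not the posters'.
Assumed (simplified) switch behaviour: learn src MAC -> ingress port while
the FDB has room, forward known unicast to that port, flood everything
else to all other ports, never age entries out.
"""

from collections import Counter

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    def __init__(self, ports, fdb_capacity):
        self.ports = list(ports)
        self.fdb_capacity = fdb_capacity
        self.fdb = {}          # MAC -> port it was learned on
        self.flooded = 0       # frames sent out every port but the ingress

    def forward(self, ingress, src, dst):
        """Return the list of egress ports for one frame."""
        # A full table cannot learn the addresses of the remaining hosts.
        if src not in self.fdb and len(self.fdb) < self.fdb_capacity:
            self.fdb[src] = ingress
        if dst != BROADCAST and dst in self.fdb:
            out = self.fdb[dst]
            return [] if out == ingress else [out]   # same segment: not forwarded
        # Unknown unicast (or broadcast): flood to all other ports. This is
        # how a frame between two hosts reaches an unrelated monitoring port.
        self.flooded += 1
        return [p for p in self.ports if p != ingress]


def mac(i):
    """Constructed locally administered MAC for host number i (assumption)."""
    return "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF)


def run_scenario(n_hosts, fdb_capacity, monitor_port="p_mon"):
    """n_hosts hosts hang off port p_hosts; the monitoring PC sits alone on
    monitor_port. Every host first broadcasts once (think ARP), then sends
    one unicast frame to its neighbour. Nobody addresses the monitor.
    Returns the (src, dst) pairs that still arrive at the monitor port."""
    sw = LearningSwitch(["p_hosts", "p_uplink", monitor_port], fdb_capacity)
    for i in range(n_hosts):
        sw.forward("p_hosts", mac(i), BROADCAST)       # fills the FDB up to capacity
    seen_at_monitor = []
    for i in range(n_hosts):
        dst = mac((i + 1) % n_hosts)
        if monitor_port in sw.forward("p_hosts", mac(i), dst):
            seen_at_monitor.append((mac(i), dst))
    return seen_at_monitor


def is_multicast(m):
    """Group bit (lowest bit of the first octet) set: multicast or broadcast."""
    return int(m.split(":")[0], 16) & 1 == 1


def foreign_unicast(frames, own_mac):
    """Given (src, dst) pairs captured on a port, count unicast frames that
    are not addressed to own_mac. On a non-mirrored switch port this should
    be (close to) zero; a steady stream of them points at flooding, a hub,
    or a span port you did not know about."""
    return Counter(dst for _, dst in frames
                   if dst != own_mac and not is_multicast(dst))


if __name__ == "__main__":
    # Constructed scenario: 8 hosts, FDB room for only 5 of them.
    frames = run_scenario(8, 5)
    print("unicast frames leaking to the monitor port:", len(frames))
    for dst, n in foreign_unicast(frames, "02:00:00:aa:bb:cc").items():
        print("  to", dst, "x", n)
```

With enough FDB room every neighbour-to-neighbour frame stays on the hosts' segment and the monitor sees nothing; once the table is smaller than the host count, frames to the unlearned addresses are flooded and show up on the monitor port exactly as in the original question. To apply the check to a real capture, feed `foreign_unicast` the `eth.src`/`eth.dst` pairs exported from Wireshark and your capture NIC's MAC.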