RE: [Ntop] Traffic not addressed to me

Thu, 09 Jun 2005 09:23:47 -0700

--On Tuesday, June 07, 2005 6:24 PM -0500 Burton Strauss <[EMAIL PROTECTED]> wrote: 


if a switch is sending you bogus
traffic, that's a problem with the switch (probably overflowed it's MAC
address tables - either that or it's seen the same address on multiple
ports - stuff like that causes a switch to operate as a hub so it doesn't
lose traffic - it's your problem on the device end to throw away junk).


I got this reply from the hoster:


Okay, now it doesn't look so strange. All the pieces are working as they
should.

Let me try to explain what's happening. First, they are seeing ARP
requests and broadcasts for different networks on the same VLAN because
there are five different subnets sharing that VLAN (also called a bridge
group). That's not unusual.

BVI2 is up, line protocol is up
Internet address is 66.28.71.17/28
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Secondary address 66.28.14.49/28
Secondary address 66.28.238.1/27
Secondary address 66.28.23.65/26
Secondary address 38.113.32.1/24

I hope that makes sense. Now, the next one is going to be a bit more
difficult to explain. I need to start with a short explanation of how a
switch decides how to forward frames. When a switch first starts up, it
doesn't know anything about how to send frames to the devices connected
to it. It learns by watching the incoming frames and building a table of
MAC addresses associated with each port. If the switch does not know how
to get to a particular device (by its MAC address), then it sends it out
every port. This is called Unicast Flooding. Another case where the
frames are sent out every port is when the frame is a broadcast.

The table that is built has a timeout value, it is usually 300 seconds.
So, if the switch hasn't seen any frames from that device for 5 minutes,
it does a Unicast Flood on any frames sent to it.

So, that appears to be what's happening. The switch is not seeing any
packets from that device for over 5 minutes, so it drops it from the
table and does the Unicast Flood.


_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop






















					Reply via email to