[CLUE-Tech] HP ethernet switch UDP broadcast storm

Nate Duehr nate at natetech.com
Tue May 11 13:36:30 MDT 2004


Jim Ockers wrote:

>We thought about the possibility of a loop but we decided that couldn't
>be the problem because we have spanning tree turned off.

Definitely sounds like a loop.  With spanning tree off, the switches 
have no ability to fix the problem themselves.  Spanning tree KILLS 
loops, it doesn't CREATE them.  The logic behind the decision made in 
the above sentence is fundamentally flawed.

Too late now, but next time get a copy of the ARP table from the "core" 
switch before resetting it.  I bet you'll find it had a MAC entry to 
another switch that had an ARP entry for that address pointing right 
back at the core. 

The "bogus packets" the PC was sending could have had their MAC address 
mangled to specifically cause the problem. 

(Perhaps the PC user was doing something silly like ARP hijacking to try 
to sniff traffic or someone else was?)  With spanning-tree turned off, 
your network is vulnerable to all sorts of silliness, including the issue
you mentioned.

It's EXTREMELY rare, but you could also just be darn unlucky and 
actually have two machines with duplicate MAC addresses. 

A span port (a port that is configured to see ALL traffic on the core 
switch) and a copy of arpwatch running on a linux box on that port could 
be useful.  (Heck, it's useful to have a span port hooked to a linux box 
for all sorts of reasons... that and good ol' tcpdump will find enough 
things wrong to keep a network admin busy for a month in most networks 
-- but your hardware has to be able to keep up with it... both the 
switch itself on the backplane and the linux box network card... a lot 
of people use laptops for this, but some older PCMCIA cards and linux 
drivers won't really keep up with 100Mb/s.)

Nate Duehr, nate at natetech.com
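The two checks Nate suggests above (arpwatch-style watching for an IP whose MAC changes or a MAC that claims several IPs, and looking for a MAC that keeps moving between switch ports, which is what a loop looks like in a forwarding table) can be scripted. The following is an added example and not code from the original post or from arpwatch; the observations it runs on are constructed, and in practice they would come from tcpdump/arpwatch output on the span port and from repeated dumps of the core switch's MAC (forwarding) table.

```python
"""Detect ARP flip-flops, duplicate MACs and port flapping from observations."""
from collections import defaultdict

# Constructed sample of what an arpwatch-style monitor on a span port would see,
# as (time_seconds, ip, mac) triples. Not real capture data.
ARP_OBSERVATIONS = [
    (0,  "10.0.0.5", "00:11:22:33:44:55"),
    (5,  "10.0.0.6", "00:11:22:33:44:66"),
    (10, "10.0.0.5", "00:11:22:33:44:55"),
    (12, "10.0.0.5", "de:ad:be:ef:00:01"),  # a second host now claims 10.0.0.5
    (15, "10.0.0.7", "00:11:22:33:44:66"),  # same MAC as 10.0.0.6: duplicate?
    (20, "10.0.0.5", "00:11:22:33:44:55"),  # the original host answers again
]

# Constructed sample of repeated MAC-table dumps from the core switch,
# as (time_seconds, mac, learned_port) triples. Port names are made up.
MAC_TABLE_SAMPLES = [
    (0, "00:11:22:33:44:55", "A1"),
    (1, "00:11:22:33:44:55", "A1"),
    (2, "00:11:22:33:44:66", "B3"),
    (3, "00:11:22:33:44:66", "A2"),  # same MAC now learned on another port
    (4, "00:11:22:33:44:66", "B3"),
    (5, "00:11:22:33:44:66", "A2"),
    (6, "00:11:22:33:44:66", "B3"),
]


def detect_arp_anomalies(observations):
    """Return (flipflops, duplicates).

    flipflops: list of (time, ip, old_mac, new_mac) whenever an IP's MAC changes,
               which is what arpwatch reports as a "flip flop" and what ARP
               hijacking looks like on the wire.
    duplicates: dict mac -> sorted list of IPs, for MACs seen with more than
                one IP (duplicate MAC addresses, or one host with several IPs).
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    flipflops = []
    for t, ip, mac in observations:
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            flipflops.append((t, ip, prev, mac))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
    duplicates = {m: sorted(ips) for m, ips in mac_to_ips.items() if len(ips) > 1}
    return flipflops, duplicates


def detect_port_flapping(samples, min_moves=3, window=10):
    """Return dict mac -> sorted list of ports for MACs whose learned port
    changed at least min_moves times within any window seconds.

    A MAC that keeps alternating between two ports is the classic signature
    of a layer-2 loop: the same frame arrives on both paths and the switch
    relearns the source address from whichever port it saw last.
    """
    last_port = {}
    moves = defaultdict(list)          # mac -> [(time, from_port, to_port)]
    for t, mac, port in samples:
        prev = last_port.get(mac)
        if prev is not None and prev != port:
            moves[mac].append((t, prev, port))
        last_port[mac] = port

    flapping = {}
    for mac, mv in moves.items():
        times = [m[0] for m in mv]
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= min_moves:       # enough moves inside one window
                flapping[mac] = sorted({p for _, a, b in mv for p in (a, b)})
                break
    return flapping


if __name__ == "__main__":
    flips, dups = detect_arp_anomalies(ARP_OBSERVATIONS)
    for t, ip, old, new in flips:
        print(f"t={t}: {ip} changed from {old} to {new}")
    for mac, ips in dups.items():
        print(f"{mac} seen with several IPs: {', '.join(ips)}")
    for mac, ports in detect_port_flapping(MAC_TABLE_SAMPLES).items():
        print(f"{mac} flapping between ports {', '.join(ports)} (possible loop)")
```

The thresholds in detect_port_flapping are assumptions: on a real network a host moving once (a laptop re-plugged elsewhere) is normal, so only repeated moves inside a short window are worth paging anyone about, and a MAC that shows up on an uplink port it should never be learned on is the entry to look at first.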
