[CLUE-Tech] HP ethernet switch UDP broadcast storm
Nate Duehr
nate at natetech.com
Tue May 11 13:36:30 MDT 2004
Jim Ockers wrote:
>We thought about the possibility of a loop but we decided that couldn't
>be the problem because we have spanning tree turned off.
>
>
Definitely sounds like a loop. With spanning tree off, the switches
have no ability to fix the problem themselves. Spanning tree KILLS
loops, it doesn't CREATE them. The logic behind the decision made in
the above sentence is fundamentally flawed.
Too late now, but next time get a copy of the ARP table from the "core"
switch before resetting it. I bet you'll find it had a MAC entry to
another switch that had an ARP entry for that address pointing right
back at the core.
The "bogus packets" the PC was sending could have had their MAC address
mangled to specifically cause the problem.
(Perhaps the PC user was doing something silly like ARP hijacking to try
to sniff traffic or someone else was?) With spanning-tree turned off,
your network is vulnerable to all sorts of silliness, including the issue
you mentioned.
It's EXTREMELY rare, but you could also just be darn unlucky and
actually have two machines with duplicate MAC addresses.
A span port (a port that is configured to see ALL traffic on the core
switch) and a copy of arpwatch running on a linux box on that port could
be useful. (Heck, it's useful to have a span port hooked to a linux box
for all sorts of reasons... that and good ol' tcpdump will find enough
things wrong to keep a network admin busy for a month in most networks
-- but your hardware has to be able to keep up with it... both the
switch itself on the backplane and the linux box network card... a lot
of people use laptops for this, but some older PCMCIA cards and linux
drivers won't really keep up with 100Mb/s.)
Nate Duehr, nate at natetech.com
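As an added example (not part of Nate's post or any tool he names), the script below checks the two conditions discussed above over constructed data: a MAC address learned on more than one port of the core switch (the loop signature), and an IP address whose MAC keeps changing (the arpwatch-style "flip flop" that duplicate MACs or ARP hijacking produce). The table layout, timestamps and addresses are all assumptions made up for the example.

```python
from collections import defaultdict

# Constructed sample of a switch MAC-address table, one "MAC PORT" pair per line.
# The same MAC showing up on ports 1 and 24 is what a forwarding loop looks like.
MAC_TABLE = """\
00:11:22:33:44:55 1
00:11:22:33:44:66 2
00:11:22:33:44:55 24
aa:bb:cc:dd:ee:ff 3
"""

# Constructed ARP observations as "TIME IP MAC", the shape arpwatch logs them in.
# 192.0.2.10 bouncing between two MACs is the flip-flop arpwatch would report.
ARP_LOG = """\
10:00:01 192.0.2.10 00:11:22:33:44:66
10:00:05 192.0.2.20 aa:bb:cc:dd:ee:ff
10:00:09 192.0.2.10 00:11:22:33:44:55
10:00:12 192.0.2.10 00:11:22:33:44:66
"""


def macs_on_multiple_ports(table):
    """Return {mac: sorted list of ports} for every MAC learned on more than one port."""
    ports = defaultdict(set)
    for line in table.splitlines():
        if not line.strip():
            continue
        mac, port = line.split()
        ports[mac.lower()].add(int(port))
    return {mac: sorted(p) for mac, p in ports.items() if len(p) > 1}


def arp_flip_flops(log):
    """Return {ip: [macs in the order seen]} for every IP whose MAC changed over time."""
    history = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        _time, ip, mac = line.split()
        # Only record a change, so a stable mapping leaves a one-entry history.
        if not history[ip] or history[ip][-1] != mac.lower():
            history[ip].append(mac.lower())
    return {ip: macs for ip, macs in history.items() if len(macs) > 1}


if __name__ == "__main__":
    print("MACs on multiple ports:", macs_on_multiple_ports(MAC_TABLE))
    print("ARP flip-flops:", arp_flip_flops(ARP_LOG))
```

Feeding the real table from the core switch and the arpwatch log from the span-port box into these two functions is the check Nate suggests taking before resetting anything.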