[unisog] Network security police no hubs/switches/routers?

Kang Liu liukang at bjut.edu.cn
Tue May 24 00:51:18 GMT 2005


> -----Original Message-----
> From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org]
> On Behalf Of Clarke Morledge
> Sent: Tuesday, May 24, 2005 6:26 AM
> To: UNIversity Security Operations Group
> Subject: Re: [unisog] Network security police no hubs/switches/routers?
> 
> I've had several instances this year where a cheap hub started to send
> packets received on the uplink interface back out the same uplink
> interface.   Unfortunately, the hub filtered out the Spanning Tree
> packets, so I effectively get a unicast/broadcast packet storm without the
> means of detecting the problem -- other than the thrashing L2 tables in
> our switches.  What a mess.
> 
In this situation, there might be a looped cable on the cheap hub. What kind
of switches do you use in your campus network? My university uses Cisco 2950s
as access-layer switches; they can detect this kind of problem and put the
port into the err-disable state, even when spanning tree is not functional. The
unicast/broadcast storm can be filtered by applying a storm-control threshold
policy.

Kang
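As an added illustration (not part of Kang's message and not a configuration from the original thread), this is roughly what the two mechanisms he mentions look like on a Catalyst 2950 running IOS: loopback detection that err-disables a port receiving its own keepalives, and per-port storm-control thresholds. The interface number, VLAN, threshold percentages and recovery timer are assumed values chosen for the example, and the exact command set varies by IOS release, so check it against your own switch.

```text
! Added example: hypothetical Catalyst 2950 access-port configuration.
! Interface, VLAN, thresholds and timers are assumed values, not from the thread.
!
! Global: err-disable a port that receives its own keepalive frames back
! (a looped cable or a hub reflecting frames onto its uplink). This does not
! depend on spanning tree, so it still fires when the hub drops BPDUs.
errdisable detect cause loopback
!
! Bring loopback-disabled ports back automatically after 5 minutes so a
! transient fault does not need a manual "shutdown / no shutdown".
errdisable recovery cause loopback
errdisable recovery interval 300
!
interface FastEthernet0/1
 description access port (example)
 switchport mode access
 switchport access vlan 10
 ! Send a keepalive every 10 s so the loopback detection above has something to see.
 keepalive 10
 ! Storm thresholds as a percentage of line rate: suppress above the first
 ! value, resume below the second. The unicast threshold catches the flooded
 ! unicast traffic produced by thrashing MAC tables. Values are illustrative.
 storm-control broadcast level 10.00 5.00
 storm-control multicast level 10.00 5.00
 storm-control unicast level 30.00 20.00
 ! "shutdown" err-disables the port rather than silently dropping frames;
 ! "trap" sends an SNMP trap, so the storm is visible instead of merely filtered.
 storm-control action shutdown
 storm-control action trap
 ! Edge port: PortFast plus BPDU guard err-disables it if a device that does
 ! forward BPDUs is plugged in. This does not help with a hub that eats BPDUs.
 spanning-tree portfast
 spanning-tree bpduguard enable
!
```

After a storm or loop, `show interfaces status err-disabled` and `show storm-control` show which port was taken down and why; with the recovery timer above the port comes back on its own, but the log entry remains as the detection signal Clarke was missing.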
