Please excuse my ignorance, I am a nitwit (Nerd In Training With Information Technology). I am running wireshark on my PC and seeing ton's of traffic I think I should not be seeing. For example a Server has a mapi connection to another server. I thought the idea of a switch is that that traffic is only between those two hosts? The environment I setup has 4 Brocade FCX48's in a stack in the server farm and a seperate stack of 8 fcx48's for the user's. The stacks are trunked together using 8 gbit links between the stacks. I also have a transparent ips system intercepting all traffic between the stacks (in line) and noticed it things some mac spoofing happening. I figure that is because traffic from a mac comes from one link one time and then another link another time, i.e. port-1 then later from port-2.
Could the trunk between the switch stacks be causing the traffic to be sent "everywhere" and if so what is the fix?
asked 04 Apr '12, 16:07
It depends where you connected your PC. If it's a simple access port on the switch you should NOT see that traffic. If the port is a mirror/span port, you SHOULD see that traffic. Please check the configuration of the switch port your PC is connected to. If the switch port is a regular access port, please try another switch port. If it's the same there, I suggest a brocade expert should check the switch configuration. One possible cause could be the switch running in fail-open mode (basically a hub), which would degrade the overall performance of your network significantly. However that's just speculation. One cannot tell, based on the amount of information given.
Is this a vendor specific link (virtual chassis link / multi chassis link (MCT) / Inter chassis link (ICL)) or is it LACP (Link Aggregation)?
If the IPS is between those trunk ports, I assume it's LACP (as there is usally no way to tap into vendor specific links). If it's LACP it's perfectly normal to see the same (source) MAC address on both ports, depending on the hash method defined for LACP (round-robin, L3, L4). You would also see the same MAC address on another link, for a connection to a different endpoint!