[c-nsp] Sniffing unicasts in a switched network?
Sven Juergensen (KielNET)
s.juergensen at kielnet.de
Mon Sep 10 12:16:23 EDT 2007
Hi list,
I got my understanding of switching and microsegmentation fundamentally challenged with this. Imagine having two switches .1q'ed together, transporting two VLANs. All access ports save the trunks are untagged on VLAN x and tagged on VLAN y. Both ends of the trunk links are tagged for each VLAN as well.

Now, when promiscuously sniffing one of the access ports (no mirroring enabled, broad- and multicasts filtered out), every now and then I'm seeing TCP/UDP unicasts from random machines of either VLAN. Some of the machines frequently talk to the same destination. Examples are jetdirect and SNMP traffic, but also SSH and FTP connections are in for the ride. Also, those connections are sniffed one way only, i.e. I'm getting the src->dst but not the return frames. No, I'm not arpspoofing or MITMing ;)

Isn't switching about dedicated channels across the switch matrix, forming full-duplex paths for every frame from one port to the other as long as the MAC addresses are known to the CAM; broadcasting only when there is no IP-MAC pairing yet? How is it possible to receive unicast frames destined for other hosts?

My guess is that there are flaky implementations of the IP/Ethernet software on either host or switch, but since the sniffed packets are definite unicasts, I'm at a loss.

How can this be?
Best regards,
sven03
--
With kind regards
on behalf of Sven Juergensen
Department of Information Technology
KielNET GmbH
Gesellschaft fuer Kommunikation
Preusserstr. 1-9, 24105 Kiel
Phone : 0431 / 2219-053
Fax : 0431 / 2219-005
E-Mail : s.juergensen at kielnet.de
Internet: http://www.kielnet.de
AS# 25295
Key fingerprint:
65B6 90FC 010A 39CE DCA5 336D 9C45 3B7A B02D E132
Managing Director Eberhard Schmidt
HRB 4499 (Amtsgericht Kiel)
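The post describes unicast frames for other hosts showing up on an access port, always in one direction only. The script below is an added example (not from the poster or the cisco-nsp list) that quantifies exactly that symptom from a capture: it parses raw Ethernet frames (with or without an 802.1Q tag), classifies each by destination MAC, and lists the foreign unicast flows for which no reverse-direction frame was seen. The sniffing host's MAC, the frame builder and the sample frames (a jetdirect session, an SNMP poll, a two-way SSH session, an ARP broadcast, and one frame addressed to the sniffer) are all constructed here; to use it on a real capture, feed it the raw frame bytes from a pcap reader instead of SAMPLE_FRAMES.

```python
# Added example, not part of the original post: classify captured Ethernet
# frames and report foreign unicast flows seen in one direction only.
import struct
from collections import defaultdict

MY_MAC = "00:11:22:33:44:55"  # assumed MAC of the sniffing host (constructed)


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def build_frame(dst, src, sip, dip, proto, sport, dport, vlan=None):
    """Construct a minimal Ethernet/IPv4 frame carrying only the first 4 bytes of
    the TCP/UDP header (ports). Used to fabricate sample input; not a real capture."""
    hdr = mac_bytes(dst) + mac_bytes(src)
    if vlan is not None:
        hdr += struct.pack("!HH", 0x8100, vlan)  # 802.1Q tag, VID only
    hdr += struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     ip_bytes(sip), ip_bytes(dip))
    return hdr + ip + struct.pack("!HH", sport, dport)


def parse_frame(frame):
    """Return dst/src MAC, ethertype, VLAN id and, for IPv4 TCP/UDP, the 5-tuple.
    Returns None for frames too short to carry an Ethernet header."""
    if len(frame) < 14:
        return None
    dst, src, eth = struct.unpack("!6s6sH", frame[:14])
    off, vlan = 14, None
    if eth == 0x8100:  # tagged frame: TCI then the real ethertype
        if len(frame) < 18:
            return None
        tci, eth = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    rec = {"dst": mac_str(dst), "src": mac_str(src), "ethertype": eth, "vlan": vlan,
           "proto": None, "sip": None, "dip": None, "sport": None, "dport": None}
    if eth != 0x0800 or len(frame) < off + 20:
        return rec
    ihl = (frame[off] & 0x0F) * 4
    rec["proto"] = frame[off + 9]
    rec["sip"] = ".".join(str(x) for x in frame[off + 12:off + 16])
    rec["dip"] = ".".join(str(x) for x in frame[off + 16:off + 20])
    l4 = off + ihl
    if rec["proto"] in (6, 17) and len(frame) >= l4 + 4:
        rec["sport"], rec["dport"] = struct.unpack("!HH", frame[l4:l4 + 4])
    return rec


def classify(rec, my_mac=MY_MAC):
    """broadcast / multicast (I/G bit set) / unicast-to-me / unicast-foreign."""
    d = rec["dst"]
    if d == "ff:ff:ff:ff:ff:ff":
        return "broadcast"
    if int(d[:2], 16) & 1:
        return "multicast"
    return "unicast-to-me" if d == my_mac else "unicast-foreign"


def summarize(frames, my_mac=MY_MAC):
    """Count frames per class; a large unicast-foreign share on an access port is
    the condition the post describes."""
    counts = {"broadcast": 0, "multicast": 0, "unicast-to-me": 0, "unicast-foreign": 0}
    for f in frames:
        rec = parse_frame(f)
        if rec:
            counts[classify(rec, my_mac)] += 1
    return counts


def one_way_foreign_flows(frames, my_mac=MY_MAC):
    """Foreign unicast (src MAC, dst MAC) pairs whose reverse direction never
    appeared in the capture, with the frame count for each."""
    seen = defaultdict(int)
    for f in frames:
        rec = parse_frame(f)
        if rec and classify(rec, my_mac) == "unicast-foreign":
            seen[(rec["src"], rec["dst"])] += 1
    return {k: n for k, n in seen.items() if (k[1], k[0]) not in seen}


# Constructed sample capture (all addresses made up).
SAMPLE_FRAMES = [
    # PC -> jetdirect printer, port 9100, three frames, printer's replies never seen
    build_frame("00:0e:7f:11:11:11", "00:aa:aa:aa:aa:01", "10.0.10.5", "10.0.10.200", 6, 50123, 9100),
    build_frame("00:0e:7f:11:11:11", "00:aa:aa:aa:aa:01", "10.0.10.5", "10.0.10.200", 6, 50123, 9100),
    build_frame("00:0e:7f:11:11:11", "00:aa:aa:aa:aa:01", "10.0.10.5", "10.0.10.200", 6, 50123, 9100),
    # SNMP poll on the tagged VLAN, one way only
    build_frame("00:bb:bb:bb:bb:02", "00:bb:bb:bb:bb:01", "10.0.20.7", "10.0.20.10", 17, 40001, 161, vlan=20),
    # SSH session seen in both directions: not reported as one-way
    build_frame("00:cc:cc:cc:cc:02", "00:cc:cc:cc:cc:01", "10.0.10.21", "10.0.10.22", 6, 44000, 22),
    build_frame("00:cc:cc:cc:cc:01", "00:cc:cc:cc:cc:02", "10.0.10.22", "10.0.10.21", 6, 22, 44000),
    # ARP broadcast and a frame actually addressed to the sniffer: both ignored
    mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes("00:aa:aa:aa:aa:01") + struct.pack("!H", 0x0806) + bytes(28),
    build_frame(MY_MAC, "00:aa:aa:aa:aa:01", "10.0.10.5", "10.0.10.9", 6, 50124, 22),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_FRAMES))
    for (src, dst), n in one_way_foreign_flows(SAMPLE_FRAMES).items():
        print(f"one-way foreign unicast {src} -> {dst}: {n} frame(s)")
```

On the sample input the report lists the jetdirect and SNMP flows and leaves out the SSH session, because its return frames were captured as well. Run against a real capture from the affected port, the same report tells you how much of the traffic on the port is flooded unicast and which (src, dst) pairs are affected, which is the data to bring to the switch's MAC table before forming a theory about the cause.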