Switches, Hubs, and Modems
cancel
Showing results for 
Search instead for 
Did you mean: 

HP 2650 switch weird behaviour

SOLVED
Go to solution
Heyse Pieterjan
Occasional Visitor

HP 2650 switch weird behaviour

Since a week our switch is acting very weird. When I sniff the traffic on a port, I get all the network traffic. It seems like our sitch is working like a hub. Is there any option that can be wrong, or what can cause this kind of behaviour?
6 REPLIES
Jason Luckett
Frequent Advisor

Re: HP 2650 switch weird behaviour

Hi

Have mirrored the port you are trying to analyze in the correct group ?

Port mirroring on a 2650/2650-PWR for monitoring are in two groups, these are:

1-24 and 49
25-48 and 50

the port groupings are a representation of port to netswitch ASIC within this model of switch.

I hope this helps,

Jase

Jason Luckett
Frequent Advisor

Re: HP 2650 switch weird behaviour

Hi,

Have you checked that monitoring is enabled on the switch and the correct port/ports are set to be monitored.


If you do a "show monitor" command, to see what ports are being used and if monitoring is on.

Try removing and recreating the mirror again by using the following commands.

[no] mirror-port [< port-num >]
[no] interface ethernet < monitor-list > monitor

These are run from the Global and Interface context respectively, ensuring you choose the correct groups.

I hope this helps,

Jase
Heyse Pieterjan
Occasional Visitor

Re: HP 2650 switch weird behaviour

I'm not using port mirroring, that's why I'm so worried.

I reset the switch and the weird behaviour is over. Can a short-circuit cause this kind of behaviour?
Jason Luckett
Frequent Advisor
Solution

Re: HP 2650 switch weird behaviour

Hi,

I have never heard of short circuits within the switch backplane, but it might be worth mointoring the logs to see if any unusal entries happen.

Also I would recommend updating the software to the latest version if it is not up to date, this can be found at:

http://www.hp.com/rnd/software/j49008106.htm

regards,

Jase
Ali Hamidi
Occasional Visitor

Re: HP 2650 switch weird behaviour

At the risk of "crying wolf" this could be a result of some kind of ARP Spoofing/Poisoning, which can result in a switch acting as a hub and broadcasting all traffic to all ports.

There are quite a few apps out there that simplify this attack such as Cain & Abel, so you might want to run a packet capture to see if anything suspicious is going on.

You can find more info on on ARP (Cache) Poisoning here: http://en.wikipedia.org/wiki/ARP_spoofing

Ali
Matt Hobbs
Honored Contributor

Re: HP 2650 switch weird behaviour

If the mac-address table on the switch is full, then it will start flooding. This is unlikely unless a rogue user has intentionally attacked it. You can configure port-security to limit the amount of mac-addresses learned on a port.

Another reason this can occur is if spanning-tree is enabled and the topology changes keeps increasing.

Check 'show mac-address' and 'show span' status. If it happens again capture a 'show tech all' while it occurs.