Promiscuous Ports on 2824

SOLVED
Kevin Wigle
Occasional Contributor

Promiscuous Ports on 2824

Just recently, an SNMP monitoring application we use is showing "Promiscuous Mode Enabled" on every port of a particular 2824 switch.

There is another 2824 directly connected to this switch and it doesn't show "promiscuous".

Other 2824s in other parts of our network don't show "promiscuous". There is nothing evident in the configs to show port mirroring/monitoring etc. The configs are very small and easy to compare and I can't see why the switch is "different".

Can anyone suggest why this switch is indicating Promiscuous mode?

Kevin
4 REPLIES
Matt Hobbs
Honored Contributor

Re: Promiscuous Ports on 2824

Can you find out from the monitoring application exactly what it looks for to determine that a device is in "Promiscuous Mode Enabled"?

If you can't find out this information, then I'd factory reset the switch using the clear and reset button combination, and re-enter the configuration.

Although I don't know exactly what it could be, it's possible that some other SNMP application made some changes via SNMP that enabled this 'promiscuous mode' which would not be reflected in the running-config.

What you could do on the switch is run the following command and capture the output via TFTP:

'copy command-output "walkmib 1" tftp'

Run the same command on the other 2824, and then using ExamDiff compare the difference of the two files.

ExamDiff: http://www.prestosoft.com/edp_examdiff.asp

You should then be able to see all the differences between the two switches including changes that may have been made via SNMP.
Kevin Wigle
Occasional Contributor

Re: Promiscuous Ports on 2824

I have already posted a question to our SNMP Application forum with no reply yet.

This particular switch is in a server farm that is in the middle of a large NT to W2K3 migration so I'm not sure I will be allowed to do anything to it at the moment.

Other reading on the net suggests that a sniffing/analyzer application is running somewhere. It mentions that applications are able to turn on "promiscuous mode". This was generally on NICs on servers but is this also possible for HP switches?

As far as I can tell there is no command in HP to turn this mode on. Are you suggesting that an SNMP command could enable this mode?

That would indicate somewhat of a security issue and it would be good to know how to prevent/control this. With all ports in promiscuous mode the switch is now essentially a hub.

I definitely want to try your suggestion (sounds like good investigative fun) but I am constrained by the migration at the moment. In the meanwhile can you (or anyone else out there) provide an example of an application or simple SNMP command that could put this switch in promiscuous mode?

I may be able to mock this up in our lab. If I can put a lab 2824 into promiscuous mode this would certainly be a good indication.

thanks for your insight!

Hopefully we can learn more from this.

Kevin
Matt Hobbs
Honored Contributor
Solution

Re: Promiscuous Ports on 2824

I just found this:

ifPromiscuousMode OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object has a value of false(2) if this interface only
accepts packets/frames that are addressed to this station.
This object has a value of true(1) when the station accepts
all packets/frames transmitted on the media. The value
true(1) is only legal on certain types of media. If legal,
setting this object to a value of true(1) may require the
interface to be reset before becoming effective.

The value of ifPromiscuousMode does not affect the reception
of broadcast and multicast packets/frames by the interface."


So on the switch, type in 'walkmib ifPromiscuousMode' and see what it returns. The physical ports should return 1 by default, the VLAN interfaces will return 2.
Kevin Wigle
Occasional Contributor

Re: Promiscuous Ports on 2824

Just got this from the application guys:

*****

Is the other 2824 switch being probed using SNMPv1? The application only checks the "ifPromiscuousMode" variable when probing a device with SNMPv2c or SNMPv3, so you will never see the promiscuous mode warning when probing with SNMPv1.

ifPromiscuousMode "has a value of true(1) when the station accepts all packets/frames transmitted on the media."

For the interfaces on a switch, this is the normal mode of operation. A switch needs to receive all packets on its interfaces so it can forward them if necessary. For interfaces on a server or router, an interface would only be in promiscuous mode if it was running packet sniffing software.

> Being in red must mean that the application wants me to be aware.

I have filed an ER to have this removed when the device is known to be a switch. It's normal for a switch to have interfaces in promiscuous mode.

*****

So what's different between yours and theirs (I think) is that you say that "false" is the normal mode but they say "true" is the normal mode.

I think they got it backwards as after checking other switches (Cisco, etc.) anything using the SNMP v2 probe has the same warning.

I would need someone else using an application that checks for this to say if it also finds this mode active on switches.

I would have to convince the application guys that they may have it wrong.

thanks again, I think we're closing in on it.

Kevin
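The two checks discussed in this thread (the ifPromiscuousMode values a switch normally returns, and the monitoring application's rule of only raising the warning under SNMPv2c/v3 and suppressing it on switches) as an added example, not code from the original posts or from HP or the monitoring vendor. The walkmib output format, the ifIndex numbers and the ifType mapping are constructed assumptions for illustration.

```python
import re
from typing import Dict, List

# Constructed sample of 'walkmib ifPromiscuousMode' output. The line format is an
# assumption modelled on ProCurve walkmib style, not captured from a real switch.
SAMPLE_WALK = """\
ifPromiscuousMode.1 = 1
ifPromiscuousMode.2 = 1
ifPromiscuousMode.3 = 1
ifPromiscuousMode.24 = 1
ifPromiscuousMode.4001 = 2
"""

# Constructed ifType values per ifIndex (IF-MIB IANAifType numbers):
# 6 = ethernetCsmacd (physical port), 53 = propVirtual (VLAN interface).
ETHERNET_CSMACD = 6
PROP_VIRTUAL = 53
SAMPLE_IFTYPE = {1: ETHERNET_CSMACD, 2: ETHERNET_CSMACD, 3: ETHERNET_CSMACD,
                 24: ETHERNET_CSMACD, 4001: PROP_VIRTUAL}

LINE_RE = re.compile(r"ifPromiscuousMode\.(\d+)\s*=\s*(\d+)")


def parse_walk(text: str) -> Dict[int, bool]:
    """Map ifIndex -> True when ifPromiscuousMode is true(1), False for false(2)."""
    result: Dict[int, bool] = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            result[int(m.group(1))] = int(m.group(2)) == 1
    return result


def switch_baseline_deviations(walk: Dict[int, bool], iftype: Dict[int, int]) -> List[int]:
    """Baseline from the thread: physical ports return true(1), VLAN interfaces false(2).
    Returns the ifIndexes that do not match; on a healthy switch this is empty."""
    expected = {ETHERNET_CSMACD: True, PROP_VIRTUAL: False}
    return [idx for idx, prom in sorted(walk.items())
            if iftype.get(idx) in expected and expected[iftype[idx]] != prom]


def promiscuous_warnings(walk: Dict[int, bool], is_switch: bool, snmp_version: str) -> List[int]:
    """Monitoring rule as described by the application vendor: the object is only
    checked under SNMPv2c/v3, and (per the filed ER) no warning for a known switch."""
    if snmp_version.lower() not in ("v2c", "v3") or is_switch:
        return []
    return sorted(idx for idx, prom in walk.items() if prom)
```

Run against the constructed sample, the baseline check returns no deviations, while the warning rule reports every physical port when the device is probed with v2c and not classified as a switch, which is exactly the false positive the thread ends on.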