
Switch detection


Sparda


Many managed switches are able to detect if another switch (managed or otherwise) is connected to one of its ports.

I'm curious if anyone knows what technique these switches use to detect other switches but without any additional computers connected.

Once two or more computers are connected to the switch it's obvious, but I'm talking about if the switch is connected to one or fewer computers.

At the (I think) transport layer, the managed switch could flip back and forth between uplink and non-uplink port at initial connection a few times. Since any modern switch will automatically correct this 'error', that would make that device suspect if the device at the other end corrected the managed switch's 'mistake'.

The only protocol that switches care about is ARP. I wonder if switches somehow act differently to computers in some way when handling ARP broadcasts.

Link to comment

Many managed switches are able to detect if another switch (managed or otherwise) is connected to one of its ports.

Do you have an example of this? I can't remember that I have seen such a feature, at least not on an unmanaged switch, but I don't manage switches that often.

Managed switches do have certain switch protocols like spanning tree and network discovery protocols which are probably used for it.

The point about swapping the connector pairs in the port and seeing how the other device acts on this probably doesn't work, since most newer network interfaces also have this ability.

Link to comment

Switches have a port just for chaining them. No need for crossover cables (I think). Most likely, this is how they know, but I don't see how it makes a difference. The device looks in its ARP cache for connected devices and routes packets accordingly. When it doesn't have it in its list, it sends out a broadcast to all attached devices and they send back who they are, it then adds the device to its ARP list, then when a request is made, it sends the packets to only the targeted endpoint. If you want to reach another switch, you just need to know its IP address to reach it and if it's attached to the one switch, it adds it to its ARP list/cache and so on.

Link to comment

That is wrong, digip. A normal layer 2 switch (which I presume we are talking about, unless otherwise mentioned) doesn't have any ARP table, and doesn't send any packets at all on its own.

ARP is used for having a relation between IP addresses and MAC addresses, and since layer 2 switches aren't aware of IP addresses, they don't use ARP. Instead they have a list of which port they last saw a certain MAC address at.

Normal unmanaged switches don't have an IP address; you have to get a layer 3 switch in order to have that.

Link to comment

That is wrong, digip. A normal layer 2 switch (which I presume we are talking about, unless otherwise mentioned) doesn't have any ARP table, and doesn't send any packets at all on its own.

ARP is used for having a relation between IP addresses and MAC addresses, and since layer 2 switches aren't aware of IP addresses, they don't use ARP. Instead they have a list of which port they last saw a certain MAC address at.

Normal unmanaged switches don't have an IP address; you have to get a layer 3 switch in order to have that.

Well, you are right about where the ARP cache was on the layers, but I was thinking more in terms of a router/switch, and not a bridge. Switch is just a name given to different devices such as a bridge or router; there are switches for multiple layers, often given names like stateful firewall, etc.

A switch can theoretically operate at multiple layers of the OSI model at any given time. The OSI model is not a real physical thing; it is just a theorized model for manufacturers to build their devices on for modularity and interoperability, and it gives network technicians a way to track down problems step by step along the way.

Switches will have their own ARP cache but they will also keep track of which MAC address is connected to which port on the switch. This can be seen with the show mac-address-table commands on a Cisco IOS switch.
- http://www.petri.co.il/csc_arp_cache.htm

On a Cisco switch or router, the ARP cache table looks like this:

SWITCH#show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.100.50              0  001e.c4fc.97ff  ARPA   Vlan1

- http://www.networkblueprints.com/troublesh...d-arp-cache-lan

If a switch is directly connected to another switch, it knows where the other switch is because of the device and MAC connected to its port, mapped from MAC address to the connecting port on the switch. If, say, the switch you need to talk to is 3 segments down the line and isn't directly connected to its port, then it has to send out a broadcast to all parties connected to it. The second switch sees the request, says "not me", and forwards it off to the next devices and segment. The 3rd switch says "hey, that's me, here is my info" and sends back the IP and MAC address. Switch 2 stores and forwards the info back to switch 1, and switch 1 is happy to see the info and adds it to its tables. Switch 2 and 1 now know who/where switch 3 is by both MAC and IP address (an ARP table/cache).

Switches, even primarily Layer 2 switches, can be aware of Layer 3 multicast and increase efficiency by delivering the traffic of a multicast group only to ports where the attached device has signaled that it wants to listen to that group.

http://en.wikipedia.org/wiki/OSI_model


http://www.networkblueprints.com/troublesh...d-arp-cache-lan

Link to comment

STP or "Spanning Tree Protocol" is commonly used to detect changes in network topology. If you Wireshark a network that has this in place you should see a somewhat regular stream of messages about it.

http://en.wikipedia.org/wiki/Spanning_tree_protocol

Most modern switches have Auto MDI/MDI-X (auto cross-over), which typically means that some other network hardware is there besides a computer.

http://en.wikipedia.org/wiki/Ethernet_cros...matic_crossover

I'm sure both of those would help it.

Link to comment

Just throwing in my 2 cents...

Yes, switches can use STP if it's enabled on them, and that only really needs to be the case if you have a network topology susceptible to routing loops. If you use VLANs, the switch could also recognize that it's connected to another switch if you enable VLAN trunking on one of the interfaces.

Now if we're talking Cisco proprietary networks, then they'll be able to use Cisco Discovery Protocol to find directly connected Cisco devices and information about them (type/version#/IP/etc).

There's more that can be said about the MAC address table (which isn't ARP), and looking to see if multiple IPs show up as the same MAC address (leading us to assume that those multiple devices are connected by another switch)...

...but now going back and reading boris's original question, if it's something like, "given a pretty barebones network topology with pretty much 2 switches connected to each other, how do they determine if the <cross-over or straight-through cable> is right for their setup based on the pin connections?" From a couple of minutes of looking, it seems that most modern NICs use "auto sensing" or "Universal Cable Recognition". I haven't come across an article yet that describes exactly how it works, but my guess is that as soon as a packet goes across the wire for the first time, the NICs on the switches sense which pair of wires was used to transmit and auto-adjust themselves for the correct configuration to listen on those pins and transmit on the others.

This link mentions auto-sensing towards the bottom: Ethernet crossover cable

OK, n/m, I went back and read again and don't think that was what boris was talking about in the first post....

Link to comment

  • 1 month later...

Generally, at least on Cisco stuff, it looks at how many MAC addresses you have on that port.

If you're looking for a way to get around this, get any old router and hook that up. You'll be able to hook up a switch to that, and since routers don't send any MAC address other than their own it will look like just 1 computer. You may have issues with other people trying to get onto your computer though, since you'll have a network that no router will point to. You'll be able to get out and onto other people's machines easily enough though.

As for the ARP thing, ARP is generally active and going out looking for MAC addresses. Switches don't need to do this; they just watch all ports and record the MAC address of the traffic that comes out of said ports. (It doesn't watch the destination MAC though, just the source.)

Link to comment
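The indicators raised across this thread (spanning tree frames, Cisco Discovery Protocol announcements, and more than one source MAC learned on a port) can be combined into a simple per-port check. The following is an added example, not code from any poster or switch vendor; the frame tuples, the `analyse` function and the one-MAC-per-port threshold are assumptions made for illustration, and the sample traffic is constructed.

```python
from collections import defaultdict

STP_BRIDGE_GROUP = "01:80:c2:00:00:00"   # IEEE 802.1D BPDU destination address
CDP_MULTICAST = "01:00:0c:cc:cc:cc"      # Cisco Discovery Protocol destination address
MAX_MACS_PER_PORT = 1                    # assumed policy: one host per access port


def analyse(frames, max_macs=MAX_MACS_PER_PORT):
    """Return {port: sorted indicators} for (port, src_mac, dst_mac) frames."""
    learned = defaultdict(set)      # port -> source MACs seen on that port
    indicators = defaultdict(set)
    for port, src, dst in frames:
        src, dst = src.lower(), dst.lower()
        learned[port].add(src)      # MAC learning uses the source address only
        if dst == STP_BRIDGE_GROUP:
            indicators[port].add("stp-bpdu")
        elif dst == CDP_MULTICAST:
            indicators[port].add("cdp")
    for port, macs in learned.items():
        if len(macs) > max_macs:
            indicators[port].add("multiple-macs")
    return {port: sorted(indicators[port]) for port in learned}


# Constructed sample traffic: (ingress port, source MAC, destination MAC)
SAMPLE_FRAMES = [
    (1, "00:11:22:33:44:01", "ff:ff:ff:ff:ff:ff"),   # single PC
    (2, "00:11:22:33:44:02", "ff:ff:ff:ff:ff:ff"),   # two hosts behind an unmanaged switch
    (2, "00:11:22:33:44:03", "00:11:22:33:44:01"),
    (3, "00:AA:BB:CC:DD:01", "01:80:C2:00:00:00"),   # managed switch sending BPDUs
    (4, "00:AA:BB:CC:DD:02", "01:00:0C:CC:CC:CC"),   # Cisco device announcing via CDP
    # One MAC only: a lone host and an unmanaged switch with a single
    # host behind it are indistinguishable to this check.
    (5, "00:11:22:33:44:05", "00:11:22:33:44:01"),
]

if __name__ == "__main__":
    for port, found in sorted(analyse(SAMPLE_FRAMES).items()):
        print(f"port {port}: {', '.join(found) or 'no indicators'}")
```

Port 5 shows the limit the original question points at: with one or fewer hosts attached, MAC counting sees nothing unusual, so only control-plane frames such as BPDUs or CDP reveal the downstream device.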
