Cracking Open A 24-port Switch So You Don’t Have To


[Kenneth Finnegan’s] post about this 24-Port HP ProCurve 2824 Ethernet Switch teardown was a delight to read. He’s taking an introduction to networking class at California Polytechnic State University. One of their labs included virtual machines shooting thousands of new MAC addresses at the thing all at once. Despite it’s ability to switch data at a blazing fast rate, it’s ability to deal with that many new hardware identifiers was less than impressive. He wanted to find out why and it just so happened he had one of these in his parts bin at home (which he refers to as if it’s a high-powered RPG character).

The mainboard is divided into three major blocks: the power supply, the switching hardware, and the processor that makes this a manged switch. Although he covers all of these pieces (and the switching stuff is very interesting to learn about) it is the processor section that was causing the aforementioned slowdown. It’s a 266MHz PowerPC chip with a measly 64 MB of RAM. Of course this doesn’t need to be any more powerful since all traffic from previously ‘learned’ MAC addresses gets handled by the switching block and never touches the processor portion.

Don’t miss the end of his post where he discusses how the filtering caps, and semi-isolated ground planes help to tame the beast created from all of this high-speed switching.

14 thoughts on “Cracking Open A 24-port Switch So You Don’t Have To

  1. I’ve always wondered, if you are able to flood a switch’s MAC table, would it start broadcasting out all ports since it would overwrite the relevant MAC/Port mappings to save the newest (spam) entries due to the table being finite in size?

    1. Yes. It is a directed attack against switches. Once their MAC switching table is full it then floods (the proper term) all frames that has a MAC it does not recognize out all ports except the originating one. This attack is useful to see the local network structure, along with all local traffic that would normally no be available for capture.

      Different switches vary, but it usually drops MAC addresses after 2-10 minutes of disuse. This is why there is so much damn ARP traffic on your network when nobody is producing frames. I know not of any switches that overwrite old entries in the table when full.

      1. Most managed switches like this will support some form of port security to help with these attacks.
        You can set port security to only allow 1-2 MAC addresses per port. On a 24 port switch your worst case scenario for having to update your CAM tables would be 48 MAC addresses.

  2. Nice article overall, but i wouldn’t say that the only cause is the CPU/bus speed. Even if that is a bottleneck, i tend to think that the “issue” could be just a result of software design. I mean, the firmware could just be updating the tables 100 or 50 times per second. This imho would make more sense than just rewriting them each time 1 single new mac address is detected and the overall performance would be perfectly reasonable as the switch is not intended to work with so many different macs.
    A bad software can make an excellent piece of hardware slow as hell and the fastest you go the easier is to make a small mistake that adds some unintended latency.
    So, I may be completely wrong but i think that this may just be by design.

    1. Yes really. It is when you want to manage the flow of skin mites to only the users that are addressed on the network.

      There is also a rare packet condition where your internetwork messages become overly saturated with bugs. It eventually infects the infrastructure equipment. I hear it is prevalent in MS Domain controllers and knockoff Chinese hardware. They are so brazen in this new mange switch attack that they openly sell them as such:

      No doubt hoping ignorant people like yourself are not aware of the severe condition and think it was just a typo of the word ‘managed’.

  3. hearing that a 266 power pccpu and 64 mb of ram is under powered and poor makes me appreciate the ancient powerbook G3 233 in my basement :) I used to photoshop a lot in that machine.

    we have a lot of processing luxury these days.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.