[Kenneth Finnegan’s] post about this 24-Port HP ProCurve 2824 Ethernet Switch teardown was a delight to read. He’s taking an introduction to networking class at California Polytechnic State University. One of their labs included virtual machines shooting thousands of new MAC addresses at the thing all at once. Despite its ability to switch data at a blazing fast rate, its ability to deal with that many new hardware identifiers was less than impressive. He wanted to find out why, and it just so happened he had one of these in his parts bin at home (which he refers to as if it’s a high-powered RPG character).
The mainboard is divided into three major blocks: the power supply, the switching hardware, and the processor that makes this a manged switch. Although he covers all of these pieces (and the switching stuff is very interesting to learn about) it is the processor section that was causing the aforementioned slowdown. It’s a 266MHz PowerPC chip with a measly 64 MB of RAM. Of course this doesn’t need to be any more powerful since all traffic from previously ‘learned’ MAC addresses gets handled by the switching block and never touches the processor portion.
Don’t miss the end of his post where he discusses how the filtering caps, and semi-isolated ground planes help to tame the beast created from all of this high-speed switching.
14 thoughts on “Cracking Open A 24-port Switch So You Don’t Have To”
Hell yeah, my alma mater! I graduated with a degree in EE though…
I’ve always wondered, if you are able to flood a switch’s MAC table, would it start broadcasting out all ports since it would overwrite the relevant MAC/Port mappings to save the newest (spam) entries due to the table being finite in size?
Yes. It is a directed attack against switches. Once their MAC switching table is full it then floods (the proper term) all frames that have a MAC it does not recognize out all ports except the originating one. This attack is useful to see the local network structure, along with all local traffic that would normally not be available for capture.
Different switches vary, but it usually drops MAC addresses after 2-10 minutes of disuse. This is why there is so much damn ARP traffic on your network when nobody is producing frames. I know not of any switches that overwrite old entries in the table when full.
Most managed switches like this will support some form of port security to help with these attacks.
You can set port security to only allow 1-2 MAC addresses per port. On a 24 port switch your worst case scenario for having to update your CAM tables would be 48 MAC addresses.
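The table-full flooding and the per-port MAC limit discussed in the comments above, as an added toy model (not the article's, the commenters' or HP's code). The 1024-entry table, 300 s aging timer, port numbers and MAC values are constructed; the no-overwrite rule and the two-MACs-per-port limit follow the thread.

```python
class LearningSwitch:
    """Toy learning switch for the thread above (added example; constructed
    numbers, not the ProCurve's real table size or firmware behaviour)."""

    def __init__(self, ports=24, capacity=1024, aging=300, max_per_port=None):
        self.ports, self.capacity, self.aging = ports, capacity, aging
        self.max_per_port = max_per_port  # port security: None = disabled
        self.table = {}       # mac -> (port, last_seen)
        self.violations = {}  # port -> frames refused by port security

    def _expire(self, now):
        # Entries unused longer than the aging timer are dropped (2-10 min in practice).
        for mac, (_, seen) in list(self.table.items()):
            if now - seen > self.aging:
                del self.table[mac]

    def forward(self, src, dst, in_port, now):
        """Learn src on in_port, return the set of egress ports for the frame."""
        self._expire(now)
        if src in self.table:
            self.table[src] = (in_port, now)  # refresh a known entry
        else:
            learned_here = sum(1 for p, _ in self.table.values() if p == in_port)
            if self.max_per_port is not None and learned_here >= self.max_per_port:
                self.violations[in_port] = self.violations.get(in_port, 0) + 1
                return set()  # port security violation: drop, learn nothing
            if len(self.table) < self.capacity:
                self.table[src] = (in_port, now)
            # Table full: the new MAC is simply not learned; old entries survive.
        if dst in self.table:
            return {self.table[dst][0]}
        return set(range(1, self.ports + 1)) - {in_port}  # unknown dst: flood


def simulate(port_security):
    """Constructed scenario: 1500 bogus source MACs arrive on port 1, then host A
    (port 3) talks to host B (port 4); neither host had been learned yet."""
    sw = LearningSwitch(max_per_port=2 if port_security else None)
    for i in range(1500):
        bogus = f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"
        sw.forward(bogus, "ff:ff:ff:ff:ff:ff", in_port=1, now=1)
    host_a, host_b = "00:11:22:33:44:55", "00:11:22:33:44:66"
    sw.forward(host_a, host_b, in_port=3, now=2)          # B unknown: flooded either way
    reply = sw.forward(host_b, host_a, in_port=4, now=2)  # unicast only if A got learned
    return {"table_size": len(sw.table), "reply_egress": sorted(reply),
            "violations": sw.violations.get(1, 0)}
```

Without port security the table fills with bogus entries, host A is never learned, and B's reply is flooded out 23 ports; with the two-per-port limit the table holds four entries, the reply goes only to port 3, and the 1498 refused frames on port 1 are the signal a monitoring system would alarm on.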
Nice article overall, but I wouldn’t say that the only cause is the CPU/bus speed. Even if that is a bottleneck, I tend to think that the “issue” could be just a result of software design. I mean, the firmware could just be updating the tables 100 or 50 times per second. This imho would make more sense than just rewriting them each time 1 single new mac address is detected and the overall performance would be perfectly reasonable as the switch is not intended to work with so many different macs.
Bad software can make an excellent piece of hardware slow as hell, and the faster you go the easier it is to make a small mistake that adds some unintended latency.
So, I may be completely wrong but I think that this may just be by design.
My tests indicated that the switch has a 32 frame buffer for processing new MAC addresses, so it would capture the first 32 new MACs, then miss all the frames until eventually capturing another 32 consecutive frames.
A “manged switch”? Really?
Yes really. It is when you want to manage the flow of skin mites to only the users that are addressed on the network.
There is also a rare packet condition where your internetwork messages become overly saturated with bugs. It eventually infects the infrastructure equipment. I hear it is prevalent in MS Domain controllers and knockoff Chinese hardware. They are so brazen in this new mange switch attack that they openly sell them as such:
No doubt hoping ignorant people like yourself are not aware of the severe condition and think it was just a typo of the word ‘managed’.
That was a cool start but a completely horrible ending. No need for personal attacks here. No need for gramer nazzis either.
Hearing that a 266 PowerPC CPU and 64 MB of RAM is underpowered and poor makes me appreciate the ancient PowerBook G3 233 in my basement :) I used to Photoshop a lot on that machine.
We have a lot of processing luxury these days.
I’ve said it on your blog but I’ll repeat: Awesome post.
Almost looks like there’s an unpopulated backplane connector on that switch board such that the other 2 XAUI HiGig links could be connected to other switch boards.
I like that theory the most. That makes a lot of sense.