Mailing List Archive

MLXe-16 forwards unicast traffic to wrong port
Hi Community,

I have a MLXe-16 box with a lot of customers connected to it.
Customers are connected to switched ports in VLAN 777. Also in the same
VLAN there is a monitoring server. Today I accidentally noticed that
I'm receiving strange traffic on my monitoring server. I started tcpdump:

18:19:45.315620 00:25:9e:17:57:d4 > 00:22:56:bb:0a:7f, ethertype 802.1Q (0x8100), length 122: vlan 777, p 0, ethertype IPv4, 92.49.205.169.59870 > 178.216.123.174.45198: UDP, length 76
18:19:45.317229 90:e2:ba:1e:13:c8 > 00:22:56:bb:0a:7f, ethertype 802.1Q (0x8100), length 66: vlan 777, p 0, ethertype IPv4, 194.8.144.83.34028 > 5.104.42.121.46683: UDP, length 20
18:19:45.317961 00:21:59:a9:6e:c4 > 00:22:56:bb:0a:7f, ethertype 802.1Q (0x8100), length 106: vlan 777, p 0, ethertype IPv4, 195.211.161.142.50403 > 5.104.57.203.63827: UDP, length 60

All four MAC addresses in this output belong to my customers, and all of them
are learned and present in the MAC table:

telnet@lsr1-gdr.ki#show mac | i 0025.9e17.57d4|0022.56bb.0a7f|90e2.ba1e.13c8|0021.59a9.6ec4
0025.9e17.57d4 7/11 0 777
0021.59a9.6ec4 10/8 0 777
0022.56bb.0a7f 9/8 0 777
90e2.ba1e.13c8 3/7 0 777

The monitoring server is connected to port 7/23; it has a different MAC address, but it is
also receiving this traffic! That should not happen.

There is no port mirroring configured at the moment.
IronWare version is 5.6.0bT177.

What's wrong with my router? Any ideas?
Thanks in advance!

--
MINO-RIPE
_______________________________________________
foundry-nsp mailing list
foundry-nsp@puck.nether.net
http://puck.nether.net/mailman/listinfo/foundry-nsp
Re: MLXe-16 forwards unicast traffic to wrong port
On 06/19/14 18:32 +0300, Alexander Shikoff wrote:
>Hi Community,
>
>I have a MLXe-16 box with a lot of customers connected to it.
>Customers are connected to switched ports in VLAN 777. Also in the same
>VLAN there is a monitoring server. Today I accidentally noticed that
>I'm receiving strange traffic on my monitoring server. I started tcpdump:

When you say monitoring server, I assume that you are referring to an SNMP
management server, rather than a server connected to a monitor/mirror port.

>18:19:45.315620 00:25:9e:17:57:d4 > 00:22:56:bb:0a:7f, ethertype 802.1Q (0x8100), length 122: vlan 777, p 0, ethertype IPv4, 92.49.205.169.59870 > 178.216.123.174.45198: UDP, length 76
>18:19:45.317229 90:e2:ba:1e:13:c8 > 00:22:56:bb:0a:7f, ethertype 802.1Q (0x8100), length 66: vlan 777, p 0, ethertype IPv4, 194.8.144.83.34028 > 5.104.42.121.46683: UDP, length 20
>18:19:45.317961 00:21:59:a9:6e:c4 > 00:22:56:bb:0a:7f, ethertype 802.1Q (0x8100), length 106: vlan 777, p 0, ethertype IPv4, 195.211.161.142.50403 > 5.104.57.203.63827: UDP, length 60
>
>All four MAC addresses in this output belong to my customers, and all of them
>are learned and present in the MAC table:
>
>telnet@lsr1-gdr.ki#show mac | i 0025.9e17.57d4|0022.56bb.0a7f|90e2.ba1e.13c8|0021.59a9.6ec4
>0025.9e17.57d4 7/11 0 777
>0021.59a9.6ec4 10/8 0 777
>0022.56bb.0a7f 9/8 0 777
>90e2.ba1e.13c8 3/7 0 777
>
>The monitoring server is connected to port 7/23; it has a different MAC address, but it is
>also receiving this traffic! That should not happen.
>
>There is no port mirroring configured at the moment.
>IronWare version is 5.6.0bT177.
>
>What's wrong with my router? Any ideas?
>Thanks in advance!

Perhaps nothing. If those mac addresses happened to age out while you
weren't looking, then your switch should flood that ethernet traffic to all
members of the VLAN. In that case, if your interface on the monitoring
server were in promiscuous mode, you would see those frames.

It may also be an indication of a MAC flooding attack, or a network loop,
or something innocuous. Check the size of your MAC table to start with.

--
Dan White
Re: MLXe-16 forwards unicast traffic to wrong port
On Thu, Jun 19, 2014 at 11:54:05AM -0500, Dan White wrote:
> On 06/19/14 18:32 +0300, Alexander Shikoff wrote:
> >Hi Community,
> >
> >I have a MLXe-16 box with a lot of customers connected to it.
> >Customers are connected to switched ports in VLAN 777. Also in the same
> >VLAN there is a monitoring server. Today I accidentally noticed that
> >I'm receiving strange traffic on my monitoring server. I started tcpdump:
>
> When you say monitoring server, I assume that you are referring to an SNMP
> management server, rather than a server connected to a monitor/mirror port.
Yes, it's just an SNMP server. I wrote that there is no
monitor/mirror port configured at the moment.

> Perhaps nothing. If those mac addresses happened to age out while you
> weren't looking, then your switch should flood that ethernet traffic to all
> members of the VLAN. In that case, if your interface on the monitoring
> server were in promiscuous mode, you would see those frames.
Traffic is coming to the server continuously, so it does not look like
the MAC addresses are aging out.

> It may also be an indication of a MAC flooding attack, or a network loop,
> or something innocuous. Check the size of your MAC table to start with.
Nothing malicious.
The size of the MAC table in VLAN 777 is constant.

--
MINO-RIPE
Re: MLXe-16 forwards unicast traffic to wrong port
On 06/20/14 14:54 +0300, Alexander Shikoff wrote:
>On Thu, Jun 19, 2014 at 11:54:05AM -0500, Dan White wrote:
>> It may also be an indication of a MAC flooding attack, or a network loop,
>> or something innocuous. Check the size of your MAC table to start with.
>Nothing malicious.
>The size of the MAC table in VLAN 777 is constant.

Do you have 'mac-learn-disable' in your config? Do you perhaps have two
interfaces connected to your server bridging traffic?


--
Dan White
Re: MLXe-16 forwards unicast traffic to wrong port
On Fri, Jun 20, 2014 at 08:20:15AM -0500, Dan White wrote:
> On 06/20/14 14:54 +0300, Alexander Shikoff wrote:
> >On Thu, Jun 19, 2014 at 11:54:05AM -0500, Dan White wrote:
> >> It may also be an indication of a MAC flooding attack, or a network loop,
> >> or something innocuous. Check the size of your MAC table to start with.
> >Nothing malicious.
> >The size of the MAC table in VLAN 777 is constant.
>
> Do you have 'mac-learn-disable' in your config?
No.

> Do you perhaps have two
> interfaces connected to your server bridging traffic?
No.

The server is connected with one physical interface with some VLANs on it.
Nothing extraordinary.

--
MINO-RIPE