[f-nsp] Suspicious broadcast packets

Jorik Jonker Jorik.Jonker at eu.equinix.com
Fri Apr 8 04:52:22 EDT 2011


Hi all,

A supplier reports that one of the XMR4000's we administer for a customer is violating port security. Further investigation shows that the switch seems to have developed a habit to send suspicious broadcast packets to this supplier to and from a strange mac address [1]. It is very odd, since source/destination contain "parts" of the chassis mac (001b.edb1.1600), with a little bit shift in it. 

Is this some protocol we should have turned off, or could it be that a part of the switch is loosing itself?

Best regards,

Jorik Jonker

[1]:

Ethernet II, Src: 16:00:08:06:00:01 (16:00:08:06:00:01), Dst:ff:ff:00:1b:ed:b1 (ff:ff:00:1b:ed:b1)
    Destination: ff:ff:00:1b:ed:b1 (ff:ff:00:1b:ed:b1)
        Address: ff:ff:00:1b:ed:b1 (ff:ff:00:1b:ed:b1)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
    Source: 16:00:08:06:00:01 (16:00:08:06:00:01)
        Address: 16:00:08:06:00:01 (16:00:08:06:00:01)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
    Type: IP (0x0800)
    Trailer: 040001001BEDB11600D9AA1384000000000000D9AA138400...
Internet Protocol
    Version: 0
    Header length: 24 bytes
    Differentiated Services Field: 0x04 (DSCP 0x01: Unknown DSCP; ECN:0x00)
        0000 01.. = Differentiated Services Codepoint: Unknown (0x01)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total length: 1 bytes (bogus, less than header length 24)


This email is from Equinix Europe Limited or one of its associated/subsidiary companies. This email, and any files transmitted with it, contains information which is confidential, may be legally privileged and is solely for the use of the intended recipient. If you have received this email in error, please notify the sender and delete this email immediately.  Equinix Europe Limited.  Registered Office: Quadrant House, 4 Thomas More Square, London E1W 1YW.  Registered in England and Wales, No. 6293383.




More information about the foundry-nsp mailing list