[f-nsp] MLXe-16 forwards unicast traffic to wrong port

Dan White dwhite at olp.net
Thu Jun 19 12:54:05 EDT 2014


On 06/19/14 18:32 +0300, Alexander Shikoff wrote:
>Hi Community,
>
>I have an MLXe-16 box with a lot of customers connected to it.
>Customers are connected to switched ports in VLAN 777. Also in the same
>VLAN there is a monitoring server. Today I accidentally noticed that
>I'm receiving strange traffic on my monitoring server. I started tcpdump:

When you say monitoring server, I assume that you are referring to an SNMP
management server, rather than a server connected to a monitor/mirror port.

>18:19:45.315620 00:25:9e:17:57:d4 > 00:22:56:bb:0a:7f, ethertype 802.1Q (0x8100), length 122: vlan 777, p 0, ethertype IPv4, 92.49.205.169.59870 > 178.216.123.174.45198: UDP, length 76
>18:19:45.317229 90:e2:ba:1e:13:c8 > 00:22:56:bb:0a:7f, ethertype 802.1Q (0x8100), length 66: vlan 777, p 0, ethertype IPv4, 194.8.144.83.34028 > 5.104.42.121.46683: UDP, length 20
>18:19:45.317961 00:21:59:a9:6e:c4 > 00:22:56:bb:0a:7f, ethertype 802.1Q (0x8100), length 106: vlan 777, p 0, ethertype IPv4, 195.211.161.142.50403 > 5.104.57.203.63827: UDP, length 60
>
>All four MAC addresses in this output belong to my customers, and all of them
>are learned and present in MAC table:
>
>telnet@lsr1-gdr.ki#show mac | i 0025.9e17.57d4|0022.56bb.0a7f|90e2.ba1e.13c8|0021.59a9.6ec4
>0025.9e17.57d4  7/11         0       777
>0021.59a9.6ec4  10/8         0       777
>0022.56bb.0a7f   9/8         0       777
>90e2.ba1e.13c8   3/7         0       777
>
>The monitoring server is connected to port 7/23; it has a different MAC address, but it is
>also receiving this traffic! That should not happen.
>
>There is no port mirroring configured at the moment.
>IronWare version is 5.6.0bT177.
>
>What's wrong with my router? Any ideas?
>Thanks in advance!

Perhaps nothing. If those MAC addresses happened to age out while you
weren't looking, then your switch should flood that Ethernet traffic to all
members of the VLAN. In that case, if your interface on the monitoring
server were in promiscuous mode, you would see those frames.

It may also be an indication of a MAC flooding attack, or a network loop,
or something innocuous. Check the size of your MAC table to start with.

-- 
Dan White
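
Added example, not part of the original thread: a small Python check that reads `tcpdump -e` output in the format quoted above and counts unicast frames addressed to some other host's MAC, which is what a host in promiscuous mode sees when the switch floods unknown unicast. The MAC addresses, IP addresses and capture lines are constructed, and `LOCAL_MAC` stands in for the monitoring server's NIC address, which the thread does not give.

```python
import re
from collections import Counter

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# Link-level header as printed by `tcpdump -e`: "<time> <src> > <dst>, ..."
HDR_RE = re.compile(rf"^\S+ ({MAC}) > ({MAC}),", re.I)
VLAN_RE = re.compile(r"\bvlan (\d+)")

def is_group(mac):
    """True for broadcast/multicast: I/G bit (LSB of first octet) is set."""
    return int(mac[:2], 16) & 1 == 1

def flooded_unicast(lines, local_macs):
    """Count unicast frames per (vlan, dst MAC) that this host neither sent
    nor is the destination of, i.e. frames it only sees because the switch
    flooded them (or mirrored them) to its port."""
    local = {m.lower() for m in local_macs}
    hits = Counter()
    for line in lines:
        m = HDR_RE.match(line.strip())
        if not m:
            continue  # not a frame line (e.g. wrapped payload output)
        src, dst = m.group(1).lower(), m.group(2).lower()
        if is_group(dst) or dst in local or src in local:
            continue  # expected traffic: broadcast/multicast or our own
        vlan = VLAN_RE.search(line)
        hits[(vlan.group(1) if vlan else None, dst)] += 1
    return hits

# Constructed values: LOCAL_MAC stands in for the monitoring server's NIC.
LOCAL_MAC = "02:00:00:00:00:01"
Q = "ethertype 802.1Q (0x8100)"
SAMPLE = [  # constructed capture lines in the format quoted in the thread
    f"18:19:45.315620 02:00:00:00:00:a1 > 02:00:00:00:00:b2, {Q}, length 122: "
    "vlan 777, p 0, ethertype IPv4, 192.0.2.10.59870 > 198.51.100.20.45198: UDP, length 76",
    f"18:19:45.317229 02:00:00:00:00:a3 > 02:00:00:00:00:b2, {Q}, length 66: "
    "vlan 777, p 0, ethertype IPv4, 192.0.2.11.34028 > 198.51.100.20.46683: UDP, length 20",
    f"18:19:45.318000 02:00:00:00:00:a1 > ff:ff:ff:ff:ff:ff, {Q}, length 64: "
    "vlan 777, p 0, ethertype ARP, Request who-has 192.0.2.1 tell 192.0.2.10, length 46",
    f"18:19:45.319000 02:00:00:00:00:a1 > 02:00:00:00:00:01, {Q}, length 102: "
    "vlan 777, p 0, ethertype IPv4, 192.0.2.10.161 > 192.0.2.99.40000: UDP, length 56",
]

if __name__ == "__main__":
    for (vlan, dst), n in flooded_unicast(SAMPLE, [LOCAL_MAC]).most_common():
        print(f"vlan {vlan}: {n} unicast frame(s) for foreign MAC {dst}")
```

Comparing the reported destination MACs against the switch's MAC table at the same moment shows whether the flooded addresses had aged out or were still listed as learned.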


