[f-nsp] MLXe-16 forwards unicast traffic to wrong port

[Alexander Shikoff]

On Thu, Jun 19, 2014 at 11:54:05AM -0500, Dan White wrote:
> On 06/19/14 18:32 +0300, Alexander Shikoff wrote:
> >Hi Community,
> >
> >I have a MLXe-16 box with a lot of customers connected to.
> >Customers are connected to switched ports in VLAN 777. Also in the same
> >VLAN there is monitoring server. Today I accidentally noticed that
> >I'm receiving strange traffic on my monitoring server. I started tcpdump:
> 
> When you say monitoring server, I assume that you are referring to an SNMP
> management server, rather than a server connected to a monitor/mirror port.
Yes, it's just SNMP server. I wrote that there is no any 
monitor/mirror port configured at a moment.
 
> Perhaps nothing. If those mac addresses happened to age out while you
> weren't looking, then your switch should flood that ethernet traffic to all
> members of the VLAN. In that case, if your interface on the monitoring
> server were in promiscuous mode, you would see those frames.
Traffic is coming to server continuously, thus it does not looks like
that MAC addresses age out.
 
> It may also be an indication of a MAC flooding attack, or a network loop,
> or something innocuous. Check the size of your MAC table to start with.
Nothing malicious.
The size of MAC table in VLAN 777 is constant.

-- 
MINO-RIPE