
Finding invalid MAC-addresses on a Catalyst switch

tbandion
Level 1

Recently we experienced a major increase in discarded packets on the sc0 interface. The reason for that was a lot of "unknown protocol" errors on that interface.

When capturing the traffic we discovered that someone or something is sending Ethernet frames with the source MAC-address 06:07:08:09:0A:0B to the destination MAC-address 00:01:02:03:04:05. The Ethertype is "0C0D" which is not a valid type (http://www.iana.org/assignments/ethernet-numbers). This looks artificially constructed but we cannot determine the source port where the frames are coming from because the source MAC starting with "06" is not present in the CAM-table.

Our environment consists of about 40 switches and this could come from anywhere within the network.

Is there any possibility (apart from unplugging all devices that are connected to that VLAN) to determine which switchport the frames are coming from?

Kind regards,

Thomas

Accepted Solutions

Thomas, unless someone comes up with a better way, I see a very tedious process.

I would sequentially span each feed port that leads to/from another network device and look for the offending traffic.

If it's found on a port, follow the link.

If it's not found on a port, start internal to the switch.

My guess is that you will find a failing NIC.

Good luck,

Scott
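Added example, not part of the original thread: one way to check each SPAN capture for the frame described in the question, so the port-by-port search does not depend on reading captures by eye. It assumes each capture is saved as a classic libpcap file; the capture labels and the sample frames are constructed for illustration.

```python
import struct

# Header values from the question; dst + src + EtherType are the bytes 00..0D in order.
SUSPECT_DST = bytes.fromhex("000102030405")
SUSPECT_SRC = bytes.fromhex("060708090a0b")
SUSPECT_ETHERTYPE = 0x0C0D

def iter_frames(pcap: bytes):
    """Yield raw frames from a classic libpcap file (not pcapng)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("capture is not Ethernet (linktype 1)")
    offset = 24  # skip the global header
    while offset + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[offset + 8:offset + 12])[0]
        offset += 16  # skip the per-record header
        yield pcap[offset:offset + incl_len]
        offset += incl_len

def is_suspect(frame: bytes) -> bool:
    """Match the dst/src/EtherType triple from the question; ignore truncated frames."""
    if len(frame) < 14:
        return False
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return dst == SUSPECT_DST and src == SUSPECT_SRC and ethertype == SUSPECT_ETHERTYPE

def count_suspects(captures: dict) -> dict:
    """Map each capture label to the number of suspect frames seen in it."""
    return {label: sum(is_suspect(f) for f in iter_frames(data))
            for label, data in captures.items()}

def make_pcap(frames):
    """Build a little-endian pcap in memory (constructed test data)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

# Constructed frames: an ordinary IPv4 broadcast and the frame from the question.
NORMAL = bytes.fromhex("ffffffffffff" "020000000001" "0800") + bytes(46)
BOGUS = SUSPECT_DST + SUSPECT_SRC + struct.pack("!H", SUSPECT_ETHERTYPE) + bytes(46)
SAMPLE = {"span-port-A": make_pcap([NORMAL, NORMAL]),
          "span-port-B": make_pcap([NORMAL, BOGUS, BOGUS])}

if __name__ == "__main__":
    print(count_suspects(SAMPLE))
```

A capture with a non-zero count marks the link to follow next; a zero count on every inter-switch link points back to the access ports of the local switch.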


6 Replies

ankurbhasin
Level 9

Hi Tbandion,

The best way could be to configure SPAN and capture the traffic to see which source it is coming from.

I am sure this will be some bad NIC generating this kind of packet.

Check this link

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_6_3/confg_gd/span.htm#25327

Regards,

Ankur

Hi Ankur,

Yes, but where?

It could be any port (in this VLAN) on the affected switch or also any port (in this VLAN) on any other of the 40 switches.

Regards,

Thomas

Hi Tbandion,

You can apply the SPAN session on your Cat6000 only. The SPAN session has the option for the sc0 interface also. So capture the traffic for the sc0 interface and see which IP address has this MAC address.

HTH

Ankur

Hi Ankur,

That is exactly the problem:

This is not IP-traffic. As described above the Ethernet protocol field shows "0C0D". This is an invalid Ethernet protocol.

Regards,

Thomas

Scott,

Thank you, we have started a similar approach.

Regards,

Thomas