06-21-2005 04:38 AM - edited 03-02-2019 11:10 PM
Recently we experienced a major increase in discarded packets on the sc0 interface. The reason for that were a lot of "unknown protocol" errors on that interface.
When capturing the traffic we discovered that someone or something is sending Ethernet frames with the source MAC-address 06:07:08:09:0A:0B to the destination MAC-address 00:01:02:03:04:05. The Ethertype is "0C0D" which is not a valid type (http://www.iana.org/assignments/ethernet-numbers). This looks artificially constructed but we cannot determine the source port where the frames are coming from because the source MAC starting with "06" is not present in the CAM-table.
Our environment consists of about 40 switches and this could come from anywhere within the network.
Is there any possibility (apart from unplugging all devices that are connected to that VLAN) to determine which switchport the frames are coming from?
Kind regards,
Thomas
Solved! Go to Solution.
06-21-2005 08:35 AM
Thomas, unless someone comes up with a better way, I see a very tedious process.
I would sequentially span each feed port that leads to/from another network device and look for the offending traffic.
If it's found on a port, follow the link.
If it's not found on a port, start internal to the switch.
My guess is that you will find a failing NIC.
Good luck,
Scott
06-21-2005 04:50 AM
Hi Tbandion,
The best way could be to configure SPAN and capture the traffic from which source it is coming from.
I am sure this will be some bad nic generating the kind of packet.
Check this link
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_6_3/confg_gd/span.htm#25327
Regards,
Ankur
06-21-2005 05:10 AM
Hi Ankur,
yes, but where?
it could be any port (in this VLAN) on the affected switch or also any port (in this VLAN) on any other of the 40 switches.
Regards,
Thomas
06-21-2005 05:15 AM
Hi Tbandion,
You can apply the span session on your cat6000 only. The span session has the option for sc0 interface also. So capture the traffic for sc0 interface and see which ip address has this mac address.
HTH
Ankur
06-21-2005 05:46 AM
Hi Ankur,
that is exactly the problem:
This is not IP-traffic. As described above the Ethernet protocol field shows "0C0D". This is an invalid Ethernet protocol.
Regards,
Thomas
06-21-2005 08:35 AM
Thomas, unless someone comes up with a better way, I see a very tedious process.
I would sequentially span each feed port that leads to/from another network device and look for the offending traffic.
If it's found on a port, follow the link.
If it's not found on a port, start internal to the switch.
My guess is that you will find a failing NIC.
Good luck,
Scott
06-21-2005 11:27 PM
Scott,
thank you, we have started a similar approach.
Regards,
Thomas
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide