02-14-2017 06:39 AM - edited 03-08-2019 09:19 AM
Hi Team,
I have a scenario where I'd like to fill up the N7010 CAM table using Kali Linux. Kali is installed on my MacBook Air as a VM, and I've bridged the interface to give my VM access to the NIC. When I use macof to generate tonnes of traffic from numerous src MAC/dst MAC, src IP/dst IP, I do not see anything in the MAC address table on the N7010 (SUP2E). But I do see traffic entering the port when I take a look at the statistics: 4000 pps at approx 5 Mbps. So I know traffic is coming in.
All I saw in the MAC address table was my physical Mac NIC and my VM NIC. Nothing else from the packets/frames generated by my VM.
Is it that NX-OS is using conversational MAC learning? Is this on by default, or is it off?
I tried to see if I could see the traffic being broadcast on other ports in the same VLAN, but tcpdump showed nothing, just the usual CDP/STP from the switch.
I did the very same test on a Cisco 3560, and I was able to fill up the CAM table.
Is there a difference in the way these devices/ASICs handle such frames?
Bilal
02-15-2017 02:58 AM
Managed to find out why.
Macof does not work on NX-OS with the default configuration because the forwarding engine performs packet sanity checks (its form of IDS). The forwarding engine, the switch-on-chip (SoC), sits on the F2 line card itself. This makes sense, since we do not see any broadcast from other ports.
Here are reference links for the future:
https://clnv.s3.amazonaws.com/2015/usa/pdf/BRKDCT-3102.pdf
no hardware ip verify tcp tiny-frag
no hardware ipv6 verify tcp tiny-frag
no hardware ip verify length maximum-tcp
no hardware ip verify length maximum-tcp
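The check the original poster did by eye (looking at `show mac address-table` for a port that suddenly carries hundreds of dynamic entries) is worth automating from the defender's side, since a CAM table that is filling up is the symptom that matters regardless of whether the tool used is macof or something else. The script below is an added example, not code from the thread or from Cisco; the sample `show mac address-table` output is constructed to resemble the NX-OS and IOS (3560-style) layouts, and the per-port threshold is an assumed value you would tune to the expected number of hosts behind each port.

```python
import re
from collections import Counter

# Constructed sample, modelled on NX-OS "show mac address-table" output.
# Eth1/1 carries four dynamic entries from different source MACs; Eth1/2 one.
SAMPLE_NXOS = """\
Legend:
        * - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
   VLAN     MAC Address      Type      age     Secure NTFY Ports
---------+-----------------+--------+---------+------+----+------------------
*   10     0050.56aa.0001   dynamic  0         F      F    Eth1/1
*   10     0050.56aa.0002   dynamic  0         F      F    Eth1/1
*   10     0050.56aa.0003   dynamic  0         F      F    Eth1/1
*   10     0050.56aa.0004   dynamic  0         F      F    Eth1/1
*   10     0050.56bb.0001   dynamic  0         F      F    Eth1/2
G   -      0000.0c9f.f00a   static   -         F      F    sup-eth1(R)
"""

# Constructed sample, modelled on the IOS layout a Catalyst 3560 prints.
SAMPLE_IOS = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0050.56cc.0001    DYNAMIC     Fa0/1
  10    0050.56cc.0002    DYNAMIC     Fa0/1
 All    0100.0ccc.cccc    STATIC      CPU
"""

# Cisco-style dotted-hex MAC, e.g. 0050.56aa.0001
MAC_RE = re.compile(r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}", re.I)


def parse_mac_table(text):
    """Return a list of {vlan, mac, type, port} dicts from either layout.

    Both NX-OS and IOS print the MAC as a single token, the VLAN just before
    it, the entry type just after it, and the port as the last token on the
    line, so the same tokenizer covers both without a layout-specific regex.
    """
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        for i, tok in enumerate(tokens):
            if MAC_RE.fullmatch(tok):
                entries.append({
                    "vlan": tokens[i - 1] if i > 0 else "-",
                    "mac": tok.lower(),
                    "type": tokens[i + 1].lower() if i + 1 < len(tokens) else "",
                    "port": tokens[-1],
                })
                break  # one entry per line
    return entries


def dynamic_macs_per_port(entries):
    """Count dynamically learned MACs per port; static/gateway entries are ignored."""
    return Counter(e["port"] for e in entries if e["type"] == "dynamic")


def flag_flooding_ports(entries, threshold):
    """Ports whose dynamic MAC count exceeds the assumed per-port threshold."""
    counts = dynamic_macs_per_port(entries)
    return sorted(port for port, n in counts.items() if n > threshold)


if __name__ == "__main__":
    for name, sample in (("NX-OS", SAMPLE_NXOS), ("IOS", SAMPLE_IOS)):
        entries = parse_mac_table(sample)
        print(name, dict(dynamic_macs_per_port(entries)))
        # Threshold of 3 is an assumed value for an access port with a single host.
        print("  ports over threshold:", flag_flooding_ports(entries, 3))
```

In practice you would feed the script the live output collected over SSH or from the switch's API at a short interval and alert on any access port whose dynamic count jumps well above the number of hosts it should serve; the mitigation that keeps the table from filling in the first place is port security with a `switchport port-security maximum` value sized to that host count, which the 3560 in the thread would have needed and which the N7010's default sanity checks happened to make unnecessary for this particular tool.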