01-13-2015 01:14 PM - edited 03-07-2019 10:12 PM
A couple of weeks back we experienced a packet storm on one of our VLANs. At the time it looked like a broadcast storm and we thought we had a bad device, so we swapped it out. Yesterday morning it occurred again on the same C3750x switch port with the new device. Now I'm thinking I have a bad switch port, but then we experienced the exact same situation on a different C3750 this morning.
On the first two events the volume of packets locked up Wireshark to the point where I couldn't capture them, but this time I was able to. The packets always originate from 00:02:01:00:00:00. I cannot say that the dest address is the same in all of these events. Here is a dump of the frame:
No.  Time         Source             Destination        Protocol  Length  Info
1    0.000000000  IfmElect_00:00:00  00:00:00_00:00:b8  0x4000    90      Ethernet II

Frame 1: 90 bytes on wire (720 bits), 90 bytes captured (720 bits) on interface 0
    Interface id: 0
    Encapsulation type: Ethernet (1)
    Arrival Time: Jan 13, 2015 09:40:02.121472000 Pacific Standard Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1421170802.121472000 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 90 bytes (720 bits)
    Capture Length: 90 bytes (720 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:data]
Ethernet II, Src: IfmElect_00:00:00 (00:02:01:00:00:00), Dst: 00:00:00_00:00:b8 (00:00:00:00:00:b8)
    Destination: 00:00:00_00:00:b8 (00:00:00:00:00:b8)
        Address: 00:00:00_00:00:b8 (00:00:00:00:00:b8)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: IfmElect_00:00:00 (00:02:01:00:00:00)
        Address: IfmElect_00:00:00 (00:02:01:00:00:00)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: Unknown (0x4000)
Data (76 bytes)

0000  00 01 33 33 00 00 00 16 a8 20 66 4a 18 03 86 dd   ..33..... fJ....
0010  60 00 00 00 00 24 00 01 fe 80 00 00 00 00 00 00   `....$..........
0020  aa 20 66 ff fe 4a 18 03 ff 02 00 00 00 00 00 00   . f..J..........
0030  00 00 00 00 00 00 00 16 3a 00 00 00 00 00 09 00   ........:.......
0040  00 5a 00 0e 00 00 00 00 00 00 00 00               .Z..........
    Data: 0001333300000016a820664a180386dd6000000000240001...
    [Length: 76]
The packets are identical, including the data. Only the frame number changes. When this occurs the port is emitting over 900K of these packets per second.
Do these MAC addresses mean anything to anyone, and does anyone have an idea of what to do next? With three events I'm fairly certain we'll see it again if we don't figure out what's causing it.
01-13-2015 03:44 PM
Some information gained by searching on the MAC address... Not sure if it will help.
01-13-2015 04:01 PM
Yes, I had researched that on the first event. I thought that was odd since an Apple Thunderbolt display was connected to the port. Even so, it did reoccur and I believe reported the same exact src MAC address on another switch, another port. Aside from that, Thunderbolt displays do use Apple-registered MAC addresses. The address itself looks suspect.
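An added example, not part of any post in this thread: a short Python decoder for the 76 data bytes in the dump above. It assumes (this is not stated anywhere in the thread) that the bytes after a 2-byte prefix are laid out like an ordinary Ethernet II header followed by IPv6; `PREFIX_LEN` and the function names are hypothetical. It goes slightly beyond the dump by also checking whether the inner source MAC matches the EUI-64 interface ID of the inner IPv6 source address.

```python
import ipaddress
import struct

# The 76 data bytes copied from the frame dump in the first post.
PAYLOAD = bytes.fromhex(
    "00 01 33 33 00 00 00 16 a8 20 66 4a 18 03 86 dd"
    "60 00 00 00 00 24 00 01 fe 80 00 00 00 00 00 00"
    "aa 20 66 ff fe 4a 18 03 ff 02 00 00 00 00 00 00"
    "00 00 00 00 00 00 00 16 3a 00 00 00 00 00 09 00"
    "00 5a 00 0e 00 00 00 00 00 00 00 00"
)
PREFIX_LEN = 2  # assumption: unknown 2-byte prefix before an inner Ethernet header

def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def mac_from_eui64(addr: ipaddress.IPv6Address):
    """Recover the MAC from a modified EUI-64 interface ID, or None if not EUI-64."""
    iid = addr.packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    return fmt_mac(bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:])

def decode_payload(payload: bytes, prefix_len: int = PREFIX_LEN) -> dict:
    inner = payload[prefix_len:]
    if len(inner) < 14:
        raise ValueError("too short for an Ethernet II header")
    ethertype = struct.unpack("!H", inner[12:14])[0]
    out = {
        "prefix": payload[:prefix_len].hex(),
        "inner_dst": fmt_mac(inner[:6]),
        "inner_src": fmt_mac(inner[6:12]),
        "ethertype": ethertype,
    }
    if ethertype == 0x86DD and len(inner) >= 54:  # 14 + fixed 40-byte IPv6 header
        ip = inner[14:54]
        plen, nxt, hop = struct.unpack("!HBB", ip[4:8])
        src = ipaddress.IPv6Address(ip[8:24])
        out.update(
            ip_src=str(src), ip_dst=str(ipaddress.IPv6Address(ip[24:40])),
            payload_len=plen, next_header=nxt, hop_limit=hop,
            bytes_after_ipv6=len(inner) - 54,  # less than payload_len => truncated
            eui64_mac=mac_from_eui64(src),
        )
    return out

if __name__ == "__main__":
    for key, value in decode_payload(PAYLOAD).items():
        print(f"{key:>17}: {value}")
```

Under that assumption the data carries an inner source MAC different from 00:02:01:00:00:00, and only 20 of the 36 bytes announced by the inner IPv6 payload length are present.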