stacking mac address talking on network

  • 0
  • 1
  • Problem
  • Updated 3 years ago
  • Solved
I am seeing a lot of traffic on our wireless network (Ruckus wlan) with Extreme Switches/Stacks. We are seeing a lot of traffic coming on our wired/wireless network with the source mac address being our mac addresses of our stacks.

The 'show stacking configuration' command shows the mac address in use, and we are seeing traffic with that MAC address to what appears to be everywhere. The ethertype is showing in Wireshark as 0x3800.



Depending on what my laptop is doing while I'm running wireshark, this type of traffic can be up to 25% of the packets captured.

I really want to know what this traffic is and why we're seeing it. This is all traffic that's hitting all of our devices on the network and I'm pretty sure it's not needed.
I've disabled EDP on the AP port that my laptop is connected to and I still see the traffic.

Any help would be greatly appreciated!

Thanks!
Photo of bw447

bw447

  • 966 Points 500 badge 2x thumb

Posted 3 years ago

  • 0
  • 1
Photo of Brandon Clay

Brandon Clay, Escalation Support Engineer

  • 13,486 Points 10k badge 2x thumb
That is definitely odd.

What version of EXOS are these switches running? Also, what models of switches are you seeing this on?

-Brandon
Photo of JeremyClarkson

JeremyClarkson

  • 1,030 Points 1k badge 2x thumb
What does it say in the protocol column of wireshark?

Thanks
Photo of bw447

bw447

  • 966 Points 500 badge 2x thumb
Thanks for the replies.
@Brandon
show version: ExtremeXOS version 15.5.2.9 v1552b9-patch1-5 by release-manager
This stack has 6 slots. The ToR is an x460 and the others are x440.

@Jeremy: It only shows the EthernetProto as the hex value 0x3800. There isn't anything higher up than that.

Again Thanks for the replies!
Photo of Brandon Clay

Brandon Clay, Escalation Support Engineer

  • 13,486 Points 10k badge 2x thumb
Did this capture come from the stack? If it did, we should expect the packet to come from a stack mac address (first octet is 0x02). Is this the mac of one of the switches in the stack?

-Brandon
Photo of bw447

bw447

  • 966 Points 500 badge 2x thumb
Hello Brandon,
This packet capture came from my laptop. I just ran wireshark and had it listen from the wireless card.



I ran the capture for 20 secs. I had no other apps open, but the captures shows 20% of the packets are these type (0x3800).
Photo of Brandon Clay

Brandon Clay, Escalation Support Engineer

  • 13,486 Points 10k badge 2x thumb
Is the destination address your PC's mac address? I'm curious if these are being sent to other devices as well.

Regardless, I'd suggest opening up a case with GTAC so that we can take a closer look into this behavior. 

-Brandon
Photo of Paul Russo

Paul Russo, Alum

  • 9,694 Points 5k badge 2x thumb
Hey Bw447 what is that destination MAC?  can you do a MAC find or trace it to see what that destination address is?


-P
Photo of bw447

bw447

  • 966 Points 500 badge 2x thumb

Hi Paul,

The destination mac is the mac for my wifi card.

Photo of Paul Russo

Paul Russo, Alum

  • 9,694 Points 5k badge 2x thumb
Hey Blake  Hmm it isn't coming across as a broadcast packet from what it looks like from the small print on the capture.  are you mirroring the port or are you just connected to the port and this seeing this on the port?  The question is why is it sending it to your specific MAC?  I would be less curious if it was a multicast or broadcast packet.

I think there are two questions to answer 1) what the heck is 0x3800 Ethertype? and 2) why is it sending it as a unicast to your PC?  Is ti doing it for each stations.

let us do some checking.  Also is the PC set up as promiscuous mode?

P

Photo of Paul

Paul

  • 2,026 Points 2k badge 2x thumb
Hi all, i am very interest in this topic.

How can we stop that traffic from the Extreme Switch?

i experienced some thing like this before.
ICMPv6 multicast listener report flood the whole network. 

From Intel NIC PC.
https://communities.intel.com/thread/48051
http://blog.michaelfmcnamara.com/2014/12/how-icmpv6-multicast-listener-reports-almost-spoiled-christ...

Thanks.
Photo of bw447

bw447

  • 966 Points 500 badge 2x thumb
Hello Paul,

Those are interesting articles. We are still investigating the problem. I'm more interested in upgrading to 15.7 and see if that takes care of the problem. I also want 15.7 because we can use python to create scripts and processes.
Photo of Paul

Paul

  • 2,026 Points 2k badge 2x thumb
Please keep it post. thanks.