nick at foobar.org
Sun Apr 19 13:32:12 CDT 2009
On 19/04/2009 08:31, Mikael Abrahamsson wrote:
> Well, as long as it simply drops packets and doesn't shut the port or
> some other "fascist" enforcement. We've had AMSIX complain that our
> Cisco 12k with E5 linecard was spitting out a few tens of packets per
> day during two months with random source mac addresses. Started
> suddenly, stopped suddenly. It's ok for them to drop the packets, but
> not shut the port in a case like that.
Yes, and <sigh> it's not that simple. There are known situations on
certain switch platforms where if you use "violation restrict" on a port,
and that port sees incoming mac addresses which belong to someone else on
the exchange lan, the restrict command will wipe those mac addresses from
the cam and the other person's equipment can lose connectivity. So
violation restrict can cause collateral damage, which is really rather nasty.
Also, Cisco GSR E5 cards aren't the only cards which inject junk from time
to time. Not irregularly, I see routers from another Well Known Router
Vendor injecting ipv6 frames with no mac headers. This bug appears to be
tickled when the router's bgp engine gets a sudden spanking. There are
other situations where bogus macs appear, mostly related to either old or
nasty hardware, but enough to make blanket use of shutdown-on-violation a
So I'll eat my words and admit that I actually do care when I see this sort
of thing - because it causes problems, and is the sign of broken hardware,
broken software or more often, bad network configuration, all of which are
matters of concern, and which indicate a problem which needs attention.
But however bogus packets are dealt with - whether restrict, shutdown or
ignore, the most important thing is that they are never forwarded.
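The collateral-damage case described above is the one worth picking out of the switch logs: a violation whose offending MAC actually belongs to another exchange member. The following is an added example, not part of the original post or any vendor tooling: it parses port-security violation syslog lines (constructed samples, modelled on the Cisco IOS PSECURE_VIOLATION message, exact wording assumed) against an assumed table of other members' MACs, and separates low-rate random-source junk from a repeating MAC and from another member's address.

```python
import re

# Constructed sample syslog lines, modelled on the Cisco IOS
# %PORT_SECURITY-2-PSECURE_VIOLATION message; the exact wording is assumed.
SAMPLE_LOG = """\
Apr 19 01:02:03 sw1 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0a1b.2c3d.4e5f on port GigabitEthernet1/1.
Apr 19 05:11:40 sw1 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 7e00.91aa.0c12 on port GigabitEthernet1/1.
Apr 19 09:47:02 sw1 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 3c5f.d8e1.2b09 on port GigabitEthernet1/1.
Apr 19 10:00:00 sw1 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0019.e2aa.bbcc on port GigabitEthernet1/3.
Apr 19 11:30:15 sw1 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00aa.bbcc.dd01 on port GigabitEthernet1/4.
Apr 19 11:30:16 sw1 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00aa.bbcc.dd01 on port GigabitEthernet1/4.
"""
# Assumed table of MACs learned on other members' ports (hypothetical values).
KNOWN_MEMBER_MACS = {"0019.e2aa.bbcc": "member-B on GigabitEthernet1/2"}
VIOLATION_RE = re.compile(
    r"PSECURE_VIOLATION: Security violation occurred, caused by MAC address "
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port (?P<port>\S+?)\.?$",
    re.IGNORECASE,
)

def parse_violations(log_text):
    """Yield (port, mac) for every port-security violation line."""
    for line in log_text.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            yield m.group("port"), m.group("mac").lower()

def build_report(log_text, known_macs):
    """Per port: event count, distinct offending MACs, and any MAC owned by another member."""
    report = {}
    for port, mac in parse_violations(log_text):
        entry = report.setdefault(port, {"events": 0, "macs": set(), "collateral": {}})
        entry["events"] += 1
        entry["macs"].add(mac)
        if mac in known_macs:
            entry["collateral"][mac] = known_macs[mac]
    return report

def classify(report):
    """Map each port to a verdict a NOC can act on."""
    verdicts = {}
    for port, e in report.items():
        if e["collateral"]:
            # Another member's MAC arrived here: under 'violation restrict' it may have
            # been evicted from the CAM, so that member's connectivity needs checking.
            verdicts[port] = "collateral"
        elif e["events"] > 1 and len(e["macs"]) == e["events"]:
            # Every event carries a fresh MAC: junk injection, not one misconfigured host.
            verdicts[port] = "random-source"
        else:
            verdicts[port] = "repeat-mac"
    return verdicts
```

Feeding a day of real syslog into `build_report` and then `classify` gives one verdict per port, which is enough to decide whether to contact a member before their session drops.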