Nick Hilliard nick at foobar.org
Sun Apr 19 13:32:12 CDT 2009

On 19/04/2009 08:31, Mikael Abrahamsson wrote:
> Well, as long as it simply drops packets and doesn't shut the port or
> some other "fascist" enforcement. We've had AMSIX complain that our
> Cisco 12k with E5 linecard was spitting out a few tens of packets per
> day during two months with random source mac addresses. Started
> suddenly, stopped suddenly. It's ok for them to drop the packets, but
> not shut the port in a case like that.

Yes, and <sigh> it's not that simple.  There are known situations on 
certain switch platforms where if you use "violation restrict" on a port, 
and that port sees incoming mac addresses which belong to someone else on 
the exchange lan, the restrict command will wipe those mac addresses from 
the cam and the other person's equipment can lose connectivity.  So 
violation restrict can cause collateral damage, which is really rather nasty.

Also, Cisco GSR E5 cards aren't the only cards which inject junk from time 
to time.  Not irregularly, I see routers from another Well Known Router 
Vendor injecting ipv6 frames with no mac headers.  This bug appears to be 
tickled when the router's bgp engine gets a sudden spanking.  There are 
other situations where bogus macs appear, mostly related to either old or 
nasty hardware, but enough to make blanket use of shutdown-on-violation a 
problem too.

So I'll eat my words and admit that I actually do care when I see this sort 
of thing - because it causes problems, and is the sign of broken hardware, 
broken software or more often, bad network configuration, all of which are 
matters of concern, and which indicate a problem which needs attention. 
But however bogus packets are dealt with - whether restrict, shutdown or 
ignore, the most important thing is that they are never forwarded.
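
The collateral-damage mechanism described above, as an added worked example that is not part of Nick's post or any vendor's code: a toy model of an exchange-LAN switch with a per-port source-MAC allow list and the three usual violation actions (protect, restrict, shutdown). The `restrict_purges_cam` switch models the platform behaviour the post describes, where a restrict violation wipes the offending MAC from the CAM even though a legitimate peer owns it; in this model the visible consequence is that the peer's traffic is flooded as unknown unicast until the entry is relearned, while the post reports outright loss of connectivity on the affected platforms. The port numbers and MAC addresses are constructed for the example, and in every mode the violating frame itself is never forwarded.

```python
"""Toy model of port-security violation modes on an exchange-LAN switch.

Added example; not from the NANOG thread or from any vendor's implementation.
The ``restrict_purges_cam`` flag is an assumption that models the CAM-wiping
behaviour described in the post, not documented behaviour of a named platform.
"""
from dataclasses import dataclass, field
from enum import Enum


class Violation(Enum):
    PROTECT = "protect"    # drop the frame silently
    RESTRICT = "restrict"  # drop the frame and count the violation
    SHUTDOWN = "shutdown"  # drop the frame and err-disable the ingress port


@dataclass
class Switch:
    allowed: dict[int, set[str]]          # port -> permitted source MACs
    mode: Violation
    restrict_purges_cam: bool = False     # assumption: models the buggy platforms
    cam: dict[str, int] = field(default_factory=dict)       # MAC -> port learned on
    disabled: set[int] = field(default_factory=set)         # err-disabled ports
    violations: dict[int, int] = field(default_factory=dict)  # port -> count

    def receive(self, in_port: int, src: str, dst: str) -> list[int]:
        """Process one frame and return the egress ports ([] means dropped)."""
        if in_port in self.disabled:
            return []
        if src not in self.allowed.get(in_port, set()):
            return self._violate(in_port, src)
        self.cam[src] = in_port          # normal source learning
        return self._forward(in_port, dst)

    def _violate(self, in_port: int, src: str) -> list[int]:
        self.violations[in_port] = self.violations.get(in_port, 0) + 1
        if self.mode is Violation.SHUTDOWN:
            self.disabled.add(in_port)
        elif self.mode is Violation.RESTRICT and self.restrict_purges_cam:
            # Collateral damage: the offending MAC is removed from the CAM
            # wherever it was learned, including another peer's port.
            self.cam.pop(src, None)
        return []                         # a violating frame is never forwarded

    def _forward(self, in_port: int, dst: str) -> list[int]:
        out = self.cam.get(dst)
        if out is None:
            # Unknown destination: flood to every other enabled port.
            return sorted(p for p in self.allowed
                          if p != in_port and p not in self.disabled)
        return [] if out == in_port else [out]


# Constructed addresses (locally administered range), not real peers.
PEER_A = "02:00:00:00:00:0a"   # connected to port 1
PEER_B = "02:00:00:00:00:0b"   # connected to port 2
PEER_C = "02:00:00:00:00:0c"   # connected to port 3


def scenario(mode: Violation, restrict_purges_cam: bool = False) -> dict:
    """Peer A and B exchange traffic, then A's router emits a frame sourced
    from B's MAC (the kind of junk the post describes). Report what happens."""
    sw = Switch(allowed={1: {PEER_A}, 2: {PEER_B}, 3: {PEER_C}},
                mode=mode, restrict_purges_cam=restrict_purges_cam)
    sw.receive(1, PEER_A, PEER_B)             # A learned; B unknown, so flooded
    sw.receive(2, PEER_B, PEER_A)             # B learned; unicast back to port 1
    bogus = sw.receive(1, PEER_B, PEER_A)     # bogus frame: B's MAC arriving on port 1
    after = sw.receive(1, PEER_A, PEER_B)     # A -> B again after the violation
    return {
        "bogus_egress": bogus,                # must always be []
        "a_to_b_egress": after,               # [2] if B's CAM entry survived
        "b_in_cam": PEER_B in sw.cam,
        "port1_disabled": 1 in sw.disabled,
        "port1_violations": sw.violations.get(1, 0),
    }


if __name__ == "__main__":
    for mode, purge in [(Violation.PROTECT, False), (Violation.RESTRICT, False),
                        (Violation.RESTRICT, True), (Violation.SHUTDOWN, False)]:
        print(mode.value, "purge" if purge else "no-purge", scenario(mode, purge))
```

Running the four scenarios shows the trade-off in the post: protect and a well-behaved restrict drop the frame and leave the CAM alone, the CAM-purging restrict drops the frame but leaves peer B's traffic being flooded to every port until B is relearned, and shutdown takes peer A off the exchange entirely because of a few stray frames.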


More information about the NANOG mailing list