Kelly_W

0x8104 and VRRP Protocols

Hello all,
Okay this is a bizarre one but I hope that someone can help me out.
My clients (physician offices) are all connected to a hospital via VLANs.  Everything was working great until the hospital replaced their Cisco core router with a Nortel core router.
Now (and this happens on all VLANs) every second a VRRP packet is sent from the Nortel core router out, then within that 1 second of time anywhere from 3-8 packets are sent out that are the protocol 0x8104 that has the info of Ethernet II (on my ethereal sniffer).
The VRRP packet I can handle but these others are only 60 bytes long and they look like malformed packets.  Why I say that is the source address is 00:1f:da:86:82:03 but the destination address is 01:1f:da:86:80:00.  Did you see how the packet took the source address, moved all bits over one character, then added a 00 at the end?
Doing some digging, it looks like it is a malformed IPX packet, since 0x8104 is in between two EtherTypes on this chart:
http://en.wikipedia.org/wiki/EtherType
Since they put the Nortel switch in place there have been random drop-offs at all locations with no rhyme or reason.  If I disconnect the hospital VLAN then everything goes back to normal and is very clean.
Is this normal with Nortel switches or could one of the cards or parts of the router be bad?
I am really thinking that this is a malformed packet storm that is happening.  Even though it is only 8 packets or so per second, can't this cause these issues that I am describing?
Thanks,
Kelly W.

ASKER

Hello,
The only protocols being used are ARP, IPv4, IGMP, BROWSER, LANMAN, NBNS, and SMB.
Again this is coming from the hospital core router and I am not privy to what they have internally going on there.
Thanks,
Kelly W.
Are there any spanning tree topology changes happening?

ASKER

Hello,
Not from my (the physician offices) side.
The different physician offices range from 72 computers with 5 switches at one site to 5 computers on one switch at another site.  All are simple networks with layer 2 switches (these are in a remote place and some of the offices are barely able to make payroll, let alone trying to purchase high end switches).
ALL offices have the same type of packets coming across the network from the hospital.
I cannot talk for the hospital as one of their IT people said in an email:

"We did see the VRRP and SLPP packets that you indicated were making up 60 to 70% of your network traffic.  We believe this is normal behavior when capturing network traffic from a switch port.  The normal traffic of a broadcast nature will be seen in high quantities when a packet capture is performed on a switch port with a PC that is not busy on the network.  

I believe that 6 to 8 packets per second broadcast traffic from the core switch is minimal traffic and is not the root cause of the network failures you have been seeing lately.  There may be some other cause originating from our core switch which we would be happy to attempt to help find."

Not real happy about this since this is flooding the network and life is good only when I unplug the connection to the hospital from each network.

Thanks,
Kelly W.
Nortel uses the old Synoptics/Bay networks discovery packets but I don't remember if 8104 is amongst them.

ASKER

Hello,
But is it normal to send out 8104 packets every second down VLANs?
Thanks,
Kelly W
Yes. When the topology discovery function is enabled it will send packets out so other devices can see them.  If it is the topology hellos it can be disabled.

ASKER

Hello,
I don't understand when Rick O Shay stated "If it is the topology hellos it can be disabled".  Does this mean that there is a setting on the Nortel to change sending out these packets?
Thanks,
Kelly W
Yes. What model switches are they?

ASKER

Hello,
I am told that it is the 8600 core router series.
Thanks,
Kelly W.
ASKER CERTIFIED SOLUTION
Rick_O_Shay
This solution is only available to members.

ASKER

Hello,
What ramifications will there be if they use this command to kill topology packets?
Thanks,
Kelly W.
I don't think it will do anything other than stop sending the packets. It can be turned off in JDM as well.

ASKER

Hello,
What is JDM?
Thanks,
Kelly W.

ASKER

Hello,
Also why would you want to have these topology packets on?
Thanks,
Kelly W.
JDM is Nortel's Java Device Manager, an SNMP tool used to manage their switches.
You would want the topology packets on for some network management applications from Nortel that use them to map the layout of your switches.

ASKER

Hello,
Can you turn it off with the statement but have it on in JDM?
If you do it that way will it stop sending the packets down the VLAN connections?
Thanks,
Kelly W.
No, it is the same setting, just accessed 2 different ways.

ASKER

Hello,
I will give all of this information to the hospital and let them know it needs to be turned off.
Rick, will you answer more questions on this after I award points?
Thanks,
Kelly W.
Certainly.

ASKER

Exactly what I wanted to see.  Thank you so very much.
The Nortel ERS 8600 uses 0x8104 for the SLPP loop detect feature.

It's basically a little test packet that gets sent out on every VLAN on which you enable the feature.
If the packet is received back on the same switch or on an SMLT peer, that indicates a loop and the port is disabled - protecting the core from the effect of the loop.

Regards.
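
Added example, not part of any post in this thread: a Python triage of captured Ethernet frames that counts EtherType 0x8104 frames per second and per source/destination/VLAN, looks inside an 802.1Q tag, and flags that a destination such as 01:1f:da:86:80:00 has the group (multicast) bit set. The sample capture, the `00:11:22:...` addresses, VLAN 20 and all function names are constructed for illustration.

```python
import struct
from collections import Counter

SLPP_ETHERTYPE = 0x8104  # EtherType the thread attributes to ERS 8600 SLPP
VLAN_TPID = 0x8100       # IEEE 802.1Q tag; the real EtherType follows it

def parse_frame(frame):
    """Decode dst/src MAC, optional VLAN ID and EtherType of an Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    fmt = lambda b: ":".join(f"{x:02x}" for x in b)
    (etype,) = struct.unpack("!H", frame[12:14])
    vlan = None
    if etype == VLAN_TPID:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan = tci & 0x0FFF
    # Low bit of the first destination octet set = group (multicast) address.
    return {"dst": fmt(frame[0:6]), "src": fmt(frame[6:12]), "vlan": vlan,
            "ethertype": etype, "group_dst": bool(frame[0] & 0x01)}

def slpp_summary(capture):
    """capture: iterable of (timestamp_seconds, frame_bytes) pairs."""
    per_second, flows, total, hits = Counter(), Counter(), 0, 0
    for ts, frame in capture:
        total += 1
        try:
            f = parse_frame(frame)
        except ValueError:
            continue  # runt frame: counted in total, never classified
        if f["ethertype"] == SLPP_ETHERTYPE:
            hits += 1
            per_second[int(ts)] += 1
            flows[(f["src"], f["dst"], f["vlan"])] += 1
    return {"total": total, "slpp": hits, "share": hits / total if total else 0.0,
            "peak_per_second": max(per_second.values(), default=0),
            "flows": dict(flows)}

def build(dst, src, etype, vlan=None):  # constructed frame, padded to 60 bytes
    hdr = bytes.fromhex((dst + src).replace(":", ""))
    if vlan is not None:
        hdr += struct.pack("!HH", VLAN_TPID, vlan)
    return (hdr + struct.pack("!H", etype)).ljust(60, b"\x00")

SRC, DST = "00:1f:da:86:82:03", "01:1f:da:86:80:00"  # addresses from the question
HOST = "00:11:22:33:44:55"                            # constructed workstation
SAMPLE = [(0.1, build(DST, SRC, 0x8104)), (0.4, build(DST, SRC, 0x8104)),
          (0.7, build(DST, SRC, 0x8104, vlan=20)), (0.9, build("ff:ff:ff:ff:ff:ff", HOST, 0x0806)),
          (1.2, build(DST, SRC, 0x8104)), (1.5, build(DST, SRC, 0x8104, vlan=20)),
          (1.8, build("00:11:22:33:44:66", HOST, 0x0800)), (1.9, b"\x01\x1f\xda")]
```

Calling `slpp_summary(SAMPLE)` gives the 0x8104 share of the capture and its peak rate, the two figures argued over in the thread.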