
0x8104 and VRRP Protocols

Kelly_W asked
Last Modified: 2012-05-08
Hello all,
Okay this is a bizarre one but I hope that someone can help me out.
My clients (physician offices) are all connected to a hospital via VLANs.  Everything was working great until the hospital replaced their Cisco core router with a Nortel core router.
Now (and this happens on all VLANs) every second a VRRP packet is sent from the Nortel core router out, then within that 1 second of time anywhere from 3-8 packets are sent out that are the protocol 0x8104 that has the info of Ethernet II (on my ethereal sniffer).
The VRRP packet I can handle but these others are only 60 bytes long and they look like malformed packets.  Why I say that is the source address is 00:1f:da:86:82:03 but the destination address is 01:1f:da:86:80:00.  Did you see how the packet took the source address move all bits over one character then added a 00 at the end?
Doing some digging, it looks like it is a malformed IPX packet, since 0x8104 is in between two EtherTypes on this chart:
http://en.wikipedia.org/wiki/EtherType
Since they put the Nortel switch in place there has been random drop offs at all locations for no rhyme nor reason.  If I disconnect the hospital VLAN then everything goes back to normal and is very clean.
Is this normal with Nortel switches or could one of the cards or parts of the router be bad?
I am really thinking that this is a malformed packet storm that is happening.  Even though it is only 8 packets or so per second, can't this cause these issues that I am describing?
Thanks,
Kelly W.

Author

Commented:
Hello,
The only protocols being used are ARP, IPv4, IGMP, BROWSER, LANMAN, NBNS, and SMB.
Again this is coming from the hospital core router and I am not privy to what they have internally going on there.
Thanks,
Kelly W.
Are there any spanning tree topology changes happening?

Author

Commented:
Hello,
Not from my (the physician offices) side.
The different physician offices range from 72 computers with 5 switches at one site to 5 computers on one switch at another site.  All are simple networks with layer 2 switches (these are in a remote place and some of the offices are barely able to make payroll, let alone trying to purchase high end switches).
ALL offices have the same type of packets coming across the network from the hospital.
I cannot talk for the hospital as one of their IT people said in an email:

"We did see the VRRP and SLPP packets that you indicated were making up 60 to 70% of your network traffic.  We believe this is normal behavior when capturing network traffic from a switch port.  The normal traffic of a broadcast nature will be seen in high quantities when a packet capture is performed on a switch port with a PC that is not busy on the network.  

I believe that 6 to 8 packets per second broadcast traffic from the core switch is minimal traffic and is not the root cause of the network failures you have been seeing lately.  There may be some other cause originating from our core switch which we would be happy to attempt to help find."

Not real happy about this since this is flooding the network and life is good only when I unplug the connection to the hospital from each network.

Thanks,
Kelly W.
Nortel uses the old Synoptics/Bay networks discovery packets but I don't remember if 8104 is amongst them.

Author

Commented:
Hello,
But is it normal to send out 8104 packets every second down VLANs?
Thanks,
Kelly W
Yes. When the topology discovery function is enabled it will send packets out so other devices can see them.  If it is the topology hellos it can be disabled.

Author

Commented:
Hello,
I don't understand when Rick O Shay stated "If it is the topology hellos it can be disabled".  Does this mean that there is a setting on the Nortel to change sending out these packets?
Thanks,
Kelly W
Yes. What model switches are they?

Author

Commented:
Hello,
I am told that it is the 8600 core router series.
Thanks,
Kelly W.

Author

Commented:
Hello,
What ramifications will there be if they use this command to kill topology packets?
Thanks,
Kelly W.
I don't think it will do anything other than stop sending the packets. It can be turned off in JDM as well.

Author

Commented:
Hello,
What is JDM?
Thanks,
Kelly W.

Author

Commented:
Hello,
Also why would you want to have these topology packets on?
Thanks,
Kelly W.
JDM is Nortel's Java Device Manager, an SNMP tool used to manage their switches.
You would want the topology packets on for some network management applications from Nortel that use them to map the layout of your switches.

Author

Commented:
Hello,
Can you turn it off with the statement but have it on in JDM?
If you do it that way will it stop sending the packets down the VLAN connections?
Thanks,
Kelly W.
No, it is the same setting, just accessed 2 different ways.

Author

Commented:
Hello,
I will give all of this information to the hospital and let them know it needs to be turned off.
Rick, will you answer more questions on this after I award points?
Thanks,
Kelly W.
Certainly.

Author

Commented:
Exactly what I wanted to see.  Thank you so very much.
dodgechargerfan, I.T. Security Officer

Commented:
The Nortel ERS 8600 uses 0x8104 for the SLPP loop detect feature.

It's basically a little test packet that gets sent out on every VLAN on which you enable the feature.
If the packet is received back on the same switch or on an SMLT peer, that indicates a loop and the port is disabled - protecting the core from the effect of the loop.

Regards.
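
The traffic described in this thread (one VRRP advertisement per second plus several EtherType 0x8104 SLPP frames) can be triaged from a capture with a small frame classifier. This is an added example, not code from the thread or from Nortel; the frames are constructed from the MAC addresses quoted in the question, and the VLAN ID, IP addresses and the names `classify`, `rates` and `sample_capture` are assumptions.

```python
import struct
from collections import Counter

ETH_8021Q, ETH_IPV4 = 0x8100, 0x0800
ETH_SLPP = 0x8104      # per the answer above: SLPP loop detection on the ERS 8600
IPPROTO_VRRP = 112     # VRRP rides directly on IPv4 as protocol 112

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def classify(frame):
    """Describe one raw Ethernet frame (bytes, without FCS)."""
    if len(frame) < 14:
        return {"kind": "truncated"}
    dst, src = frame[0:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    vlan, off = None, 14
    if etype == ETH_8021Q and len(frame) >= 18:      # unwrap one 802.1Q tag
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    kind = "other"
    if etype == ETH_SLPP:
        kind = "slpp"
    elif etype == ETH_IPV4 and len(frame) >= off + 20 and frame[off + 9] == IPPROTO_VRRP:
        kind = "vrrp"
    # Low bit of the first destination octet is the group (multicast) bit.
    return {"kind": kind, "src": mac(src), "dst": mac(dst), "vlan": vlan,
            "group_dst": bool(dst[0] & 0x01), "len": len(frame)}

def rates(capture):
    """capture: iterable of (timestamp_seconds, frame) -> Counter keyed by (second, kind)."""
    c = Counter()
    for ts, frame in capture:
        c[(int(ts), classify(frame)["kind"])] += 1
    return c

def sample_capture():
    """Constructed frames: MACs from the question, everything else made up."""
    slpp = bytes.fromhex("011fda868000" "001fda868203" "8104").ljust(60, b"\x00")
    ip = bytes([0x45, 0, 0, 40, 0, 0, 0, 0, 255, IPPROTO_VRRP, 0, 0,
                10, 0, 0, 1, 224, 0, 0, 18])
    vrrp = (bytes.fromhex("01005e000012" "00005e000101" "0800") + ip).ljust(60, b"\x00")
    tagged = slpp[:12] + struct.pack("!HH", ETH_8021Q, 20) + slpp[12:]
    return [(0.0, vrrp), (0.1, slpp), (0.3, slpp), (0.5, tagged), (1.0, vrrp), (1.2, slpp)]

if __name__ == "__main__":
    for key, n in sorted(rates(sample_capture()).items()):
        print(key, n)
```

A steady per-VLAN count of `slpp` frames from the core's MAC matches the periodic test packet described above; the `group_dst` flag shows the 01:1f:da:86:80:00 destination is a group address.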
