12-13-2011 07:57 AM
I'm trying to get our datacenter hooked up to a Toronto Exchange network (Torix), but unfortunately a problem has come up that I have not been able to find a solution for.
Torix uses port security when allowing others to connect to them. Only the MAC address of the L3 device that holds the IP used for BGP peering is allowed in. I have specified which MAC address they should expect from us, but it seems that a MAC address from a device used for L2 transport is leaking into their network, which causes our port to be blocked.
I have attached a drawing of the connection.
FastIron Edge X424 is where the issue occurs. As you can see from the drawing there are 3 ports involved. Port 3 is what connects us to Torix. Port 1 connects us to a fiber provider. Port 2 connects this switch to the edge device in our datacenter. Torix' equipment for some reason detects the MAC address of port 1 on the FastIron switch, when it should only see the MAC of port 2 on the BigIron. The only places where IPs are assigned are Cogent, Torix and BigIron.
I have disabled STP on all ports involved and it made no difference. BigIron is set to route-only globally.
Does anyone have suggestions how this can be fixed?
12-14-2011 08:27 AM
No, I don't have LLDP, FDP, CDP or the like enabled on port 1. Unfortunately this switch is in a remote facility, I'm going to have to arrange for someone to go there to run wireshark and see what's happening. I know Cogent uses LLDP on their network, I wonder if this has something to do with it.
Here is a config for it:
12-19-2011 02:35 PM
I got a nice network engineer from ToRix to mirror the port on their device and see what packets are coming in from port 3 on my device. And here is what he got:
22:22:02.456772 00:0c:db:69:ae:80 > 00:e0:52:00:00:00, ethertype Unknown (0x885a), length 151:
0x0000: 0101 0097 0180 0080 0000 0000 0000 0001 ................
0x0010: 86a0 020c 6b1a 0000 1388 0000 0000 0251 ....k..........Q
0x0020: adf3 020c 6b04 0000 0001 020c 6b1e 0000 ....k.......k...
0x0030: 6ac2 0040 fe78 0054 397c 0040 fe58 0000 j..@.x.T9|.@.X..
0x0040: 0000 0085 81e4 0243 8169 0000 0000 0000 .......C.i......
As you can see the MAC of the first port is sending traffic to 00:e0:52:00:00:00. A bit of searching on google and I found a thread where a guy is seeing the same type of traffic to the same MAC address. As if this MAC is some kind of universal variable.
So at this point I'm trying to figure out what type of protocol 0x885a is and how I block it on port 3.
I have attached a pcap file from wireshark as well.
12-19-2011 03:34 PM
The only thing I can find is that protocol 0x885a is a Foundry (now Brocade) registered ethertype. Not what it does though. Sure you found much the same.
Looks like they use this MAC address of 00:e0:52:00:00:00 as a broadcast address - I can only suggest to contact the TAC and see if this can be turned off (and please post back here if they can tell you what it is used for).
01-13-2012 09:08 AM
See the cut and paste below from the FastIron configuration guide. By default port 1 and much of the management traffic will have the same MAC address. This would cause one to mistakenly believe that traffic is leaking.
• FGS and FLS devices running software release 04.0.00 and later
• FGS-STK and FLS-STK devices running software release 05.0.00 and later
• FWS devices running software release 04.3.00 or later
By default, Brocade Layer 2 devices use the MAC address of the first port as the MAC address for Layer 2 management traffic. For example, when the Brocade device receives an ARP request for its management IP address, it responds with the first port's MAC address. This may cause problems in some configurations where the Brocade device uses the same MAC address for management traffic as for switched traffic.
Starting with the software releases listed above, you can configure the Brocade device to use a different MAC address for Layer 2 management traffic than for switched traffic. When you issue the use-local-managementmac, the Brocade device changes a local bit in the first port's MAC address and uses this MAC address for management traffic. The second bit of the first port's MAC address is changed to 2. For example, if the MAC address is 00e0.5201.9900 after the feature is enabled, the switch uses 02e0.5201.9900 for management functions. Switched traffic will continue to use the first port's MAC address without the local bit setting.
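As an added worked example (not code from the thread, from Brocade, or from ToRIX), the script below reconstructs the frame from the tcpdump output posted on 12-19-2011 and runs the two checks this thread turns on: a port-security style source-MAC check of the kind the exchange applies, and the locally-administered bit flip that the configuration guide excerpt above describes (00e0.5201.9900 becoming 02e0.5201.9900). The dump in the post is the payload only (tcpdump -x omits the link-layer header), so the Ethernet header is rebuilt from the summary line; the allowed BGP-peer MAC is a constructed placeholder from the RFC 7042 documentation range, since the real BigIron MAC is not on the page.

```python
# Reconstruct the frame captured on the ToRIX mirror port and run
# a port-security style check plus the U/L-bit transformation from
# the FastIron guide. Added example; sample values are from the thread
# except where marked as constructed.

FOUNDRY_ETHERTYPE = 0x885A  # ethertype seen in the capture

# Payload hex dump exactly as posted (tcpdump -x: payload only, 80 of
# the 137 payload bytes shown; the Ethernet header is not in the dump).
DUMP_LINES = """
0x0000: 0101 0097 0180 0080 0000 0000 0000 0001 ................
0x0010: 86a0 020c 6b1a 0000 1388 0000 0000 0251 ....k..........Q
0x0020: adf3 020c 6b04 0000 0001 020c 6b1e 0000 ....k.......k...
0x0030: 6ac2 0040 fe78 0054 397c 0040 fe58 0000 j..@.x.T9|.@.X..
0x0040: 0000 0085 81e4 0243 8169 0000 0000 0000 .......C.i......
""".strip().splitlines()

# Constructed placeholder for the BigIron's port-2 MAC (RFC 7042
# documentation range); the thread does not give the real value.
ALLOWED_PEER_MACS = ["00:00:5e:00:53:01"]


def hexdump_to_bytes(lines):
    """Convert tcpdump -x lines to bytes: token 0 is the offset, the next
    eight tokens are 16-bit hex groups, the ASCII column is ignored."""
    out = bytearray()
    for line in lines:
        for group in line.split()[1:9]:
            out += bytes.fromhex(group)
    return bytes(out)


def mac_to_bytes(mac):
    """Accept both aa:bb:cc:dd:ee:ff and Brocade's aabb.ccdd.eeff form."""
    return bytes.fromhex(mac.replace(":", "").replace(".", ""))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst, src, ethertype, payload):
    return mac_to_bytes(dst) + mac_to_bytes(src) + ethertype.to_bytes(2, "big") + payload


def parse_ethernet(frame):
    """Split an Ethernet II frame into header fields and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    return {
        "dst": bytes_to_mac(frame[0:6]),
        "src": bytes_to_mac(frame[6:12]),
        "ethertype": int.from_bytes(frame[12:14], "big"),
        "payload": frame[14:],
    }


def is_multicast(mac):
    """I/G bit (bit 0 of the first octet): set for group addresses."""
    return bool(mac_to_bytes(mac)[0] & 0x01)


def is_locally_administered(mac):
    """U/L bit (bit 1 of the first octet): the 'local bit' the guide flips."""
    return bool(mac_to_bytes(mac)[0] & 0x02)


def with_local_bit(mac):
    """Set the U/L bit, reproducing the guide's 00e0.5201.9900 -> 02e0.5201.9900."""
    raw = bytearray(mac_to_bytes(mac))
    raw[0] |= 0x02
    return bytes_to_mac(bytes(raw))


def port_security_check(frame, allowed_src_macs):
    """Mimic a single-MAC port-security rule: any source MAC outside the
    allowed set would cause the port to be blocked. Reports whether the
    offending frame carries the Foundry/Brocade ethertype, which points at
    switch-originated traffic rather than the L3 peer."""
    hdr = parse_ethernet(frame)
    allowed = {m.lower() for m in allowed_src_macs}
    if hdr["src"] in allowed:
        return {"verdict": "allow", "src": hdr["src"], "ethertype": hdr["ethertype"]}
    reason = "source MAC not in allowed set"
    if hdr["ethertype"] == FOUNDRY_ETHERTYPE:
        reason += "; ethertype 0x885a is switch-originated, not BGP peer traffic"
    return {"verdict": "block", "src": hdr["src"], "ethertype": hdr["ethertype"], "reason": reason}


# Frame rebuilt from the posted summary line plus the posted payload bytes.
LEAKED_FRAME = build_frame("00:e0:52:00:00:00", "00:0c:db:69:ae:80",
                           FOUNDRY_ETHERTYPE, hexdump_to_bytes(DUMP_LINES))

if __name__ == "__main__":
    print(port_security_check(LEAKED_FRAME, ALLOWED_PEER_MACS))
    print("management MAC after local bit:", with_local_bit("00e0.5201.9900"))
```

Running it shows the captured frame would be blocked by the exchange's rule because its source is the FastIron's port-1 MAC, and that the destination 00:e0:52:00:00:00 is a plain unicast address (I/G bit clear), so it is not a standard broadcast or multicast group even though the switch appears to use it as one.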