04-03-2014 05:04 PM
I'm in a unique situation...I teach for a cyber course that includes exploitation. I have control of virtual machines and networks that utilize someone else's infrastructure between the classroom and server room. The layer 3 switches between the two rooms have recently been converted from Cisco to Brocade FastIron switches. There are no ACLs on them, and they are pretty much in the default configuration, as it's an isolated network. I regularly use NMAP to perform ping sweeps and port scans, and since the changeover I've had some problems with the ping sweeps. For some reason, the Brocade switch is dropping some of the packets the first time I run a ping sweep, resulting in missing hosts on the network. The second time I run a ping sweep, a few more hosts show up, and by the third or fourth ping sweep, usually all hosts are reported. NMAP utilizes an ICMP Echo Request and a TCP ACK to port 80 for its ping sweeps. Any idea why the switch would periodically/randomly drop those packets? I don't have control of the Brocade switches in between my classroom and server room, so I'm helping another person troubleshoot, and they aren't really familiar with the ins and outs of the Brocade. Thanks.
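The symptom above (hosts missing on the first sweep, appearing on later ones) is easiest to pin down by running the same discovery sweep several times and diffing the results. The following is an added example, not part of the original post: it drives nmap with the same probes the post describes (ICMP echo plus TCP ACK to port 80, i.e. -PE -PA80 with -sn for host discovery only), parses nmap's greppable output, and reports in which run each host first showed up and which hosts were missing from at least one run. The three embedded sweep outputs are constructed sample data so the analysis part runs offline; nmap itself is only invoked when you pass a target on the command line.

```python
"""Compare repeated nmap host-discovery sweeps and flag hosts that only
appear on later runs. Added example for the thread above; the sample
-oG outputs below are constructed, not captured from the poster's network."""
import ipaddress
import re
import subprocess
import sys
from typing import Dict, List, Set

# Same probes as in the post: ICMP echo (-PE) and TCP ACK to port 80 (-PA80).
# -sn: host discovery only, -n: no DNS, -oG -: greppable output on stdout.
NMAP_ARGS = ["nmap", "-sn", "-n", "-PE", "-PA80", "-oG", "-"]

# One "Host:" line per discovered host in -oG output, e.g.
#   Host: 10.0.0.1 ()\tStatus: Up
UP_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Status:\s+Up", re.M)


def hosts_up(grepable: str) -> Set[str]:
    """Return the set of addresses nmap reported as Up in one -oG output."""
    return set(UP_RE.findall(grepable))


def run_sweep(target: str) -> str:
    """Run one discovery sweep against target (needs nmap on PATH)."""
    proc = subprocess.run(NMAP_ARGS + [target], capture_output=True,
                          text=True, check=True)
    return proc.stdout


def first_seen(runs: List[str]) -> Dict[str, int]:
    """Map each host to the 1-based run in which it was first reported Up."""
    seen: Dict[str, int] = {}
    for i, out in enumerate(runs, start=1):
        for host in hosts_up(out):
            seen.setdefault(host, i)
    return seen


def flaky_hosts(runs: List[str]) -> Dict[str, List[int]]:
    """Hosts missing from at least one run, mapped to the runs that saw them."""
    per_run = [hosts_up(out) for out in runs]
    union = set().union(*per_run) if per_run else set()
    report: Dict[str, List[int]] = {}
    for host in sorted(union, key=ipaddress.ip_address):
        present = [i for i, s in enumerate(per_run, start=1) if host in s]
        if len(present) != len(runs):
            report[host] = present
    return report


# Constructed sample: three sweeps of the same /30-ish range where hosts
# trickle in over successive runs, mirroring the behaviour described above.
SAMPLE_RUNS = [
    "# Nmap 6.40 scan initiated\n"
    "Host: 10.0.0.1 ()\tStatus: Up\n"
    "Host: 10.0.0.3 ()\tStatus: Up\n"
    "# Nmap done -- 4 IP addresses (2 hosts up) scanned in 1.2 seconds\n",
    "# Nmap 6.40 scan initiated\n"
    "Host: 10.0.0.1 ()\tStatus: Up\n"
    "Host: 10.0.0.2 ()\tStatus: Up\n"
    "Host: 10.0.0.3 ()\tStatus: Up\n"
    "# Nmap done -- 4 IP addresses (3 hosts up) scanned in 1.1 seconds\n",
    "# Nmap 6.40 scan initiated\n"
    "Host: 10.0.0.1 ()\tStatus: Up\n"
    "Host: 10.0.0.2 ()\tStatus: Up\n"
    "Host: 10.0.0.3 ()\tStatus: Up\n"
    "Host: 10.0.0.4 ()\tStatus: Up\n"
    "# Nmap done -- 4 IP addresses (4 hosts up) scanned in 1.3 seconds\n",
]


def main(argv: List[str]) -> None:
    if len(argv) > 1:
        runs = [run_sweep(argv[1]) for _ in range(4)]   # live sweeps
    else:
        runs = SAMPLE_RUNS                              # offline sample
    for host, run in sorted(first_seen(runs).items(), key=lambda kv: kv[1]):
        print(f"{host:<16} first seen in run {run}")
    for host, present in flaky_hosts(runs).items():
        print(f"{host:<16} missing from some runs; seen in {present}")


if __name__ == "__main__":
    main(sys.argv)
```

If the set of "late" hosts changes from one batch of sweeps to the next, the loss is random rather than tied to particular hosts, which points at the path (rate limiting, buffering, ARP on the L3 hop) rather than at the targets themselves.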
04-03-2014 05:57 PM
I can think of no reason by default that it would be doing this. Also, without access to the config it is harder still.
Suggest you get back to the person helping (who does have access to the device) to check for the below:
Look for "ip tcp burst-normal" in the config to see if TCP DDoS protection has been enabled.
Look for "ip icmp burst-normal" in the config to see if Smurf attack protection has been enabled.
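The two config lines suggested above are worth checking against the sweep rate, because a discovery sweep of a /24 sends a couple of hundred ICMP echoes and TCP ACKs in well under a second, which is exactly the kind of burst that protection is meant to catch. The following is an added example, not code from the thread or from Brocade: it pulls any "ip tcp burst-normal" / "ip icmp burst-normal" lines out of a saved running-config and reports which protocol's threshold a given probe rate would exceed. It assumes the FastIron form "ip icmp burst-normal <n> burst-max <n> lockup <seconds>" with the thresholds in packets per second; the sample config text is constructed.

```python
"""Find FastIron TCP/ICMP burst-protection settings in a saved config and
check a planned sweep's probe rate against them. Added example; the
syntax 'burst-normal <pps> burst-max <pps> lockup <s>' and the units
(packets per second) are assumptions about the FastIron CLI."""
import re
from typing import Dict, List

BURST_RE = re.compile(
    r"^\s*ip (?P<proto>tcp|icmp) burst-normal (?P<burst_normal>\d+)"
    r"(?: burst-max (?P<burst_max>\d+))?(?: lockup (?P<lockup>\d+))?[ \t]*$",
    re.M,
)


def burst_settings(config: str) -> Dict[str, Dict[str, int]]:
    """Return {'tcp': {...}, 'icmp': {...}} for every burst-normal line found."""
    found: Dict[str, Dict[str, int]] = {}
    for m in BURST_RE.finditer(config):
        values = {k: int(v) for k, v in m.groupdict().items()
                  if k != "proto" and v is not None}
        found[m.group("proto")] = values
    return found


def sweep_exceeds(config: str, probe_rate_pps: int) -> List[str]:
    """Protocols whose burst-normal threshold is below the sweep's probe rate.

    A host-discovery sweep sends one ICMP echo and one TCP ACK per target,
    so the same per-protocol rate applies to both thresholds."""
    return sorted(proto for proto, s in burst_settings(config).items()
                  if probe_rate_pps > s["burst_normal"])


# Constructed sample of a running-config excerpt with both protections on.
SAMPLE_CONFIG = """\
!
ip tcp burst-normal 5000 burst-max 10000 lockup 300
ip icmp burst-normal 500 burst-max 1000 lockup 60
!
interface ethernet 1/1
 port-name classroom-uplink
!
"""

# Same excerpt with the protections absent (the default state).
SAMPLE_CONFIG_DEFAULT = """\
!
interface ethernet 1/1
 port-name classroom-uplink
!
"""

if __name__ == "__main__":
    # nmap -sn on a /24 emits roughly 254 probes per protocol almost at once;
    # treat that as ~1000 pps for a conservative check.
    print(burst_settings(SAMPLE_CONFIG))
    print("tripped by a /24 sweep:", sweep_exceeds(SAMPLE_CONFIG, 1000))
    print("default config tripped:", sweep_exceeds(SAMPLE_CONFIG_DEFAULT, 1000))
```

With the sample config the ICMP threshold (500 pps) is tripped and the TCP one (5000 pps) is not, which would match a first sweep losing ICMP echoes while later, slower retries get through; with neither line present the function returns nothing and the cause lies elsewhere.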
04-03-2014 06:10 PM
Thanks...I was thinking that as well. I'm at a loss; before the changeover from Cisco we had no issues. Does Brocade have any interoperability issues in a mixed network (Cisco/Brocade)? The switch in the lab is a Cisco, and I know their recommendation to fix issues is to always get rid of the competitor. Thanks.
04-03-2014 06:30 PM
No, mixed networks (Cisco/Brocade) are fine (so long as you are not using any Cisco proprietary stuff). It might help to know what switch model it is and what version of code, and we can check the release notes to see if there are any bugs that might be the cause.
I have used NMAP on Brocade kit before without any problems. Is there anything else in the middle, e.g. a service provider network, or is it a point-to-point link?
04-03-2014 08:22 PM
No, there's nothing in between....the entire network consists of two Brocade switches and a Cisco switch. Monitored the traffic leaving the first switch (in the classroom), all was good. Monitored the traffic going into the Cisco switch (in the server room), noticed the dropped packets. The only thing between them is two runs of fiber and the last Brocade switch. I'm guessing that there is something going on in this switch, probably something misconfigured. If I don't resolve it tomorrow, I'll have more information on the device.
I've noticed some unique things with the way these switches behave when it comes to dealing with non-traditional traffic. Normally, most people don't like having malicious traffic on their network, so it would be a good thing. Unfortunately, I don't want any restrictions whatsoever, as I'm in a closed test network. For instance, this particular switch has sent back "destination unreachable, host unreachable" for nonexistent hosts on networks two hops away....not sure why it answers for networks it doesn't own. Guess it's a little bit of an adjustment and learning curve.
04-04-2014 07:33 AM
I was able to take a look at the configuration of the switch for a moment, and didn't see any rate limiting/throttling enabled. When I looked at the interface statistics, I see no dropped packets, and a huge number of queued packets. Does queued packets mean that the packets were queued, then sent, or does it mean that they are sitting in queue? Thanks.
04-04-2014 07:54 AM
What command did you issue to see the queued packets? This should mean packets that were not forwarded in hardware, but give me the command and I will check.
04-04-2014 08:47 AM
Strange, I do not see anything about queues in that command on my switch nor do I remember seeing that info from that command.
Fastiron(config)#show int e 1/1
GigabitEthernet1/1 is down, line protocol is down
Hardware is GigabitEthernet, address is 0012.f2cf.1200 (bia 0012.f2cf.1201)
Configured speed auto, actual unknown, configured duplex fdx, actual unknown
Configured mdi mode AUTO, actual unknown
Member of L2 VLAN ID 1, port is untagged, port state is BLOCKING
BPDU guard is Disabled, ROOT protect is Disabled
Link Error Dampening is Disabled
STP configured to ON, priority is level0
Flow Control is config enabled, oper disabled, negotiation disabled
Mirror disabled, Monitor disabled
Not member of any active trunks
Not member of any configured trunks
No port name
IPG MII 96 bits-time, IPG GMII 96 bits-time
IP MTU 1500 bytes, encapsulation ethernet
300 second input rate: 0 bits/sec, 0 packets/sec, 0.00% utilization
300 second output rate: 0 bits/sec, 0 packets/sec, 0.00% utilization
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 multicasts, 0 unicasts
0 input errors, 0 CRC, 0 frame, 0 ignored
0 runts, 0 giants
0 packets output, 0 bytes, 0 underruns
Transmitted 0 broadcasts, 0 multicasts, 0 unicasts
0 output errors, 0 collisions
Relay Agent Information option: Disabled
As for flow control, it could, but only if exceeding what the switch can do, and as the switch is line rate that should not happen. You can disable flow control via 'no flow control' at the interface level.
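Because the "show interface" output above carries no queue counters, the useful thing to do with it is to take one snapshot before a sweep and one after and look at which counters moved: "no buffer", "ignored" and "input errors" on the ingress port, "underruns" and "output errors" on the egress port. The following is an added example, not part of the thread: it parses the counter lines of FastIron "show interface" output and reports which drop-related counters increased between two snapshots. The "before" snapshot is an abridged copy of the output posted above (all zeros, port down); the "after" snapshot is constructed to show what a drop would look like.

```python
"""Diff two FastIron 'show interface' snapshots and report drop-related
counters that increased. Added example for the thread; SNAPSHOT_AFTER is
constructed, SNAPSHOT_BEFORE is abridged from the output posted above."""
import re
from typing import Dict, Optional, Tuple

# One regex per counter as it appears in the posted output.
COUNTER_PATTERNS = {
    "packets_input":  r"(\d+) packets input",
    "no_buffer":      r"(\d+) no buffer",
    "input_errors":   r"(\d+) input errors",
    "crc":            r"(\d+) CRC",
    "frame":          r"(\d+) frame",
    "ignored":        r"(\d+) ignored",
    "runts":          r"(\d+) runts",
    "giants":         r"(\d+) giants",
    "packets_output": r"(\d+) packets output",
    "underruns":      r"(\d+) underruns",
    "output_errors":  r"(\d+) output errors",
    "collisions":     r"(\d+) collisions",
}

# Counters whose growth means frames were lost or damaged on this port.
DROP_COUNTERS = ("no_buffer", "input_errors", "crc", "frame", "ignored",
                 "runts", "giants", "underruns", "output_errors", "collisions")


def parse_counters(show_int: str) -> Dict[str, int]:
    """Extract the per-port counters from one 'show interface' output."""
    counters: Dict[str, int] = {}
    for name, pattern in COUNTER_PATTERNS.items():
        m = re.search(pattern, show_int)
        if m:
            counters[name] = int(m.group(1))
    return counters


def link_state(show_int: str) -> Optional[Tuple[str, str, str]]:
    """Return (interface, link, line protocol) from the first output line."""
    m = re.search(r"^(\S+) is (up|down), line protocol is (up|down)",
                  show_int, re.M)
    return (m.group(1), m.group(2), m.group(3)) if m else None


def counter_delta(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Per-counter change between two parsed snapshots."""
    return {k: after[k] - before[k] for k in after if k in before}


def drop_indicators(before_text: str, after_text: str) -> Dict[str, int]:
    """Drop-related counters that grew between the two snapshots."""
    delta = counter_delta(parse_counters(before_text), parse_counters(after_text))
    return {k: v for k, v in delta.items() if k in DROP_COUNTERS and v > 0}


# Abridged from the output posted in the thread (port down, all zeros).
SNAPSHOT_BEFORE = """\
GigabitEthernet1/1 is down, line protocol is down
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 multicasts, 0 unicasts
0 input errors, 0 CRC, 0 frame, 0 ignored
0 runts, 0 giants
0 packets output, 0 bytes, 0 underruns
Transmitted 0 broadcasts, 0 multicasts, 0 unicasts
0 output errors, 0 collisions
"""

# Constructed: the same port after a sweep, with a few input-side drops.
SNAPSHOT_AFTER = """\
GigabitEthernet1/1 is up, line protocol is up
48211 packets input, 5123907 bytes, 17 no buffer
Received 120 broadcasts, 44 multicasts, 48047 unicasts
3 input errors, 3 CRC, 0 frame, 0 ignored
0 runts, 0 giants
51002 packets output, 6013311 bytes, 0 underruns
Transmitted 9 broadcasts, 12 multicasts, 50981 unicasts
0 output errors, 0 collisions
"""

if __name__ == "__main__":
    print(link_state(SNAPSHOT_AFTER))
    print(counter_delta(parse_counters(SNAPSHOT_BEFORE), parse_counters(SNAPSHOT_AFTER)))
    print("drops:", drop_indicators(SNAPSHOT_BEFORE, SNAPSHOT_AFTER))
```

If every drop counter stays flat on both the ingress and egress ports while hosts still go missing, the frames were not lost at that port's MAC and the cause is further up (a software-forwarded exception path, a rate limiter, or the far end), which narrows where to look next.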