On 19/04/2009 08:31, Mikael Abrahamsson wrote:
> Well, as long as it simply drops packets and doesn't shut the port or some other "fascist" enforcement. We've had AMSIX complain that our Cisco 12k with E5 linecard was spitting out a few tens of packets per day during two months with random source mac addresses. Started suddenly, stopped suddenly. It's ok for them to drop the packets, but not shut the port in a case like that.

Yes, and <sigh> it's not that simple. There are known situations on certain switch platforms where if you use "violation restrict" on a port, and that port sees incoming mac addresses which belong to someone else on the exchange lan, the restrict command will wipe those mac addresses from the cam and the other person's equipment can lose connectivity. So violation restrict can cause collateral damage, which is really rather nasty.

Also, Cisco GSR E5 cards aren't the only cards which inject junk from time to time. Not irregularly, I see routers from another Well Known Router Vendor injecting ipv6 frames with no mac headers. This bug appears to be tickled when the router's bgp engine gets a sudden spanking. There are other situations where bogus macs appear, mostly related to either old or nasty hardware, but enough to make blanket use of shutdown-on-violation a problem too.

So I'll eat my words and admit that I actually do care when I see this sort of thing - because it causes problems, and is the sign of broken hardware, broken software or more often, bad network configuration, all of which are matters of concern, and which indicate a problem which needs attention.

But however bogus packets are dealt with - whether restrict, shutdown or ignore, the most important thing is that they are never forwarded.

Nick
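
An added example, not part of the thread: a small audit over mirrored (port, source MAC) observations that separates the two cases discussed above, junk MACs registered to nobody and MACs that belong to another member's port, while forwarding only frames from the MAC registered on the ingress port. The port names, the registration table and the observations are constructed sample data, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample data (not from the thread): MACs registered per member port.
REGISTERED = {
    "port1": {"00:00:5e:00:53:01"},
    "port2": {"00:00:5e:00:53:02"},
    "port3": {"00:00:5e:00:53:03"},
}

# Constructed observations: (ingress port, source MAC) pairs, e.g. from a port mirror.
OBSERVED = [
    ("port1", "00:00:5E:00:53:01"),  # member's own MAC
    ("port1", "00-00-5e-00-53-02"),  # MAC registered to port2, seen on port1
    ("port3", "9a:4c:11:07:e2:5b"),  # junk MAC, registered to nobody
    ("port3", "00:00:5e:00:53:03"),  # member's own MAC
    ("port3", "3e:d0:77:21:0a:c4"),  # more junk from the same port
]

def normalise(mac):
    """Lower-case and use ':' separators so comparisons are format-independent."""
    return mac.lower().replace("-", ":")

def classify(port, mac, registered):
    """Return (verdict, owner_port). Only 'ok' frames may be forwarded."""
    mac = normalise(mac)
    if mac in registered.get(port, set()):
        return "ok", port
    for owner, macs in registered.items():
        if mac in macs:
            return "foreign-member", owner  # someone else's MAC on this port
    return "unknown", None                  # junk: registered to nobody

def audit(observations, registered):
    """Split observations into forwarded and dropped, and list ports whose
    own MAC showed up on another port (the collateral-damage case)."""
    report = {"forwarded": [], "dropped": defaultdict(list), "at_risk": set()}
    for port, mac in observations:
        verdict, owner = classify(port, mac, registered)
        if verdict == "ok":
            report["forwarded"].append((port, normalise(mac)))
            continue
        report["dropped"][port].append((normalise(mac), verdict))
        if verdict == "foreign-member":
            report["at_risk"].add(owner)
    return report

if __name__ == "__main__":
    result = audit(OBSERVED, REGISTERED)
    print("forwarded:", result["forwarded"])
    print("dropped:", dict(result["dropped"]))
    print("ports whose MAC appeared elsewhere:", sorted(result["at_risk"]))
```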