I have a 6500 with WS-X6K-SUP2-2GE and MSFC2, IOS v12.1(27b)E3. I have numerous VLANs subnetted in the 10.20.0.0/16 range. The lowest numbered subnet is 10.20.2.0/24 (VLAN2). VLAN1 is shut down. The 6500 is connected to an ABR for WAN connectivity. All routing is OSPF. All my devices are in Area 2.
The problem is, when I put a sniffer on the MAN to WAN interface, I see continuous TCP traffic with a source of 10.20.1.0 and destination addresses that are in my allocated IP address range, but are not configured. The MAC address of 10.20.1.0 is my 6500, and seeing as how the destination addresses do not exist, the packets are sent to the MAC address of the ABR. The capture also shows a TCP header length of 0 bytes (bogus, must be at least 20).
Attached is a single packet.
What's going on here? Any help is appreciated.
You note that the TCP header length is 0. I am not sure that I see that in what you have posted.
You say that the lowest numbered subnet is 10.20.2.0/24 but the source address of the packet is 10.20.1.0 which is lower and would seem to be invalid.
You comment on the source MAC address being your 6500 and the destination MAC being the ABR. If the capture was done on the link between the 6500 and the ABR that would be correct and appropriate.
Your post indicates that the destination address is an address that has not been assigned, so sending IP packets to that address would seem to be invalid. Also the capture shows that the destination port is 0 which would be invalid.
The capture indicates a VLAN ID of 891. Would that be the VLAN of the link between the 6500 and the ABR or would that perhaps be a clue to the VLAN from which this packet originated?
My interpretation is that some host in your network is generating invalid packets. Sometimes behavior like this is a sign that the host is infected with some virus.
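The checks discussed in this thread (source or destination inside the allocated range but not configured, TCP header length below 20 bytes, port 0, and the 802.1Q VLAN ID) can be automated over captured frames. The following is an added example, not part of either post; the configured subnet list, the destination address, MAC addresses and ports are constructed assumptions.

```python
import ipaddress
import struct

ALLOCATED = ipaddress.ip_network("10.20.0.0/16")      # range from the post
CONFIGURED = [ipaddress.ip_network(n)                  # assumed list of live subnets
              for n in ("10.20.2.0/24", "10.20.3.0/24")]

def inspect_frame(frame: bytes):
    """Return (vlan_id, findings) for one Ethernet frame carrying IPv4/TCP."""
    findings, vlan, off = [], None, 12
    (ethertype,) = struct.unpack_from("!H", frame, off)
    if ethertype == 0x8100:              # 802.1Q tag: low 12 bits are the VLAN ID
        tci, ethertype = struct.unpack_from("!HH", frame, off + 2)
        vlan, off = tci & 0x0FFF, off + 4
    off += 2                             # skip the EtherType itself
    if ethertype != 0x0800:
        return vlan, ["not IPv4"]
    ihl = (frame[off] & 0x0F) * 4        # IPv4 header length in bytes
    proto = frame[off + 9]
    src = ipaddress.ip_address(frame[off + 12:off + 16])
    dst = ipaddress.ip_address(frame[off + 16:off + 20])
    for label, addr in (("source", src), ("destination", dst)):
        if addr in ALLOCATED and not any(addr in n for n in CONFIGURED):
            findings.append(f"{label} {addr} is allocated but not configured")
    if proto == 6:
        tcp = off + ihl
        sport, dport = struct.unpack_from("!HH", frame, tcp)
        header_len = (frame[tcp + 12] >> 4) * 4   # data offset is in 32-bit words
        if header_len < 20:
            findings.append(f"TCP header length {header_len} is below the 20-byte minimum")
        if 0 in (sport, dport):
            findings.append("TCP port 0 in use")
    return vlan, findings

def build_frame(src, dst, dport, data_offset_words, vlan=891):
    """Construct a tagged test frame; MACs, source port and flags are made up."""
    eth = struct.pack("!6s6sHHH", bytes.fromhex("020000000002"),
                      bytes.fromhex("020000000001"), 0x8100, vlan, 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0,
                      data_offset_words << 4, 0x02, 8192, 0, 0)
    return eth + ip + tcp

if __name__ == "__main__":
    # Constructed frame resembling the one described in the question.
    print(inspect_frame(build_frame("10.20.1.0", "10.20.200.7", 0, 0)))
```

The returned VLAN ID points at the segment to trace next when looking for the originating host.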