10-25-2005 10:38 AM - edited 03-03-2019 12:33 AM
I just took a capture of one of our customer VLAN's. I was getting alot of "others" showing up in Protocol Distribution. I stopped the trace and examined it to find a tremendous amount of SNAP frames, from several different MAC addresses, all destined to 01000CCCCCCD. This i think is for STP, but I cannot figure out why I am having SNAP frames on the network...
Thank you
10-25-2005 12:37 PM
Hello,
the multicast address you mention, 01000CCCCCCD, is used by VTP advertisements, which uses a logical link control (LLC) of SNAP (AAAA), that is probably what you are seeing...
Regards,
GP
10-25-2005 06:02 PM
Thank you for your suggestion. I am not certain why any VTP announcements would be occuring on that VLAN;
I dont think there should be any VTP there at all.
The MAC addresses seem to fall into some kind of order; the dest. address for each frame is the multicast address...
Is there anything else besides VTP that could cause this?
10-27-2005 12:06 AM
Hi
I think the multicast 01000CCCCCD used for keepalive between switches ? . i think the multicast 01000ccccccc used for VTP Advertisement
pls suggest me if i'm wrong
Thank you
10-25-2005 12:53 PM
Cisco's implementation of Per-Vlan Spanning Tree protocol. If a non-Cisco switch received it, it would be discarded. If a Cisco switch received it, it would be processed. See if this article helps any:
http://www.cisco.com/warp/public/473/741_4.pdf
pw
10-25-2005 08:58 PM
Is it possible that you can capture some of these SNAP frames and post them? If so, their contents can be conclusively verified. If you do not have a protocol analyzer, one can be obtained here free:
Let us know what you find out.
pw
10-26-2005 07:20 AM
Yes I will capture the frames and post the trace once I am on the customer site again tomorrow (10/27). I have Sniffer Pro.
Thanks to all of you whom are assisting on this...
10-27-2005 06:17 AM
10-27-2005 08:00 AM
Ethereal tells me they are Spanning Tree BPDUs.
10-27-2005 11:01 AM
Ethereal tells me a little bit more. Take a peek at the LLC header, last field entry for the process ID (PID). The only surprise was how it got encoded by ethereal (not the way Cisco would display the acronym). Ethereal displays it as PVSTP+ and Cisco calls it PVST+
pw
10-29-2005 04:57 AM
Yes, you are correct. I do see where Ethereal identifies the frames that way.
What is really confusing to me is that on other VLAN's, I can run open filter or set a capture filter for BDPU, and Sniffer identifies the captured frames AS BDPU's.....
I am not sure why on this VLAN they are showing up that way. I am trying to track down the MAC address originations of the frames...
10-29-2005 07:26 AM
I might have an answer for you on that without really seeing the network. Are there any non-Cisco switches of any sort installed on this network? If so, do they have 802.1Q trunks enabled?
pw
10-30-2005 03:42 PM
No. This VLAN is comprised solely of Cisco Switches.
Sometimes Linksys Wireless Routers are plugged in, but that would be all I am aware of.
Certainly nothing on the backbone but Cisco...
10-30-2005 08:18 PM
Well, I can only conclude one of a couple of things.
1. THe BPDUs you captured on other parts of the network were also PVST+ frames but you may have missed that on inspection of the capture. or,
2. Somebody has disabled PVST+ and is running MISTP (mono instance spanning tree protocol) in anticipation of having/joining an 802.1Q topology.
By default, PVST+ is on by default for Catalyst 6000 switches. Maybe you could capture some of these other frames that are on other parts of the switched network that have a different destination address and no mention of PVST+ ? Also, if you can access the console of the CAT 6000, try this command:
show spantree X (where X is each VLAN)
The output should look something like this:
Console> (enable) show spantree 1
VLAN 1
Spanning tree mode PVST+
Spanning tree type ieee
.
Bridge ID MAC ADDR 00-d0-00-4c-18-00
Bridge ID Priority 32769 (bridge priority: 32768, sys ID ext: 1)
Bridge Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec
Then try running this command:
show spantree mistp-instance active
See if you get any output like this:
Console> (enable) show spantree mistp-instance active
Instance 1
Spanning tree mode MISTP-PVST+
Spanning tree type ieee
Spanning tree instance enabled
Designated Root 00-d0-00-4c-18-00
Designated Root Priority 32769 (root priority: 32768, sys ID ext: 1)
Designated Root Cost 0
Designated Root Port none
VLANs mapped: 6
Root Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec
Bridge ID MAC ADDR 00-d0-00-4c-18-00
Bridge ID Priority 32769 (bridge priority: 32768, sys ID ext: 1)
VLANs mapped: 6
Bridge Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec
If so, maybe somebody inadvertently turned on MISTP?
pw
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: