Thank you for your suggestion. I am not certain why any VTP announcements would be occuring on that VLAN;

I dont think there should be any VTP there at all.

The MAC addresses seem to fall into some kind of order; the dest. address for each frame is the multicast address...

Is there anything else besides VTP that could cause this?

Hi

I think the multicast 01000CCCCCD used for keepalive between switches ? . i think the multicast 01000ccccccc used for VTP Advertisement

pls suggest me if i'm wrong

Thank you

Is it possible that you can capture some of these SNAP frames and post them? If so, their contents can be conclusively verified. If you do not have a protocol analyzer, one can be obtained here free:

http://www.ethereal.com/

Let us know what you find out.

pw

Yes I will capture the frames and post the trace once I am on the customer site again tomorrow (10/27). I have Sniffer Pro.

Thanks to all of you whom are assisting on this...

I am now including the trace file that contains the SNAP frames that I am seeing on our Guest VLAN.

I look forward to the responses.....(theme from Jaws)

Kevin

Ethereal tells me they are Spanning Tree BPDUs.

Ethereal tells me a little bit more. Take a peek at the LLC header, last field entry for the process ID (PID). The only surprise was how it got encoded by ethereal (not the way Cisco would display the acronym). Ethereal displays it as PVSTP+ and Cisco calls it PVST+

pw

Yes, you are correct. I do see where Ethereal identifies the frames that way.

What is really confusing to me is that on other VLAN's, I can run open filter or set a capture filter for BDPU, and Sniffer identifies the captured frames AS BDPU's.....

I am not sure why on this VLAN they are showing up that way. I am trying to track down the MAC address originations of the frames...

I might have an answer for you on that without really seeing the network. Are there any non-Cisco switches of any sort installed on this network? If so, do they have 802.1Q trunks enabled?

pw

No. This VLAN is comprised solely of Cisco Switches.

Sometimes Linksys Wireless Routers are plugged in, but that would be all I am aware of.

Certainly nothing on the backbone but Cisco...

Well, I can only conclude one of a couple of things.

1. THe BPDUs you captured on other parts of the network were also PVST+ frames but you may have missed that on inspection of the capture. or,

2. Somebody has disabled PVST+ and is running MISTP (mono instance spanning tree protocol) in anticipation of having/joining an 802.1Q topology.

By default, PVST+ is on by default for Catalyst 6000 switches. Maybe you could capture some of these other frames that are on other parts of the switched network that have a different destination address and no mention of PVST+ ? Also, if you can access the console of the CAT 6000, try this command:

show spantree X (where X is each VLAN)

The output should look something like this:

Console> (enable) show spantree 1

VLAN 1

Spanning tree mode PVST+

Spanning tree type ieee

.

Bridge ID MAC ADDR 00-d0-00-4c-18-00

Bridge ID Priority 32769 (bridge priority: 32768, sys ID ext: 1)

Bridge Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec

Then try running this command:

show spantree mistp-instance active

See if you get any output like this:

Console> (enable) show spantree mistp-instance active

Instance 1

Spanning tree mode MISTP-PVST+

Spanning tree type ieee

Spanning tree instance enabled

Designated Root 00-d0-00-4c-18-00

Designated Root Priority 32769 (root priority: 32768, sys ID ext: 1)

Designated Root Cost 0

Designated Root Port none

VLANs mapped: 6

Root Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec

Bridge ID MAC ADDR 00-d0-00-4c-18-00

Bridge ID Priority 32769 (bridge priority: 32768, sys ID ext: 1)

VLANs mapped: 6

Bridge Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec

If so, maybe somebody inadvertently turned on MISTP?

pw