New Member

SNAP frames on VLAN

I just took a capture of one of our customer VLANs. I was getting a lot of "others" showing up in Protocol Distribution. I stopped the trace and examined it to find a tremendous amount of SNAP frames, from several different MAC addresses, all destined to 01000CCCCCCD. This, I think, is for STP, but I cannot figure out why I am having SNAP frames on the network...

Thank you

13 REPLIES
VIP Purple

Re: SNAP frames on VLAN

Hello,

the multicast address you mention, 01000CCCCCCD, is used by VTP advertisements, which uses a logical link control (LLC) of SNAP (AAAA), that is probably what you are seeing...

Regards,

GP

New Member

Re: SNAP frames on VLAN

Thank you for your suggestion. I am not certain why any VTP announcements would be occurring on that VLAN;

I don't think there should be any VTP there at all.

The MAC addresses seem to fall into some kind of order; the dest. address for each frame is the multicast address...

Is there anything else besides VTP that could cause this?

New Member

Re: SNAP frames on VLAN

Hi

I think the multicast 01000CCCCCD is used for keepalives between switches? I think the multicast 01000ccccccc is used for VTP advertisements.

Please correct me if I'm wrong.

Thank you

New Member

Re: SNAP frames on VLAN

Cisco's implementation of Per-Vlan Spanning Tree protocol. If a non-Cisco switch received it, it would be discarded. If a Cisco switch received it, it would be processed. See if this article helps any:

http://www.cisco.com/warp/public/473/741_4.pdf

pw

New Member

Re: SNAP frames on VLAN

Is it possible that you can capture some of these SNAP frames and post them? If so, their contents can be conclusively verified. If you do not have a protocol analyzer, one can be obtained here free:

http://www.ethereal.com/

Let us know what you find out.

pw

New Member

Re: SNAP frames on VLAN

Yes I will capture the frames and post the trace once I am on the customer site again tomorrow (10/27). I have Sniffer Pro.

Thanks to all of you who are assisting on this...

New Member

Re: SNAP frames on VLAN

I am now including the trace file that contains the SNAP frames that I am seeing on our Guest VLAN.

I look forward to the responses.....(theme from Jaws)

Kevin

New Member

Re: SNAP frames on VLAN

Ethereal tells me they are Spanning Tree BPDUs.

New Member

Re: SNAP frames on VLAN

Ethereal tells me a little bit more. Take a peek at the LLC header, last field entry for the process ID (PID). The only surprise was how it got encoded by Ethereal (not the way Cisco would display the acronym). Ethereal displays it as PVSTP+ and Cisco calls it PVST+.

pw
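The header check described in this thread, as an added example that is not part of any participant's post: a small Python classifier that reads the 802.3 length, the LLC DSAP/SSAP/control bytes and the SNAP OUI and protocol ID, and so tells a PVST+ BPDU (SNAP, PID 0x010B) apart from a plain IEEE BPDU (LLC 0x42/0x42) or a VTP frame. The sample frames and the source MAC are constructed for illustration; the function and constant names are this example's own.

```python
import struct

# Cisco SNAP protocol IDs (OUI 00:00:0C)
CISCO_PIDS = {0x2000: "CDP", 0x2003: "VTP", 0x2004: "DTP",
              0x0104: "PAgP", 0x0111: "UDLD", 0x010B: "PVST+"}

def classify(frame: bytes) -> dict:
    """Name the protocol of one Ethernet frame from its LLC/SNAP header."""
    if len(frame) < 18:
        raise ValueError("frame too short")
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"), "vlan": None}
    off = 12
    (tl,) = struct.unpack_from("!H", frame, off)
    if tl == 0x8100:                       # 802.1Q tag (trunk capture)
        info["vlan"] = struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF
        off += 4
        (tl,) = struct.unpack_from("!H", frame, off)
    off += 2                               # off now points at LLC / payload
    if tl >= 0x0600:                       # EtherType, not an 802.3 length
        info["proto"] = f"Ethernet II 0x{tl:04x}"
        return info
    if len(frame) < off + 3:
        raise ValueError("truncated LLC header")
    dsap, ssap, ctrl = frame[off:off + 3]
    if (dsap, ssap) == (0x42, 0x42):       # plain IEEE spanning tree
        info["proto"] = "IEEE STP BPDU"
    elif (dsap, ssap, ctrl) == (0xAA, 0xAA, 0x03):
        if len(frame) < off + 8:
            raise ValueError("truncated SNAP header")
        oui = frame[off + 3:off + 6]
        (pid,) = struct.unpack_from("!H", frame, off + 6)
        if oui == b"\x00\x00\x0c":
            info["proto"] = CISCO_PIDS.get(pid, f"Cisco SNAP PID 0x{pid:04x}")
        else:
            info["proto"] = f"SNAP OUI {oui.hex()} PID 0x{pid:04x}"
    else:
        info["proto"] = f"LLC DSAP 0x{dsap:02x} SSAP 0x{ssap:02x}"
    return info

# Constructed sample frames: real header layout, zero-filled payload.
SRC = bytes.fromhex("020000000001")
PVST = bytes.fromhex("01000ccccccd") + SRC + bytes.fromhex("0032aaaa0300000c010b") + bytes(42)
PVST_TAGGED = PVST[:12] + bytes.fromhex("81000006") + PVST[12:]
IEEE = bytes.fromhex("0180c2000000") + SRC + bytes.fromhex("0026424203") + bytes(35)
VTP = bytes.fromhex("01000ccccccc") + SRC + bytes.fromhex("0032aaaa0300000c2003") + bytes(42)

if __name__ == "__main__":
    for f in (PVST, PVST_TAGGED, IEEE, VTP):
        print(classify(f))
```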

New Member

Re: SNAP frames on VLAN

Yes, you are correct. I do see where Ethereal identifies the frames that way.

What is really confusing to me is that on other VLANs, I can run open filter or set a capture filter for BPDU, and Sniffer identifies the captured frames AS BPDUs.....

I am not sure why on this VLAN they are showing up that way. I am trying to track down the MAC address originations of the frames...

New Member

Re: SNAP frames on VLAN

I might have an answer for you on that without really seeing the network. Are there any non-Cisco switches of any sort installed on this network? If so, do they have 802.1Q trunks enabled?

pw

New Member

Re: SNAP frames on VLAN

No. This VLAN is comprised solely of Cisco Switches.

Sometimes Linksys Wireless Routers are plugged in, but that would be all I am aware of.

Certainly nothing on the backbone but Cisco...

New Member

Re: SNAP frames on VLAN

Well, I can only conclude one of a couple of things.

1. The BPDUs you captured on other parts of the network were also PVST+ frames but you may have missed that on inspection of the capture. or,

2. Somebody has disabled PVST+ and is running MISTP (mono instance spanning tree protocol) in anticipation of having/joining an 802.1Q topology.

PVST+ is on by default for Catalyst 6000 switches. Maybe you could capture some of these other frames that are on other parts of the switched network that have a different destination address and no mention of PVST+? Also, if you can access the console of the CAT 6000, try this command:

show spantree X (where X is each VLAN)

The output should look something like this:

Console> (enable) show spantree 1
VLAN 1
Spanning tree mode PVST+
Spanning tree type ieee
.
Bridge ID MAC ADDR 00-d0-00-4c-18-00
Bridge ID Priority 32769 (bridge priority: 32768, sys ID ext: 1)
Bridge Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec

Then try running this command:

show spantree mistp-instance active

See if you get any output like this:

Console> (enable) show spantree mistp-instance active
Instance 1
Spanning tree mode MISTP-PVST+
Spanning tree type ieee
Spanning tree instance enabled
Designated Root 00-d0-00-4c-18-00
Designated Root Priority 32769 (root priority: 32768, sys ID ext: 1)
Designated Root Cost 0
Designated Root Port none
VLANs mapped: 6
Root Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec
Bridge ID MAC ADDR 00-d0-00-4c-18-00
Bridge ID Priority 32769 (bridge priority: 32768, sys ID ext: 1)
VLANs mapped: 6
Bridge Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec

If so, maybe somebody inadvertently turned on MISTP?

pw
