Hello!
Today I am more lazy than paranoid, so I will write a review of a “complex” search for, and isolation of, traffic that I do not want on my network. When I was preparing the statistics for my previous post about problems in a fast-growing network, I found that I had a lot of broadcast traffic with Ethernet protocol type 0x8899, and that this traffic was generated by some Cisco devices. We use Cisco switches only at some access-level points: several endpoints with one or two hosts (we reuse old devices left over after the modernization of the network) and some small desktop 8- or 10-port switches. In this situation we do not need any loop detection between different Cisco switches, and these 0x8899 packets look like their loop-detection mechanism. So I decided to block this traffic.

But the small switches are not managed. For a user of Huawei switches this is not a big problem. Let’s look at how to eliminate this traffic.

First of all, we need to find the source of the traffic. For this I used Wireshark, an application that can capture all the traffic that passes through the network adapter of your computer. At the beginning of the investigation I used the “broadcast” capture filter to see only broadcast traffic.

After finding the unwanted 0x8899 traffic, I changed the capture filter to “ether proto 0x8899” to simplify the search for the source of the flooding.

Now I have the MAC addresses of the flooders. But they probably send “good” traffic too, and that is why we will not block them completely. Instead we will block traffic by its protocol number, not by MAC address. To do that we can use a Layer 2 ACL on the Huawei switches.

ACL stands for Access Control List. It is a mechanism for matching traffic and acting on it, and there are many implementations of it. We will look at filtering packets with protocol 0x8899. To do that we use a special type of ACL with numbers from 4000 to 4999: the switch recognizes the type of the ACL by its number, so the number is important. Here is my configuration example:
acl 4010
 rule deny l2-protocol 0x8899
traffic classifier tc8899deny
 if-match acl 4010
 quit
traffic behavior tb8899deny
 deny
 quit
traffic policy tp8899deny
 classifier tc8899deny behavior tb8899deny
 quit
interface gigabitethernet 0/0/1
 traffic-policy tp8899deny inbound
 quit
As you can see, the ACL is used to find the traffic that matches its rule, and in the end the policy is assigned to an interface. Only that interface will filter its traffic; the others will not, which is good for CPU usage. But we need to find the interface where the traffic policy (and ACL) should be assigned. To do that I searched the MAC address tables of the switches for the MAC addresses that I had found with Wireshark. To do it faster, I started the search at the central switch.

Legend for the Wireshark screenshot:
(1) - the MAC addresses of the flooding devices;
(2) - the protocol number;
(3) - the source MAC address of the packet, with the digits we need for the search.
<VD-Optic-Switch>display mac-address | include 42bb
-------------------------------------------------------------------------------
MAC Address     VLAN/VSI   Learned-From   Type
-------------------------------------------------------------------------------
009e-1e17-42bb  4/-        GE0/0/6        dynamic
-------------------------------------------------------------------------------
Total items displayed = 266

Now I know where to search next: at the switch connected to the GE0/0/6 interface. It is simple to find it with eSight. Repeat this search on the next switch.

<Freilinskiy-Dom 2>display mac-address | include 42bb
-------------------------------------------------------------------------------
MAC Address     VLAN/VSI   Learned-From   Type
-------------------------------------------------------------------------------
009e-1e17-42bb  4/-        GE0/0/10       sticky
-------------------------------------------------------------------------------
Total items displayed = 171
Bingo! We found it on the GE0/0/10 interface, and that means it is the place to assign the traffic policy. I took my template and changed it a little so that the switch configuration can be changed quickly. Here it is:
sys
acl 4010
 rule deny l2-protocol 0x8899
traffic classifier tc8899deny
 if-match acl 4010
 quit
traffic behavior tb8899deny
 deny
 quit
traffic policy tp8899deny
 classifier tc8899deny behavior tb8899deny
 quit
interface gigabitethernet 0/0/10
 traffic-policy tp8899deny inbound
 quit
quit
save
yes
This template creates all the objects that we need and applies them to the interface. After that it saves the configuration of the switch.
I repeated this manipulation several times, and after that there was no annoying 0x8899 traffic left in my excellent VLAN.
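To tie the two halves of the post together, here is an added Python example (my own, not the author's; the frames are constructed, not captured) that does offline what the post does with Wireshark and the CLI: it counts frames per source MAC for one EtherType, so a MAC that also sends ordinary traffic is not blocked as a whole, and it renders the same ACL/classifier/behavior/policy template for a given interface. The names build_frame, parse_frame, count_flooders and huawei_l2_filter are mine.

```python
import struct
from collections import Counter

# Constructed sample frames, not a real capture: dst MAC, src MAC, optional 802.1Q tag, EtherType, payload.
def build_frame(dst, src, ethertype, payload, vlan=None):
    hdr = bytes.fromhex(dst.replace("-", "")) + bytes.fromhex(src.replace("-", ""))
    if vlan is not None:
        hdr += struct.pack("!HH", 0x8100, vlan)  # TPID + TCI (PCP/DEI zero, VID = vlan)
    return hdr + struct.pack("!H", ethertype) + payload

BROADCAST = "ffff-ffff-ffff"
FLOODER = "009e-1e17-42bb"  # the MAC the post tracks down to GE0/0/10
SAMPLE_FRAMES = (
    [build_frame(BROADCAST, FLOODER, 0x8899, b"\x00" * 46, vlan=4)] * 5  # the unwanted flood, VLAN 4
    + [build_frame(BROADCAST, "0011-2233-4455", 0x0806, b"\x00" * 28)]   # ARP broadcast, legitimate
    + [build_frame("0011-2233-4455", FLOODER, 0x0800, b"\x00" * 20)]     # IPv4 from the flooder: must survive
)

def parse_frame(frame):
    """Return (source MAC in Huawei xxxx-xxxx-xxxx form, EtherType), skipping one 802.1Q tag."""
    src_hex = frame[6:12].hex()
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype == 0x8100:  # VLAN-tagged: the real EtherType follows the 4-byte tag
        (etype,) = struct.unpack("!H", frame[16:18])
    return "-".join(src_hex[i:i + 4] for i in (0, 4, 8)), etype

def count_flooders(frames, ethertype=0x8899):
    """Offline equivalent of the 'ether proto 0x8899' capture filter: frames per source MAC."""
    return Counter(src for src, etype in map(parse_frame, frames) if etype == ethertype)

def huawei_l2_filter(acl_number, ethertype, interface, name="8899deny"):
    """Render the post's ACL / classifier / behavior / policy template for one inbound interface."""
    if not 4000 <= acl_number <= 4999:
        raise ValueError("Huawei Layer 2 ACLs use numbers 4000-4999")
    return f"""acl {acl_number}
 rule deny l2-protocol 0x{ethertype:04x}
traffic classifier tc{name}
 if-match acl {acl_number}
 quit
traffic behavior tb{name}
 deny
 quit
traffic policy tp{name}
 classifier tc{name} behavior tb{name}
 quit
interface {interface}
 traffic-policy tp{name} inbound
 quit"""
```

Calling count_flooders(SAMPLE_FRAMES) reports only the five 0x8899 frames from 009e-1e17-42bb, and huawei_l2_filter(4010, 0x8899, "gigabitethernet 0/0/10") prints the template the post applies on the second switch.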

Once again: I have loop detection based on the Huawei switches, and I do not need VLAN-wide loop detection with the “simple” switches. That is why I can block this traffic without problems.

