Evening

On Thu, 24 May 2001, Chris Wedgwood wrote:
> On Thu, May 24, 2001 at 06:01:39PM +1200, James Tyson wrote:
> > From what I understand (and remember) from the conversation I had with Tangent at 1am this morning their broadcast storm control has been going mental trying to compensate for weirdness that they say is _coming_ from APE.
> Storm? How many packets and what kind?
Sigh. Read back, Chris, there was an *enormous* packet storm last (Wednesday) night. From about 10pm to about midnight, when we finally got the Tangent port shut down, every port was running hard at 35Mb+ output, except the Tangent port which was running at about 50Mb+ input, with about 75% of that being broadcasts. It rendered APE insensible, I couldn't even ping the switch from the route server, it was working so hard. I listed the packet trace of the broadcasts in an earlier message, I won't bother doing so again.
> I was up there with a packet sniffer earlier today (so i could steal all your email) and i didn't see anything i could describe as a packet storm, the number of broadcasts was low, about two or three per second, mostly arp and some spanning tree from a couple of sources.
That's because the Tangent port was still turned off when you were sniffing. When I did turn it on again this morning, the storming did start again, but eased after a period of time, I think because Tangent were making changes. Today, we've seen some particularly weird stuff happening, mainly to do with spanning tree and odd VLAN stuff on other providers' switches. At this stage, we seem to have lost L2 connectivity between Attica and Netgate (according to Peter Mott), but that has apparently been worked around with a static route through IHUG. I'm assuming, given the lack of any better evidence, that this is somehow related to the spanning tree packets coming out of Clear, although I think that once we get the Clear spanning tree packets stopped, somebody else will start up.

So, that being the case, I've decided to get anal. My plan is to configure access to APE in much the same way as access is configured on WIX - block all MAC addresses that don't have an APE address associated with them, or a good justification for their existence. That means that packets from switches attached to APE will get dropped by the Citylink switch, which should stop most of the evil spanning tree plotting that the other switches seem to get up to. The downside is that moves, adds and changes will all have to go through the Citylink NOC before they'll work. I hope that won't be too much of a hassle - yawl presumably don't change ethernet interfaces on your APE routers that regularly.

So, here's my current filter plan. If you're responsible for an APE connection, please review the MAC addresses listed below, and make sure that any blocks I have planned for your connection won't cause a catastrophe. If a port you're responsible for isn't showing MACs at the moment, it might be worthwhile letting me know what MAC address you plan to use when that port is in use.
For the connections that only have one current MAC, I've already secured those ports - that's ports 3, 5 and 11-16 - those users shouldn't notice any difference in switch operation. For the remainder, unless somebody presents really compelling reasons not to, I'll initiate these filters late this (Friday) morning - sorry for the short notice, but we really do still have significant problems on APE, and I'd like to get them sorted before I get sucked into the mire of ISOCNZ.

Port 1 - Management VLAN (not on APE)
Port 2 - Quest, currently shut down - no MACs
Port 3 - Telecom (Global Gateway/Netgate)
    00d0.06cd.c400  192.203.154.48             Allowed
Port 4 - Ihug
    0050.0fb7.e04a                             Block
    0050.54d7.0320  192.203.154.36             Allow
Port 5 - Mercury Primary
    0090.2776.85d1  192.203.154.28             Allowed
Port 6 - Clearnet, and Plain
    00c0.ca18.0373  192.203.154.12 (Plain)     Allow
    00e0.52e9.c565                             Block
    00e0.52ea.fb65                             Block
    02e0.5209.ed01                             Block
Port 7 - Mercury (Backup?) - no MACs
Port 8 - Clear IP Express customers
    0002.7d36.9005                             Block
    0010.79cc.9800  192.203.154.8 (Clix)       Allow
    0050.7302.f222  192.203.154.45 (Zivo)      Allow
    0090.27bd.cacb  192.203.154.30 (Clear ?)   Allow
Port 9 - Unused
Port 10 - Telstra-Saturn
    0030.80b2.b903                             Block
    00e0.1ee9.10d0  192.203.154.32 (TS)        Allow
Port 11 - Asiaonline
    0003.6cea.cc54  192.203.154.44             Allowed
Port 12 - Xtra
    0010.14b6.4000  192.203.154.60             Allowed
Port 13 - Route Server 1
    0090.2770.dfe9  192.203.154.1              Allowed
Port 14 - Actrix
    02e0.3b0c.df04  192.203.154.16             Allowed
Port 15 - Route Server 2
    00c0.df25.f901  192.203.154.2              Allowed
Port 16 - Walker Wireless
    0001.638c.d838  192.203.154.49             Allowed
Port 17 - Tangent - no MACs
Port 18 - MBone router - no MACs
Port 19-24 - Unused

Cheers

Si
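An added example, written for this page and not part of the original posting, applying the filter plan above: a per-port allowlist built from the MACs the plan marks Allow/Allowed, a normaliser for the different MAC notations a switch or sniffer might print, and an audit of constructed (port, source MAC) observations. The function names and the sample observations are mine; no particular switch vendor or configuration syntax is assumed.

```python
import re

# Per-port allowlist copied from the plan above: port -> {MAC (dotted): APE address}.
# MACs the plan marks "Block" are simply absent, as are ports with no listed MAC.
ALLOWLIST = {
    3: {"00d0.06cd.c400": "192.203.154.48"},
    4: {"0050.54d7.0320": "192.203.154.36"},
    5: {"0090.2776.85d1": "192.203.154.28"},
    6: {"00c0.ca18.0373": "192.203.154.12"},
    8: {"0010.79cc.9800": "192.203.154.8", "0050.7302.f222": "192.203.154.45",
        "0090.27bd.cacb": "192.203.154.30"},
    10: {"00e0.1ee9.10d0": "192.203.154.32"},
    11: {"0003.6cea.cc54": "192.203.154.44"},
    12: {"0010.14b6.4000": "192.203.154.60"},
    13: {"0090.2770.dfe9": "192.203.154.1"},
    14: {"02e0.3b0c.df04": "192.203.154.16"},
    15: {"00c0.df25.f901": "192.203.154.2"},
    16: {"0001.638c.d838": "192.203.154.49"},
}

def normalise_mac(mac):
    """Accept dotted (00d0.06cd.c400), colon or dash notation; return dotted lowercase."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))

def verdict(port, mac):
    """'allow' only if the plan lists this MAC on this port; anything else is 'block'."""
    return "allow" if normalise_mac(mac) in ALLOWLIST.get(port, {}) else "block"

def audit(observed):
    """observed: iterable of (port, source MAC). Returns [(port, mac, verdict), ...]."""
    return [(port, normalise_mac(mac), verdict(port, mac)) for port, mac in observed]

if __name__ == "__main__":
    # Constructed sample of (port, source MAC) pairs, as a switch MAC table might list them.
    sample = [(4, "00:50:54:d7:03:20"),   # Ihug router: listed with an APE address
              (4, "0050.0fb7.e04a"),      # second Ihug MAC: marked Block in the plan
              (17, "0000.0c12.3456"),     # Tangent port: nothing listed, so nothing passes
              (8, "00-90-27-bd-ca-cb")]   # Clear: listed, accepted despite dash notation
    for port, mac, result in audit(sample):
        print(f"port {port:2d}  {mac}  {result}")
```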