ICX 6610 leaky vlan


TheCodeLife

New Member
Mar 29, 2019
I've recently been having some issues with losing internet connectivity and I've been blaming my ISP. However, after additional investigation, I'm not entirely sure it's the ISP at fault. I have a few port based vlans on my switch. One vlan is specifically to allow monitoring traffic between my router and the ONT provided by my ISP. I performed a packet capture by mirroring the port the ONT connects to and I discovered DHCP requests from other vlans in my network which the ISP was responding to.

At that point, I decided to create a vlan with a single port and run a packet capture on that port. I discovered ARP broadcasts and UDP broadcasts in my single port vlan. The broadcasts were coming from vlans 2 and 3 primarily, but some were also coming from vlan 10 (vlan config below). The attached picture shows some of the packet capture displaying the broadcasts showing up in vlan 4. Does anyone know what I can do to prevent any packets crossing vlan boundaries?

Code:
PORT-VLAN 1, Name DEFAULT-VLAN, Priority level0, Spanning tree Off
 Untagged Ports: None
   Tagged Ports: None
   Uplink Ports: None
 DualMode Ports: None
 Mac-Vlan Ports: None
     Monitoring: Disabled

PORT-VLAN 2, Name INTERNET, Priority level0, Spanning tree Off
 Untagged Ports: (U1/M1)  46  47  48
   Tagged Ports: None
   Uplink Ports: None
 DualMode Ports: None
 Mac-Vlan Ports: None
     Monitoring: Disabled

PORT-VLAN 3, Name IP_CAMERAS, Priority level0, Spanning tree Off
 Untagged Ports: (U1/M1)  37  38  39  40  41  42  43  44
   Tagged Ports: None
   Uplink Ports: None
 DualMode Ports: None
 Mac-Vlan Ports: None
     Monitoring: Disabled

PORT-VLAN 4, Name [None], Priority level0, Spanning tree Off
 Untagged Ports: (U1/M1)   3
   Tagged Ports: None
   Uplink Ports: None
 DualMode Ports: None
 Mac-Vlan Ports: None
     Monitoring: Disabled

PORT-VLAN 10, Name [None], Priority level0, Spanning tree Off
 Untagged Ports: (U1/M1)   1   2   4   5   6   7   8   9  10  11  12  13
 Untagged Ports: (U1/M1)  14  15  16  17  18  19  20  21  22  23  24  25
 Untagged Ports: (U1/M1)  26  27  28  29  30  31  32  33  34  35  36  45

 Untagged Ports: (U1/M2)   1   2   3   4   5   6   7   8   9  10
 Untagged Ports: (U1/M3)   1   2   3   4   5   6   7   8
   Tagged Ports: None
   Uplink Ports: None
 DualMode Ports: None
 Mac-Vlan Ports: None
     Monitoring: Disabled
 

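The capture described in the post above (broadcasts from VLANs 2, 3 and 10 showing up on a single-port VLAN) can be triaged by classifying each frame's source address against the subnet each VLAN is supposed to use. The following script is an added example, not code from the thread or from the switch vendor: it reads a constructed "proto src dst" capture summary and counts frames whose source belongs to a VLAN other than the one captured on. The 192.168.237.0/24 (VLAN 10) and 192.168.1.0/24 (VLAN 1) subnets come from the `show ip interface` output later in the thread; the subnets for VLANs 2, 3 and 4 are assumed placeholders, as is the capture format.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# VLAN -> subnet map used to decide which VLAN a frame's source belongs to.
# VLAN 10 = 192.168.237.0/24 and VLAN 1 = 192.168.1.0/24 come from the
# "show ip interface" output in the thread; the VLAN 2/3/4 subnets are
# assumed placeholders, since the thread never shows their addressing.
VLAN_SUBNETS = {
    1: ipaddress.ip_network("192.168.1.0/24"),
    10: ipaddress.ip_network("192.168.237.0/24"),
    2: ipaddress.ip_network("10.0.2.0/24"),  # assumed
    3: ipaddress.ip_network("10.0.3.0/24"),  # assumed
    4: ipaddress.ip_network("10.0.4.0/24"),  # assumed
}

# Constructed sample capture in a simple "proto src_ip dst_ip" form, standing
# in for what a capture on the single-port VLAN 4 might contain. Not a real
# pcap and not the poster's attachment.
SAMPLE_CAPTURE = """\
ARP 192.168.237.15 192.168.237.1
UDP 192.168.237.20 255.255.255.255
UDP 0.0.0.0 255.255.255.255
ARP 10.0.2.5 10.0.2.1
ARP 10.0.3.7 10.0.3.1
UDP 10.0.4.2 255.255.255.255
"""


@dataclass(frozen=True)
class Frame:
    proto: str
    src_ip: str
    dst_ip: str


def parse_capture(text):
    """Parse the constructed 'proto src dst' lines into Frame records."""
    frames = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        frames.append(Frame(*parts))
    return frames


def source_vlan(ip):
    """Return the VLAN whose subnet contains ip, or None if it fits none."""
    addr = ipaddress.ip_address(ip)
    for vlan, net in VLAN_SUBNETS.items():
        if addr in net:
            return vlan
    return None


def find_leaks(frames, capture_vlan):
    """Count frames on capture_vlan whose source belongs to another VLAN.

    Returns (leaks_by_vlan, unknown): leaks_by_vlan maps the offending
    source VLAN to a frame count; unknown counts frames whose source cannot
    be placed at all (a DHCP DISCOVER is sent from 0.0.0.0, so on its own it
    is inconclusive about which VLAN it came from).
    """
    leaks = Counter()
    unknown = 0
    for f in frames:
        vlan = source_vlan(f.src_ip)
        if vlan is None:
            unknown += 1
        elif vlan != capture_vlan:
            leaks[vlan] += 1
    return dict(leaks), unknown


if __name__ == "__main__":
    leaks, unknown = find_leaks(parse_capture(SAMPLE_CAPTURE), capture_vlan=4)
    for vlan, n in sorted(leaks.items()):
        print(f"VLAN {vlan}: {n} frame(s) seen on VLAN 4")
    print(f"{unknown} frame(s) with a source that fits no known subnet")
```

On the constructed sample this reports two frames from VLAN 10 and one each from VLANs 2 and 3, plus one unplaceable DHCP frame. A clean result on an isolated port is an empty leak map; anything else points either at the switch's VLAN membership or, as the later reply in the thread suggests, at the mirror configuration of the capture port itself.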

TheCodeLife

New Member
Mar 29, 2019
All of the internet related stuff is on VLAN 2. The ONT plugs into port 47 and the router plugs into port 46. Port 48 is unused at the moment, but it's what I usually use as a mirror port. Another port on my router connects to port 45 in VLAN 10, which is the VLAN for most of my other equipment.
 

TheCodeLife

New Member
Mar 29, 2019
I have two virtual interfaces. I don't know how to check what a vlan's router interface is. Here is the configuration for the show ip interface command:
Code:
Interface           IP-Address      OK?  Method    Status             Protocol   VRF
Ve 1                192.168.1.2     YES  manual    down               down       default-vrf
Ve 10               192.168.237.2   YES  manual    up                 up         default-vrf
Here is the show ip interface ve 1 command:
Code:
Interface Ve 1
  members: none
  active: none
  port enabled
  port state: DOWN
  ip address: 192.168.1.2       subnet mask: 255.255.255.0
  Port belongs to VRF: default-vrf
  encapsulation: ETHERNET, mtu: 1500, metric: 1
  directed-broadcast-forwarding: disabled
  ICMP redirect: enabled
  proxy-arp: disabled
  ip arp-age:  10 minutes
  no delay in notification
  No Helper Addresses are configured.
  No inbound ip access-list is set
  No outgoing ip access-list is set
And here is the show ip interface ve 10 command:
Code:
Interface Ve 10
  members: ethe 1/1/1 to 1/1/2 ethe 1/1/4 to 1/1/36 ethe 1/1/45 ethe 1/2/1 to 1/2/10 ethe 1/3/1 to 1/3/8
  active: ethe 1/1/1 ethe 1/1/5 ethe 1/1/12 to 1/1/14 ethe 1/1/20 ethe 1/1/22 to 1/1/23 ethe 1/1/45 ethe 1/2/3 ethe 1/2/6 ethe 1/3/1 to 1/3/2 ethe 1/3/4
  port enabled
  port state: UP
  ip address: 192.168.237.2     subnet mask: 255.255.255.0
  Port belongs to VRF: default-vrf
  encapsulation: ETHERNET, mtu: 1500, metric: 1
  directed-broadcast-forwarding: disabled
  ICMP redirect: enabled
  proxy-arp: disabled
  ip arp-age:  10 minutes
  no delay in notification
  No Helper Addresses are configured.
  No inbound ip access-list is set
  No outgoing ip access-list is set
If you know what I can do to display the routing interfaces, that would be great! If I type "show route-map", the response is "No route-maps are configured!" I don't recall ever setting up a routing interface for VLAN 2, but I'd be happy to know how to check it.
 

TheCodeLife

New Member
Mar 29, 2019
Thanks! Here are the results:
Code:
Port       Link    State   Dupl Speed Trunk Tag Pvid Pri MAC             Name
1/1/1      Up      Forward Full 1G    None  No  10   0   cc4e.2482.dcf4
1/1/2      Down    None    None None  None  No  10   0   cc4e.2482.dcf4
1/1/3      Up      Forward Full 1G    None  No  4    0   cc4e.2482.dcf6
1/1/4      Down    None    None None  None  No  10   0   cc4e.2482.dcf4
1/1/5      Up      Forward Full 1G    None  No  10   0   cc4e.2482.dcf4
1/1/6      Down    None    None None  None  No  10   0   cc4e.2482.dcf4
1/1/7      Down    None    None None  None  No  10   0   cc4e.2482.dcf4
1/1/8      Down    None    None None  None  No  10   0   cc4e.2482.dcf4
1/1/9      Down    None    None None  None  No  10   0   cc4e.2482.dcf4
1/1/10     Down    None    None None  None  No  10   0   cc4e.2482.dcf4
1/1/11     Down    None    None None  None  No  10   0   cc4e.2482.dcf4
1/1/12     Up      Forward Half 10M   None  No  10   0   cc4e.2482.dcf4
1/1/13     Up      Forward Full 1G    None  No  10   0   cc4e.2482.dcf4
1/1/14     Up      Forward Full 100M  None  No  10   0   cc4e.2482.dcf4
1/1/15     Down    None    None None  None  No  10   0   cc4e.2482.dcf4
1/1/16     Down    None    None None  None  No  10   0   cc4e.2482.dcf4
1/1/17     Down    None    None None  None  No  10   0   cc4e.2482.dcf4
1/1/18     Down    None    None None  None  No  10   0   cc4e.2482.dcf4
1/1/19     Down    None    None None  None  No  10   0   cc4e.2482.dcf4
1/1/20     Up      Forward Full 1G    None  No  10   0   cc4e.2482.dcf4
1/1/21     Down    None    None None  None  No  10   0   cc4e.2482.dcf4
1/1/22     Up      Forward Full 1G    None  No  10   0   cc4e.2482.dcf4
1/1/23     Up      Forward Full 1G    None  No  10   0   cc4e.2482.dcf4
1/1/24     Down    None    None None  None  No  10   0   cc4e.2482.dcf4
1/1/25     Down    None    None None  None  No  10   0   cc4e.2482.dcf4
1/1/26     Down    None    None None  None  No  10   0   cc4e.2482.dcf4
1/1/27     Down    None    None None  None  No  10   0   cc4e.2482.dcf4
1/1/28     Down    None    None None  None  No  10   0   cc4e.2482.dcf4
1/1/29     Down    None    None None  None  No  10   0   cc4e.2482.dcf4
1/1/30     Down    None    None None  None  No  10   0   cc4e.2482.dcf4
1/1/31     Down    None    None None  None  No  10   0   cc4e.2482.dcf4
1/1/32     Down    None    None None  None  No  10   0   cc4e.2482.dcf4
1/1/33     Down    None    None None  None  No  10   0   cc4e.2482.dcf4
1/1/34     Down    None    None None  None  No  10   0   cc4e.2482.dcf4
1/1/35     Down    None    None None  None  No  10   0   cc4e.2482.dcf4
1/1/36     Down    None    None None  None  No  10   0   cc4e.2482.dcf4
1/1/37     Up      Forward Full 100M  None  No  3    0   cc4e.2482.dd18
1/1/38     Down    None    None None  None  No  3    0   cc4e.2482.dd19
1/1/39     Down    None    None None  None  No  3    0   cc4e.2482.dd1a
1/1/40     Down    None    None None  None  No  3    0   cc4e.2482.dd1b
1/1/41     Down    None    None None  None  No  3    0   cc4e.2482.dd1c
1/1/42     Down    None    None None  None  No  3    0   cc4e.2482.dd1d
1/1/43     Down    None    None None  None  No  3    0   cc4e.2482.dd1e
1/1/44     Up      Forward Full 1G    None  No  3    0   cc4e.2482.dd1f
1/1/45     Up      Forward Full 1G    None  No  10   0   cc4e.2482.dcf4
1/1/46     Up      Forward Full 1G    None  No  2    0   cc4e.2482.dd21
1/1/47     Up      Forward Full 1G    None  No  2    0   cc4e.2482.dd22
1/1/48     Down    None    None None  None  No  2    0   cc4e.2482.dd23
1/2/1      Down    None    None None  None  No  10   0   cc4e.2482.dcf4
1/2/2      Down    None    None None  None  No  10   0   cc4e.2482.dcf4
1/2/3      Up      Forward Full 10G   None  No  10   0   cc4e.2482.dcf4
1/2/4      Down    None    None None  None  No  10   0   cc4e.2482.dcf4
1/2/5      Down    None    None None  None  No  10   0   cc4e.2482.dcf4
1/2/6      Up      Forward Full 40G   None  No  10   0   cc4e.2482.dcf4
1/2/7      Down    None    None None  None  No  10   0   cc4e.2482.dcf4
1/2/8      Down    None    None None  None  No  10   0   cc4e.2482.dcf4
1/2/9      Down    None    None None  None  No  10   0   cc4e.2482.dcf4
1/2/10     Down    None    None None  None  No  10   0   cc4e.2482.dcf4
1/3/1      Up      Forward Full 1G    None  No  10   0   cc4e.2482.dcf4
1/3/2      Up      Forward Full 10G   None  No  10   0   cc4e.2482.dcf4
1/3/3      Down    None    None None  None  No  10   0   cc4e.2482.dcf4
1/3/4      Up      Forward Full 10G   None  No  10   0   cc4e.2482.dcf4
1/3/5      Down    None    None None  None  No  10   0   cc4e.2482.dcf4
1/3/6      Down    None    None None  None  No  10   0   cc4e.2482.dcf4
1/3/7      Down    None    None None  None  No  10   0   cc4e.2482.dcf4
1/3/8      Down    None    None None  None  No  10   0   cc4e.2482.dcf4
mgmt1      Down    None    None None  None  No  None 0   cc4e.2482.dcf4

Port       Link    State   Dupl Speed Trunk Tag Pvid Pri MAC             Name
ve1        Down    N/A     N/A  N/A   None  N/A N/A  N/A cc4e.2482.dcf4
ve10       Up      N/A     N/A  N/A   None  N/A N/A  N/A cc4e.2482.dcf4
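The `show vlan` listing in the first post and the `show interfaces brief` table above together describe where every port should sit: each access port should be untagged in exactly one VLAN, and its PVID should name that same VLAN. The script below is an added example, not something from the thread or from the ICX firmware: it parses both output formats and reports any port untagged in more than one VLAN, any PVID that disagrees with the membership listing, and any port flagged as tagged (which legitimately carries several VLANs and so deserves a look). The embedded samples are constructed subsets of the thread's output with two deliberate inconsistencies added (port 1/1/45 listed in both VLAN 2 and VLAN 10, port 1/1/4 with PVID 4) and one constructed tagged row (1/3/2) so that each check has something to find.

```python
import re
from collections import defaultdict

# Constructed subset of the thread's "show vlan" output. Port 45 has been
# added to VLAN 2 here on purpose (on the real switch it is only in VLAN 10)
# so that the audit has a double membership to catch.
VLAN_OUTPUT = """\
PORT-VLAN 2, Name INTERNET, Priority level0, Spanning tree Off
 Untagged Ports: (U1/M1)  45  46  47  48
   Tagged Ports: None

PORT-VLAN 4, Name [None], Priority level0, Spanning tree Off
 Untagged Ports: (U1/M1)   3
   Tagged Ports: None

PORT-VLAN 10, Name [None], Priority level0, Spanning tree Off
 Untagged Ports: (U1/M1)   1   2   4   5  45
 Untagged Ports: (U1/M2)   1   2   3
   Tagged Ports: None
"""

# Constructed subset of "show interfaces brief". Port 1/1/4 carries PVID 4
# here although the VLAN listing puts it in VLAN 10 (a PVID mismatch), and
# the 1/3/2 row with Tag=Yes is constructed; the thread shows Tag=No for all.
BRIEF_OUTPUT = """\
Port       Link    State   Dupl Speed Trunk Tag Pvid Pri MAC             Name
1/1/1      Up      Forward Full 1G    None  No  10   0   cc4e.2482.dcf4
1/1/2      Down    None    None None  None  No  10   0   cc4e.2482.dcf4
1/1/3      Up      Forward Full 1G    None  No  4    0   cc4e.2482.dcf6
1/1/4      Down    None    None None  None  No  4    0   cc4e.2482.dcf4
1/1/5      Up      Forward Full 1G    None  No  10   0   cc4e.2482.dcf4
1/1/45     Up      Forward Full 1G    None  No  10   0   cc4e.2482.dcf4
1/1/46     Up      Forward Full 1G    None  No  2    0   cc4e.2482.dd21
1/1/47     Up      Forward Full 1G    None  No  2    0   cc4e.2482.dd22
1/1/48     Down    None    None None  None  No  2    0   cc4e.2482.dd23
1/2/1      Down    None    None None  None  No  10   0   cc4e.2482.dcf4
1/2/2      Down    None    None None  None  No  10   0   cc4e.2482.dcf4
1/2/3      Up      Forward Full 10G   None  No  10   0   cc4e.2482.dcf4
1/3/2      Up      Forward Full 10G   None  Yes 10   0   cc4e.2482.dcf4
"""

VLAN_HDR = re.compile(r"^PORT-VLAN (\d+),")
# "(U1/M1)" is the ICX unit/module prefix; the numbers after it are ports.
UNTAGGED = re.compile(r"^\s*Untagged Ports: \(U(\d+)/M(\d+)\)\s+(.+)$")
PORT_ROW = re.compile(r"^(\d+/\d+/\d+)\s")


def parse_vlan_membership(text):
    """Map each untagged port (unit/module/port) to the set of VLANs listing it."""
    members = defaultdict(set)
    vlan = None
    for line in text.splitlines():
        m = VLAN_HDR.match(line)
        if m:
            vlan = int(m.group(1))
            continue
        m = UNTAGGED.match(line)
        if m and vlan is not None:
            unit, module, ports = m.groups()
            for p in ports.split():
                members[f"{unit}/{module}/{p}"].add(vlan)
    return dict(members)


def parse_brief(text):
    """Map each physical port row to its (pvid, tagged) pair."""
    rows = {}
    for line in text.splitlines():
        if PORT_ROW.match(line):
            cols = line.split()
            # Columns: Port Link State Dupl Speed Trunk Tag Pvid Pri MAC [Name]
            rows[cols[0]] = (int(cols[7]), cols[6] == "Yes")
    return rows


def audit(members, rows):
    """Return (port, reason, detail) triples for every inconsistency found."""
    findings = []
    for port, vlans in sorted(members.items()):
        if len(vlans) > 1:
            findings.append((port, "untagged in multiple VLANs", sorted(vlans)))
    for port, (pvid, tagged) in sorted(rows.items()):
        vlans = members.get(port, set())
        if vlans and pvid not in vlans:
            findings.append((port, "PVID not in VLAN membership", [pvid, sorted(vlans)]))
        if tagged:
            findings.append((port, "tagged port carries multiple VLANs", [pvid]))
    return findings


if __name__ == "__main__":
    for port, reason, detail in audit(parse_vlan_membership(VLAN_OUTPUT),
                                      parse_brief(BRIEF_OUTPUT)):
        print(f"{port}: {reason} {detail}")
```

Run against the full output from the thread (with the constructed inconsistencies absent) the audit returns nothing, which is consistent with the later observation that the leak was tied to the mirror port rather than to VLAN membership; the same two commands, rerun after any change, give a quick before/after check.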
 

TheCodeLife

New Member
Mar 29, 2019
So, strangely enough, after a switch reboot, the vlans are no longer leaking. I don't understand what the cause was in the first place, but at least everything seems to be appropriately isolated now.
 

fohdeesha

Kaini Industries
Nov 20, 2016
fohdeesha.com
TheCodeLife said:
So, strangely enough, after a switch reboot, the vlans are no longer leaking. I don't understand what the cause was in the first place, but at least everything seems to be appropriately isolated now.
My guess is it had something to do with the mirror port and the way you configured it, and the VLANs were never leaking over live ports, just your mirror port. I've deployed these things everywhere, and if they ever leaked traffic onto live (not mirror) ports like your pcap shows, it would have set off alarm bells everywhere.