Spanning-Tree packets stop switch traffic

From Noah.org
Jump to: navigation, search


We had a bad shipment of Lenovo ThinkPads (T430s) which would occasionally lock up and leave the NIC spewing endless Spanning-Tree control pause packets. These packets tell the switch to temporarily stop sending data. At first I suspected a DOS attack, but it would only happen when a laptop would lock up. The switch with the crashed laptop would cause the network to hang for everyone connected to the same switch.

Wireshark shows almost 60 packets per second like this:

source: 00:00:00_00:00:00
destination: Spanning-tree-(for-bridges)_01(01:80:C2:00:00:01)
protocol: MAC CTRL
length: 60
info: MAC PAUSE: pause_time: 65535 quanta

The full dump of one of these packets looked like this:

0180c200000100000000000088080001
ffff0000000000000000000000000000
00000000000000000000000000000000
000000000000000000000000

0180c2000001 01:80:C2:00:00:01 0180.C200.0001 01-80-C2-00-00-01

The MAC Control PAUSE frame is sent to multicast address 01:80:C2:00:00:01 to tell the receiver to wait before sending more frames. The MAC Control frame is defined in the MAC Control Sublayer by IEEE 802.3x. See Ethernet flow control.