Hello,
I am just writing to inquire as to the purpose of Ethertype 0x0027. We are using MPLS, and were just planning a DDoS prevention strategy on our network and were losing connectivity to the MikroTik with a simulated DDoS attack.
Every time, even though were were prioritizing LDP, RSVP, OSPF, etc., we would lose connectivity to the far router with a DDoS attack. I was not sure what was going on, I knew there was obviously some traffic that we were not tagging as priority, so I placed a bridge on the egress interface and set up a bridge filter rule to log any traffic that was no-mark. There were mystery packets that had ethertype 0x0027. We created a rule to prioritize those packets (matching MAC protocol number 27) and suddenly we had stable connectivity.
However, I cannot find any documentation anywhere as to what Ethertype 0x0027 *is*. I would like to have some basic understanding as to why this traffic occurs and why this change has solved our problem. Any input would be appreciated.
MikroTik Ethertype 0x0027 purpose (MPLS)?
You do not have the required permissions to view the files attached to this post.
Re: MikroTik Ethertype 0x0027 purpose (MPLS)?
I see that the destination mac for these frames (01-80-C2-00-00-00) is a multicast address used by spanning-tree protocol - could these be STP? I read somewhere different ethertypes for STP so I am not completely convinced of this. I also saw one reference that might indicate ethertype 0x27 is somehow used for LLCP (Logical Link Control Protocol). If anybody could confirm the purpose of these packets, and why prioritizing them seems to solve my issues, it would be greatly appreciated.
Re: MikroTik Ethertype 0x0027 purpose (MPLS)?
You can try capturing these frames with the packet sniffer.
Then upload the file to this foum for investigation.
Then upload the file to this foum for investigation.
Re: MikroTik Ethertype 0x0027 purpose (MPLS)?
Seeing 0x0027 in the "EtherType" (bytes 12-13 in the frame) field means that it isn't an "Ethernet II" frame, but rather an 802.3 frame; and that isn't actually an "EtherType", but rather a length field (39 bytes, in this case).
To see exactly what sort of packet it is, you would need to look at the last two bytes of the "SNAP" field (bytes 20-21 in the frame). Those should correspond to the "EtherType".
In practice, it's almost always STP. Not many other common protocols actually use 802.3 framing.
--Eric
To see exactly what sort of packet it is, you would need to look at the last two bytes of the "SNAP" field (bytes 20-21 in the frame). Those should correspond to the "EtherType".
In practice, it's almost always STP. Not many other common protocols actually use 802.3 framing.
--Eric