C4K_L2MAN-6-INVALIDSOURCEADDRESSPACKET

Unanswered Question
Aug 6th, 2007

I am having an issue with a flapping backbone link as detailed in the log below:

Aug 3 14:38:30: %C4K_L2MAN-6-INVALIDSOURCEADDRESSPACKET: (Suppressed 749 times)

Packet received with invalid source MAC address (45:42:55:47:3D:57) on port Gi4/

2 in vlan 14

Aug 5 17:06:23: %C4K_L2MAN-6-INVALIDSOURCEADDRESSPACKET: (Suppressed 477 times)

Packet received with invalid source MAC address (45:42:55:47:3D:57) on port Gi4/

2 in vlan 14

Aug 6 08:22:44: %C4K_L2MAN-6-INVALIDSOURCEADDRESSPACKET: (Suppressed 199 times)

Packet received with invalid source MAC address (45:42:55:47:3D:57) on port Gi4/

2 in vlan 14

Port Gi4/2 is a link to another switch and drops connectivity each time it flags an invalidsourceaddresspacket in the logs.

Device is a Cisco 4507 and the device that resides on port Gi4/2 is a Dell 3448p (I had no say in this project's design unfortunately).

Anyone have an idea of where to begin? I have some VoIP switches plugged up to the Dell switch and they are dropping with the switch so it is a bit urgent hehe. Any help is appreciated. Thanks!

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
wochanda Mon, 08/06/2007 - 10:49

The reason we're choking on these frames is because they're being sourced from a multicast MAC address. The LSB of the first byte of the MAC address is the multicast flag. If you're looking at a hex MAC address, you know it is multicast if the 2nd number from the left is odd. In your case, the 2nd number in is 5, which indicates it is multicast.

Since the switch wont install multicast/broadcast MAC addresses in the CAM table, we throw this error. Since it tell us which port the invalid packets are coming from, it gives us a direction to troubleshoot.

If the Dell switch is a managed switch, i'd look at 2 things:

1. The event log to see if they run the same checks we do on ingress frames

2. If nothing is in the event logs, maybe it is programmed to learn these mac addresses. I'd look at the mac-address table of the Dell then to see which port we're learning it on.

If the switch is unmanaged, or the 2 steps above dont give away the position of the funky source, I would set up a SPAN session of 4/2 on the 4k and send it to a port connected to a sniffer. Once I was sniffing the traffic, I would start yanking cables on the Dell switch until these packets went away.

blakewebb Mon, 08/06/2007 - 12:31

Unfortunately I already tried sourcing that address to a port on the Dell switch and I haven't been able to see this MAC listed. Also, I have throttled logging up on the Dell to hopefully get some more insight but it does not appear that they run the same checks.

If possible, could you provide me the syntax for setting up the SPAN session? I'm browsing for it as well but no sense in wasting effort if you're able to get back to me before I figure it out. Thanks a ton for the help :)

wochanda Mon, 08/06/2007 - 16:47

monitor session 1 source interface g3/11 rx

monitor session 1 destination interface g3/4

That'll copy everything coming into 3/11 to 3/4

Actions

This Discussion