show mac-address table error

Unanswered Question
Nov 14th, 2007


we have a core switch 3750 on which are attached a Firewall and several access switches in trunk mode.

We have several VLAN, the L3 between the VLAN is done by the Firewall and in the same time he apply the security policy between them.

We have the following problem

Machine 0006.5bf7.e5b5 is directly attached to port Gi1/0/14 on the 3750

We run the following command:

3750# sh mac-address-table | include 0006.5bf7.e5b5

3 0006.5bf7.e5b5 DYNAMIC Gi1/0/25

6 0006.5bf7.e5b5 DYNAMIC Gi1/0/14

18 0006.5bf7.e5b5 DYNAMIC Gi1/0/25

9 0006.5bf7.e5b5 DYNAMIC Gi1/0/25

Why the same mac-address is shown also on the trunk interfaces that connect the other switches and why are they assigned to different VLANS?

Another example

On a 3548 connected in trunk to the 3750 core there's the client 0001.6cca.c5e6 that is directly connected to port fa0/33, if we run the command on the 3548 the result is correct:

sw3548#sh mac-address-table | include 0001.6cca.c5e6

0001.6cca.c5e6 Dynamic 18 FastEthernet0/33

If we run the command on the 3750

3750#sh mac-address-table | include 0001.6cca.c5e6

3 0001.6cca.c5e6 DYNAMIC Gi1/0/25

18 0001.6cca.c5e6 DYNAMIC Gi1/0/27

The entry on port gi/0/27 is correct because this is the trunk port to the 3548 but why the other entry?

Any idea?

Thank you.


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3 (1 ratings)
Kevin Dorrell Wed, 11/14/2007 - 06:09

The first thing I would look at is the functionality of the firewall. Is it possible that it is routing between the VLANs without substituting its own MAC address - a sort of "transparent" mode? Have a look at the switch where the firewall is attached, and see if all these spurious entries converge there.

What sort of firewall is it?

The other thought is that if it isn't the firewall, then someone has taken a switch and used it to bridge the VLANs to each other. Again, the technique is to follow the spurious entries back to their source, and you will probably find they all converge on the offending element.

Kevin Dorrell


acleri Wed, 11/14/2007 - 06:24

Hi Kevin,

In effect the problem is on all the switches directly connected with the trunk ports to the firewall.

The firewall is a Clavister and the arp table does not contain multiple entry, all entry are in the correct VLAN.

Could you please explain me better what do you mean with "Is it possible that it is routing between the VLANs without substituting its own MAC address - a sort of "transparent" mode?"

Thank you.


Kevin Dorrell Wed, 11/14/2007 - 06:30

Acle, I don't know the Clavister firewall, but I'm speculating about how it behaves from the evidence of your MAC forwarding table.

I looks to me like the firewall is receiving a packet on VLAN 3, realising it has to forward it on VLAN 18, and forwards it transparently with its orginal MAC source address. (Most routers would substitute their own MAC address as source when they forward, so you would only see the router's MAC address in the forwarding table of the remote VLAN.)

The only way you will find out for sure is with a sniffer.

Kevin Dorrell


acleri Wed, 11/14/2007 - 06:33

Kevin, OK clear. I'll check it with a sniffer.

I'll keep you updated.

Thank you for your precious help.



This Discussion