Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1453
Views
3
Helpful
4
Replies

show mac-address table error

acleri
Level 1
Level 1

‎11-14-2007 05:35 AM - edited ‎03-05-2019 07:25 PM

Hi,

we have a core switch 3750 on which are attached a Firewall and several access switches in trunk mode.

We have several VLAN, the L3 between the VLAN is done by the Firewall and in the same time he apply the security policy between them.

We have the following problem

Machine 0006.5bf7.e5b5 is directly attached to port Gi1/0/14 on the 3750

We run the following command:

3750# sh mac-address-table | include 0006.5bf7.e5b5

3 0006.5bf7.e5b5 DYNAMIC Gi1/0/25

6 0006.5bf7.e5b5 DYNAMIC Gi1/0/14

18 0006.5bf7.e5b5 DYNAMIC Gi1/0/25

9 0006.5bf7.e5b5 DYNAMIC Gi1/0/25

Why the same mac-address is shown also on the trunk interfaces that connect the other switches and why are they assigned to different VLANS?

Another example

On a 3548 connected in trunk to the 3750 core there's the client 0001.6cca.c5e6 that is directly connected to port fa0/33, if we run the command on the 3548 the result is correct:

sw3548#sh mac-address-table | include 0001.6cca.c5e6

0001.6cca.c5e6 Dynamic 18 FastEthernet0/33

If we run the command on the 3750

3750#sh mac-address-table | include 0001.6cca.c5e6

3 0001.6cca.c5e6 DYNAMIC Gi1/0/25

18 0001.6cca.c5e6 DYNAMIC Gi1/0/27

The entry on port gi/0/27 is correct because this is the trunk port to the 3548 but why the other entry?

Any idea?

Thank you.

acle

Labels:
0 Helpful
4 Replies 4

Kevin Dorrell
Level 10
Level 10

‎11-14-2007 06:09 AM

The first thing I would look at is the functionality of the firewall. Is it possible that it is routing between the VLANs without substituting its own MAC address - a sort of "transparent" mode? Have a look at the switch where the firewall is attached, and see if all these spurious entries converge there.

What sort of firewall is it?

The other thought is that if it isn't the firewall, then someone has taken a switch and used it to bridge the VLANs to each other. Again, the technique is to follow the spurious entries back to their source, and you will probably find they all converge on the offending element.

Kevin Dorrell

Luxembourg

0 Helpful

acleri
Level 1
Level 1
In response to Kevin Dorrell

‎11-14-2007 06:24 AM

Hi Kevin,

In effect the problem is on all the switches directly connected with the trunk ports to the firewall.

The firewall is a Clavister and the arp table does not contain multiple entry, all entry are in the correct VLAN.

Could you please explain me better what do you mean with "Is it possible that it is routing between the VLANs without substituting its own MAC address - a sort of "transparent" mode?"

Thank you.

acle

0 Helpful

Kevin Dorrell
Level 10
Level 10
In response to acleri

‎11-14-2007 06:30 AM

Acle, I don't know the Clavister firewall, but I'm speculating about how it behaves from the evidence of your MAC forwarding table.

I looks to me like the firewall is receiving a packet on VLAN 3, realising it has to forward it on VLAN 18, and forwards it transparently with its orginal MAC source address. (Most routers would substitute their own MAC address as source when they forward, so you would only see the router's MAC address in the forwarding table of the remote VLAN.)

The only way you will find out for sure is with a sniffer.

Kevin Dorrell

Luxembourg

acleri
Level 1
Level 1
In response to Kevin Dorrell

‎11-14-2007 06:33 AM

Kevin, OK clear. I'll check it with a sniffer.

I'll keep you updated.

Thank you for your precious help.

acle

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card