I concur with Rick, and add that you should be able to see from where the packet are sent with "show mac-address-table address ".

I was thinking this must be a rogue host, but the source mac address (00:18:74:1D:05:BC) of every packet is the 6500.

If I do a "sh arp | include 0018.741d.05bc" in the MSFC, it resolves to all 64 layer3 VLAN interfaces I have configured on the MSFC.

If I do a "sh cam 00-18-74-1d-05-bc" on the switch, it points to destination 15/1 (the MSFC), as shown in the snippet below.

VLAN Dest MAC/Route Des [CoS] Destination

---- ------------------ ----- -----------

2 00-18-74-1d-05-bc R# 15/1

5 00-18-74-1d-05-bc R# 15/1

6 00-18-74-1d-05-bc R# 15/1

7 00-18-74-1d-05-bc R# 15/1

BTW: VLAN ID 891 is valid; it is the layer3 link from the 6500 to the ABR.

Hi, nothing prevent a virus-driven PC to send packets with source mac of another host, in fact they may do so in the attempt of redirecting traffic from someone else to them.

Now I think the switch prevents the rogue mac to be CAM-addressed to anything else, unfortunately I'm not very good at the switch to tell you which command could help identify where's the zombie, but it should be possibly a security command.

Of course if we're wrong and turn out the switch is actually sourcing this traffic I will stand corrected and apologize for the confusion.

Paolo (and Dave)

I believe that there is a different and better explanation of the MAC address. In the original post there is this explanation of where the capture was done:

when I put a sniffer on the MAN to WAN interface,

If the 6500 is forwarding IP packets to the WAN/ABR it will have done a layer 2 header rewrite and the source MAC will be the switch/MSFC. To find the MAC of the real source it will be necessary to find which VLAN on the switch is receiving the packets from the host.

HTH

Rick

Amen.