multiple MAC addresses on a switchport

Unanswered Question
Sep 1st, 2008

I have a pair of Checkpoint NGx R65

running in ClusterXL Active/Active

Unicast mode.

Eth0 of FW1 is connect to Catalyst switch SW1 6513 port 7/7 and Eth0 of FW2

is connected to Catalyst switch SW2 6513 port 7/8. There is an EtherChannel

trunk between these two switches.

When I connect to SW1 and run "show cam dynamic 7/7" I see this:

CAT6513-1> sh cam dynamic 7/7

* = Static Entry. + = Permanent Entry. # = System Entry. R = Router Entry.

X = Port Security Entry $ = Dot1x Security Entry M = Mac-Auth-Bypass Entry

Destination Ports or

VLAN Dest MAC/Route Des [CoS] Age VCs / [Protocol Type]

---- ------------------ ----- ---------- ---------------------

199 00-15-17-79-12-c6 0 7/7 [ALL]

199 00-d0-fe-8e-40-03 0 7/7 [ALL]

199 00-00-00-00-fe-00 0 7/7 [ALL]

199 00-d0-fe-8e-64-03 0 7/7 [ALL]

Total Matching CAM Entries Displayed = 4

CAT6513>

00-15-17-79-12-c6 = Firewall #1 physical MAC address

00-d0-fe-8e-40-03 = Cisco MAC address (no idea where it comes from)

00-00-00-00-fe-00 = Firewall #1 ClusterXL MAC address

00-d0-fe-8e-64-03 = Cisco MAC address (no idea where it comes from)

can someone tell me where the other Cisco

MAC addresses come from? I could not

find those mac addresses anywhere on the

switchports on both switches.

Thanks in advance.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Giuseppe Larosa Mon, 09/01/2008 - 23:07

Hello David,

I would look at the other Catalyst CAT6513-2 they send out some L2 multicast frames for CDP, VTP and so on. In sending these frames they use their own MAC addresses as source.

verify with a sh module if 00-d0-fe-8e-40-03 and 00-d0-fe-8e-64-03 are in the MAC address block of device CAT6513-2

Hope to help

Giuseppe

cisco24x7 Tue, 09/02/2008 - 03:11

Thank you guys. I will check. Andrew, yes, they are connected by fibre.

If I replace the Checkpoint NGx R65 firewalls

with Checkpoint NG with Application Intelligence

R55 firewalls, I will NOT see those MAC

addresses on the switchport. Why?

Giuseppe Larosa Tue, 09/02/2008 - 09:42

Hello David,

probably they have a different behaviour on L2 traffic.

If you can, try to use SPAN to capture the traffic and you will see what kind of frames have source MAC address the ones you see on switch.

What is strange is that the Astral should be in the middle so you should always see its frames !

Hope to help

Giuseppe

Actions

This Discussion