sh mac-address table output question

Unanswered Question
Apr 6th, 2009

I'm trying to determine the port(s) my MAC addr are being learned/fwd'd on. The 'ports' column of my output shows 'Router' instead of an interface. Just looking to know what 'Router' indicates in the output...see below >>



nwhqkuun13-1#sh mac-address-table vlan 113 | i 0015.c701.afc0

* 113 0015.c701.afc0 static No - Router





Giuseppe Larosa Mon, 04/06/2009 - 12:06

Hello David,

This should be the MAC address of SVI vlan 113 on the switch, so it is not learned; it is static and does not expire.


You can check with

sh int vlan 113

and look for the MAC address.


So Router here means it is related to an L3 routed interface (the SVI).


Hope to help

Giuseppe


dgalati000 Mon, 04/06/2009 - 12:37

Great, perfect. Let me expand a bit - I'm designing a SPAN design to send dist layer traffic out a dest port on the dist layer 6509 to a 4270 IPS box. I plan on spanning a vlan (VSPAN) but there is a caveat in what traffic a VSPAN port will monitor/pickup. So I got confused.


Are you saying the VLAN SVI IS routed?


Here's the caveat from the doc >>

"VSPAN only monitors traffic that leaves or enters L2 ports in the VLAN.

Caveat 1 - Routed traffic that enters a monitored VLAN is not captured if the SPAN session is configured with that VLAN as an ingress source, because traffic never appears as ingress traffic entering a L2 port in the vlan.

Caveat 2 - Traffic that is routed OUT of a monitored VLAN, which is configured as an egress source in the SPAN session, is not captured, because traffic never appears as egress traffic leaving a L2 port in that vlan."


Trying to be certain that ALL my VLAN traffic will get picked up/monitored by the source port in my SPAN session.


I can send a short visio if it helps.

Giuseppe Larosa Mon, 04/06/2009 - 12:57

Hello David,

I just mean that the table uses this keyword Router to say:

"This is an address of mine used on a logical L3 interface; I didn't learn it from the outside world and it never expires."


About your question: I think it is quite a common setup and you should be able to capture all real traffic entering LAN ports associated to the source vlan.


Hint: here, in SPAN context, source vlan means the L2 broadcast domain, not the SVI.


These caveats just say that you need to see the usage of a source vlan as equivalent to using as source the collection of all the L2 ports that are associated to the "source vlan".

This includes access ports as well as trunk ports (I should check for the last ones).

Be prepared to see some duplicated frames for flows exchanged between hosts in the vlan.


Hope to help

Giuseppe
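
The two quoted caveats and the duplicate-frame remark above, as a simplified model (an added example, not part of the original posts or of Cisco documentation). The flow names are constructed, and a VLAN of None stands for a routed L3 port such as an uplink to the core.

```python
# Simplified VSPAN model built only from the caveats quoted in this thread:
# a frame is copied when it enters (rx) or leaves (tx) an L2 port that belongs
# to the monitored VLAN. Routing through the SVI produces no copy by itself.

MONITORED_VLAN = 113

# Constructed sample flows: (VLAN of ingress L2 port, VLAN of egress L2 port).
# None means the frame used a routed L3 port instead of an L2 port.
FLOWS = {
    "host-to-host inside VLAN 113": (113, 113),
    "routed out of VLAN 113 to core": (113, None),
    "routed into VLAN 113 from core": (None, 113),
}


def vspan_copies(ingress_vlan, egress_vlan, direction):
    """Copies of one frame sent to the SPAN destination for 'rx', 'tx' or 'both'."""
    if direction not in ("rx", "tx", "both"):
        raise ValueError("direction must be 'rx', 'tx' or 'both'")
    copies = 0
    if direction in ("rx", "both") and ingress_vlan == MONITORED_VLAN:
        copies += 1  # seen entering an L2 port in the monitored VLAN
    if direction in ("tx", "both") and egress_vlan == MONITORED_VLAN:
        copies += 1  # seen leaving an L2 port in the monitored VLAN
    return copies


def coverage(direction):
    """Map each sample flow to the number of copies the sensor receives."""
    return {name: vspan_copies(i, e, direction) for name, (i, e) in FLOWS.items()}


def blind_spots(direction):
    """Flows the sensor never sees for the given SPAN source direction."""
    return [name for name, n in coverage(direction).items() if n == 0]


if __name__ == "__main__":
    for direction in ("rx", "tx", "both"):
        print(direction, coverage(direction), "missed:", blind_spots(direction))
```

In this model, monitoring both directions leaves no blind spot among the sample flows, at the cost of two copies of every frame exchanged between hosts in the VLAN.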



dgalati000 Mon, 04/06/2009 - 13:06

Thanks, helpful. Those caveats were concerning me. Since I'll be spanning the VLAN (and probably some additional individual ports) as the source and mirroring them to a dest port WITHOUT affecting the routed outputs to the core layer, I should be fine.


Where in Italy are you? I'm Italian American. I spent 1977 and 1978 sailing in and out of Italy on a US NAVY ship...I still think about all the GREAT things I did there. Were you near that earthquake?

Giuseppe Larosa Mon, 04/06/2009 - 13:24

Hello David,

I was born in Southern Italy (Calabria) and I live near Turin.

The earthquake has hit near L'Aquila in Abruzzo. The epicentre is 100 km from Rome.

For further info you can access for example


http://www.repubblica.it


http://www.corriere.it/english/




Best Regards

Giuseppe

