cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1336
Views
5
Helpful
6
Replies

sh mac-address table output question

dgalati000
Level 1
Level 1

I'm trying to determine the port(s) my MAC addr are being learned/fwd'd on. The 'ports' column of my output shows 'Router' instead of a interface. Just looking to know what 'Router' indicates in the output...see below >>

nwhqkuun13-1#sh mac-address-table vlan 113 | i 0015.c701.afc0

* 113 0015.c701.afc0 static No - Router

6 Replies 6

Giuseppe Larosa
Hall of Fame
Hall of Fame

Hello David,

this should be the MAC address of SVI vlan 113 on the switch so it is not learned it is static and does not expire

you can check with

sh int vlan 113

look for the MAC address

So Router here means it is related to a L3 routed interface (the SVI)

Hope to help

Giuseppe

great, perfect. let me expand a bit-I'm designing a SPAN design to send dist layer traffic out a dest port on the dist layer 6509 to a 4270 IPS box. I plan on spanning a vlan (VSPAN) but there is a caveat in what traffic a VSPAN port will monitor/pickup. So I got confused.

Are you saying the VLAN SVI IS routed?

Here's the caveat from the doc >>

"VSPAN only monitors traffic that leaves or enters L2 ports in the VLAN

Caveat 1 - Routed traffic that enters a monitored VLAN is not captured if the SPAN session is configed with that VLAN as an ingress source, because traffic never appears as ingress traffic entering a L2 port in the vlan.

Caveat 2 - Traffic that is routed OUT of a monitored VLAN, which is configed as an egress source in the SPAN session, is not captured, because traffice never appears as egress traffice leaving a L2 port in that vlan.

Trying to be certain that ALL my VLAN traffic will get picked up/monitored by the source port in my SPAN session.

I can send a short visio if it helps.

Hello David,

I just mean that the table uses this keyword Router to say:

" this is an address of mine used on a logical L3 interface I didn't learn it from outside world and it never expires."

About your question: I think it is a quite common setup and you should be able to capture all real traffic entering LAN ports associated to the source vlan.

Hint: here in SPAN context source vlan means L2 broadcast domain not SVI.

These caveats just say that you need to see the usage of a source vlan equivalent to using as source the collection of all the L2 ports that are associated to the "source vlan".

This includes access ports as well as trunk ports ( I should check for the last ones)

Be prepared to see some duplicated frames for flows exchanged between hosts in the vlan.

Hope to help

Giuseppe

Thanks, helpful. Those caveats were concerning me. Since I'll be spanning the VLAN (and probably some additional individual ports) as the source and mirroring them to a dest port WITHOUT affecting the routed outputs to the core layer, I should be fine.

Where in Italy are you? I'm Italian American. I spent 1977 and 1978 sailing in and out of Italy on a US NAVY ship...I still think about all the GREAT things I did there. Were you near that earthquake ??

Hello David,

I was born in Southern Italy (Calabria) and I live near Turin.

The earthquake has hit near L'Aquila in Abruzzo. The epycentre is 100 km far from Rome.

For further info you can access for example

http://www.repubblica.it

http://www.corriere.it/english/

Best Regards

Giuseppe

wow...scary. take care..if you don't mind, I can email you outside of this thread: concerning the SPAN ports. I'm at United Airlines IT in Chicago Illinois. david.galati@united.com,,,,signing off for the night.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: