03-04-2014 09:54 AM - edited 03-07-2019 06:31 PM
I have seen very strange behavior. The following two commands show different outputs...
core2#sho mac address-table dynamic | in cc04
7 0009.0fbb.cc04 dynamic Yes 150 Po10
core2#sho mac address-table address 0009.0fbb.cc04
Legend: * - primary entry
age - seconds since last seen
n/a - not available
vlan mac address type learn age ports
------+----------------+--------+-----+----------+--------------------------
No entries present.
Po10 is the etherchannel to core1. The MAC address is on core2 and should never be learned on core1. Core1 doesn't learn this MAC address at all.
The commands are run at the same time. I repeated it many times and it is the same... Any idea why?
Thanks!
Difan
03-04-2014 10:04 AM
Difan
Can you try -
sh mac-address-table dynamic address 0009.0fbb.cc04
Jon
03-04-2014 10:10 AM
core2#sh mac-address-table dynamic address 0009.0fbb.cc04
Legend: * - primary entry
age - seconds since last seen
n/a - not available
vlan mac address type learn age ports
------+----------------+--------+-----+----------+--------------------------
No entries present.
Well we think that the device with the MAC rarely sends out traffic so the MAC times out all the time. However it should never point to core1... We enabled spanning-tree status logging on all the links with that vlan and we don't see any events happening...
Thanks Jon!
03-04-2014 10:13 AM
When it does point to core1, what does the mac address table on that switch show?
What is the device and how is it connected ie. is it directly connected to core2 or is it on an access switch ?
If it is an access switch is that switch connected to both core switches ?
Jon
03-04-2014 10:23 AM
Yes, there are access switches connected to both core1 and core2. However the STP and links are all stable. No logs are seen at all for any flapping or anything.
When it happens, on core1 it doesn't have the MAC, with either command...
Thanks,
03-04-2014 10:37 AM
So the vlan the device is in, let's say vlan 10.
Your two core switches are not running VSS ?
If they are not running VSS then it sounds like you have a standard L2/3 design ie.
1) the two core switches are interconnected by a L2 etherchannel trunk
2) the access switch is connected to both cores with L2 links, either trunk links or access links depending on whether the access switch has multiple vlans on it.
3) one of those uplinks must be blocking for vlan 10
So if you do a "sh spanning-tree vlan 10" on the access switch, which link is being blocked, ie. the one to core1 or the one to core2?
Jon
03-04-2014 11:22 AM
Hi Jon,
Correct, I am not using VSS. However it is not a standard setup. Vlan 7 is extended to many other switches. The root is actually not core1 or core2. It also passes through a provider to a different location as well. However, like you said, all the correct ports are blocked. Please trust me on this.. If there were a loop, we would have a much more serious problem... At least our CPU would spike and the links would be congested, right?
I know your concern is that the same packet could somehow be looped back through core1, which makes core2 learn the MAC on the port-channel interface to core1. However when this happens, core1 doesn't learn the MAC anywhere, and on core2 one command shows the MAC but the other doesn't...
Also something interesting: even that MAC in the command will eventually disappear. Please note the aging time. The aging time configured on the vlan is 480 seconds. At the end the MAC address is pointing to another interface, G1/1. That interface doesn't even have vlan 7 allowed on the trunk link.
core2#sho mac address-table address 0009.0fbb.cc04
Legend: * - primary entry
age - seconds since last seen
n/a - not available
vlan mac address type learn age ports
------+----------------+--------+-----+----------+--------------------------
No entries present.
core2#
core2#show mac address-table | in 0009.0fbb.cc04
7 0009.0fbb.cc04 dynamic Yes 285 Po10
core2#show mac address-table | in 0009.0fbb.cc04
7 0009.0fbb.cc04 dynamic Yes 290 Po10
core2#show mac address-table | in 0009.0fbb.cc04
7 0009.0fbb.cc04 dynamic Yes 300 Po10
core2#show mac address-table | in 0009.0fbb.cc04
7 0009.0fbb.cc04 dynamic Yes 305 Po10
core2#show mac address-table | in 0009.0fbb.cc04
7 0009.0fbb.cc04 dynamic Yes 315 Po10
core2#show mac address-table | in 0009.0fbb.cc04
7 0009.0fbb.cc04 dynamic Yes 320 Po10
core2#show mac address-table | in 0009.0fbb.cc04
7 0009.0fbb.cc04 dynamic Yes 320 Po10
core2#show mac address-table | in 0009.0fbb.cc04
7 0009.0fbb.cc04 dynamic Yes 330 Po10
core2#show mac address-table | in 0009.0fbb.cc04
7 0009.0fbb.cc04 dynamic Yes 335 Po10
core2#show mac address-table | in 0009.0fbb.cc04
7 0009.0fbb.cc04 dynamic Yes 340 Po10
core2#show mac address-table | in 0009.0fbb.cc04
7 0009.0fbb.cc04 dynamic Yes 375 Po10
core2#show mac address-table | in 0009.0fbb.cc04
7 0009.0fbb.cc04 dynamic Yes 405 Po10
core2#show mac address-table | in 0009.0fbb.cc04
7 0009.0fbb.cc04 dynamic Yes 425 Po10
core2#show mac address-table | in 0009.0fbb.cc04
7 0009.0fbb.cc04 dynamic Yes 465 Gi1/1
core2#show mac address-table | in 0009.0fbb.cc04
7 0009.0fbb.cc04 dynamic Yes 480 Gi1/1
core2#show mac address-table | in 0009.0fbb.cc04
7 0009.0fbb.cc04 dynamic Yes 480 Gi1/1
core2#show mac address-table | in 0009.0fbb.cc04
core2#show mac address-table | in 0009.0fbb.cc04
core2#sho mac address-table address 0009.0fbb.cc04
Legend: * - primary entry
age - seconds since last seen
n/a - not available
vlan mac address type learn age ports
------+----------------+--------+-----+----------+--------------------------
No entries present.
core2#sh int g1/1 trunk
Port Mode Encapsulation Status Native vlan
Gi1/1 on 802.1q trunking 1
Port Vlans allowed on trunk
Gi1/1 64,72,156,214-216,300,600
Port Vlans allowed and active in management domain
Gi1/1 64,72,156,214-216,300,600
Port Vlans in spanning tree forwarding state and not pruned
Gi1/1 64,72,156,214-216,300,600
Is it a bug?
Thanks!
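The sequence of outputs above is a manual version of a check worth automating: poll the MAC table, record when an entry changes port, flag entries that are about to age out, and cross-check each learned entry against the trunk's allowed-VLAN list so that a VLAN-7 MAC appearing on a port that does not permit VLAN 7 is reported rather than noticed by eye. The script below is an added example, not code from this thread or from Cisco; the function names are my own, and the sample inputs are constructed from the show command outputs posted above (the snapshots are abbreviated to four polls, and the trunk output merges the Gi1/1 and Po20 sections into one listing).

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class MacEntry:
    vlan: int
    mac: str
    kind: str   # dynamic / static
    age: int    # seconds since last seen, -1 when the switch prints n/a or -
    port: str


# One row of "show mac address-table" as printed on a Catalyst 6500:
# [*] vlan  mac  type  learn  age  ports   (the learn column is skipped)
MAC_ROW = re.compile(
    r"^\s*\*?\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+\w+\s+(\d+|n/a|-)\s+(\S+)",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Parse MAC table rows; headers, legends and 'No entries present.' are ignored."""
    entries = []
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            vlan, mac, kind, age, port = m.groups()
            entries.append(MacEntry(int(vlan), mac.lower(), kind.lower(),
                                    int(age) if age.isdigit() else -1, port))
    return entries


def expand_vlan_list(spec):
    """'64,72,214-216' -> {64, 72, 214, 215, 216}"""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_trunk_allowed(text):
    """Return {port: allowed VLAN set} from the 'Vlans allowed on trunk' section of 'show interfaces trunk'."""
    allowed, in_section = {}, False
    for line in text.splitlines():
        if line.startswith("Port") and "allowed on trunk" in line:
            in_section = True
            continue
        if in_section:
            if line.startswith("Port") or not line.strip():
                in_section = False
                continue
            port, spec = line.split(None, 1)
            allowed[port] = expand_vlan_list(spec)
    return allowed


def find_disallowed_learning(entries, allowed):
    """Entries learned on a trunk whose allowed list excludes the entry's VLAN (the Gi1/1 case above)."""
    return [e for e in entries if e.port in allowed and e.vlan not in allowed[e.port]]


def find_port_moves(snapshots):
    """Across successive polls, report (mac, vlan, old_port, new_port, age_at_move) when an entry changes port."""
    moves, prev = [], {}
    for snap in snapshots:
        for e in snap:
            key = (e.vlan, e.mac)
            if key in prev and prev[key].port != e.port:
                moves.append((e.mac, e.vlan, prev[key].port, e.port, e.age))
            prev[key] = e
    return moves


def stale_entries(entries, aging_time, warn_fraction=0.9):
    """Entries whose age is within warn_fraction of the configured aging time, i.e. about to be flushed."""
    return [e for e in entries if e.age >= 0 and e.age >= aging_time * warn_fraction]


# Constructed sample data, taken from the outputs posted in this thread.
SNAPSHOTS = [
    "7 0009.0fbb.cc04 dynamic Yes 150 Po10\n",
    "7 0009.0fbb.cc04 dynamic Yes 425 Po10\n",
    "7 0009.0fbb.cc04 dynamic Yes 465 Gi1/1\n",
    "7 0009.0fbb.cc04 dynamic Yes 480 Gi1/1\n",
]
TRUNK_OUTPUT = """Port        Mode         Encapsulation  Status        Native vlan
Gi1/1       on           802.1q         trunking      1
Po20        on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gi1/1       64,72,156,214-216,300,600
Po20        7

Port        Vlans allowed and active in management domain
Gi1/1       64,72,156,214-216,300,600
Po20        7
"""

if __name__ == "__main__":
    snaps = [parse_mac_table(s) for s in SNAPSHOTS]
    allowed = parse_trunk_allowed(TRUNK_OUTPUT)
    for mv in find_port_moves(snaps):
        print("port move:", mv)
    for e in find_disallowed_learning(snaps[-1], allowed):
        print("vlan not allowed on port:", e)
    for e in stale_entries(snaps[-1], aging_time=480):
        print("about to age out:", e)
```

Run it against the output of `show mac address-table` and `show interfaces trunk` collected on a timer; a MAC that hops to a port that cannot legitimately carry its VLAN is the same signal you would look for when hunting a MAC spoof or a leaking link, so it deserves an alert rather than a manual diff of two show commands.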
03-04-2014 11:29 AM
I don't think you have a L2 loop because as you say you would probably have far more serious issues than this.
It's hard to say whether it is a bug without understanding -
1) the full topology including root switches etc.
2) what the device actually is and how is it connected ie. is it just one NIC, does it have multiple NICs, is the NIC trunking or not etc.
It is strange, if the access port the device is connected to is configured as an access port in vlan 7, that it is being seen via g1/1, which is not allowing vlan 7 on the trunk.
Difficult to say with the information provided so far.
Jon
03-04-2014 11:37 AM
We don't even have a diagram lol. We just took over support.
Regarding that Gi1/1 thing, no matter how the MAC is learned, from a trunk port or access port, it is just a MAC on vlan 7, correct? However, why on earth does the switch think that the MAC is learned from this Gi1/1, which doesn't even permit vlan 7 on it? The device on the other end is a Cisco 3750 switch that is connected on this Gi1/1, and vlan 7 doesn't even exist on it...
03-04-2014 11:43 AM
Regarding that Gi1/1 thing, no matter how the MAC is learned, from a trunk port or access port, it is just a MAC on vlan 7, correct?
Correct, but I was more concerned with the end device to be honest and how it was connected. For example, if it had a single NIC and the switchport it was connected to was configured as an access port in vlan 7, then what you are seeing is strange.
Jon
03-04-2014 11:52 AM
I see. The device with the MAC is a big firewall chassis. It has many interfaces, like over 10. It is connected on a 20G etherchannel
interface Port-channel20
description F5140 Sw2 (Members F5,F6)
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 7
switchport mode trunk
switchport nonegotiate
logging event link-status
end
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
20 Po20(SU) LACP Te4/7(P) Te4/8(P)
03-04-2014 11:58 AM
Okay but only vlan 7 is allowed on that trunk link so if that is the only connection from the firewall to your switch infrastructure then all mac addresses associated with the firewall should be seen in vlan 7 only.
I'm not sure why it is a trunk if it is only allowing vlan 7 ie. why is it not just a port channel interface in vlan 7.
What does a "sh int trunk" show from the switch that the port channel is connected to?
Jon
03-04-2014 12:03 PM
Actually in my previous show commands, the MAC is learned in vlan 7 only. The MAC was never learned in other vlans
core2#show mac address-table | in 0009.0fbb.cc04
7 0009.0fbb.cc04 dynamic Yes 480 Gi1/1
Here is the show command you requested
core2#sh int po20 trunk
Port Mode Encapsulation Status Native vlan
Po20 on 802.1q trunking 1
Port Vlans allowed on trunk
Po20 7
Port Vlans allowed and active in management domain
Po20 7
Port Vlans in spanning tree forwarding state and not pruned
Po20 7
Thanks!
03-04-2014 12:22 PM
That is strange.
Clearly your outputs show gi1/1 not allowing vlan 7, but your mac address outputs show it being learnt on that port.
What does a "sh int trunk" show from the access switch on the port connecting to g1/1 on core 2?
Jon
03-04-2014 12:28 PM
I actually already provided it in my previous post but here it is again..
core2#sh int g1/1 trunk
Port Mode Encapsulation Status Native vlan
Gi1/1 on 802.1q trunking 1
Port Vlans allowed on trunk
Gi1/1 64,72,156,214-216,300,600
Port Vlans allowed and active in management domain
Gi1/1 64,72,156,214-216,300,600
Port Vlans in spanning tree forwarding state and not pruned
Gi1/1 64,72,156,214-216,300,600
I will have to work on something else... Might not respond to your questions right away. Thank you very much for your help no matter how this turns out.