
6509E with Sup720 - Show mac address

Difan Zhao
Level 5

I have seen very strange behavior. The following two commands show different outputs...

core2#sho mac address-table dynamic | in cc04

     7  0009.0fbb.cc04   dynamic  Yes        150   Po10

core2#sho mac address-table address 0009.0fbb.cc04

Legend: * - primary entry

        age - seconds since last seen

        n/a - not available

  vlan   mac address     type    learn     age              ports

------+----------------+--------+-----+----------+--------------------------

No entries present.

Po10 is etherchannel to core1. The MAC address is on the core2 and should never be learned on core1. Core1 doesn't learn this MAC address at all.

The commands are run at the same time. I repeated many times and it is the same... Any idea why?

Thanks!

Difan

16 Replies

Jon Marshall
Hall of Fame

Difan

Can you try -

sh mac-address-table dynamic address 0009.0fbb.cc04

Jon

core2#sh mac-address-table dynamic address 0009.0fbb.cc04

Legend: * - primary entry

        age - seconds since last seen

        n/a - not available

  vlan   mac address     type    learn     age              ports

------+----------------+--------+-----+----------+--------------------------

No entries present.

Well we think that the device with the MAC rarely sends out traffic so the MAC times out all the time. However it should never point to core1... We enabled spanning-tree status logging on all the links with that vlan and we don't see any events happening...

Thanks Jon!

When it does point to core1 what does the mac address table on that switch show ?

What is the device and how is it connected ie. is it directly connected to core2 or is it on an access switch ?

If it is an access switch is that switch connected to both core switches ?

Jon

Yes there are access switches connected to both core1 and core2. However the STP and links are all stable. No logs are seen at all for any flapping or anything

When it happens, on core1 it doesn't have the MAC, with either command...

Thanks,

So the vlan the device is in, let's say vlan 10.

Your two core switches are not running VSS ?

If they are not running VSS then it sounds like you have a standard L2/3 design ie.

1) the two core switches are interconnected by a L2 etherchannel trunk

2) the access switch is connected to both cores with L2 links, either trunk links or access links depending on whether the access switch has multiple vlans on it.

3) one of those uplinks must be blocking for vlan 10

So if you do a "sh spanning-tree vlan 10" on the access switch which link is being blocked ie. the one to core1 or the one to core2 ?

Jon

Hi Jon,

Correct, I am not using VSS. However, it is not a standard setup. Vlan 7 is extended to many other switches. The root is actually not core1 or core2. It also passes through some provider to a different location as well. However, like you said, all the correct ports are blocked. Please trust me on this... If there is a loop, we will have a much more serious problem... At least our CPU will hike and links will be congested, right?

I know your concern that the same packet could be somehow looped back through core1, which makes core2 learn the MAC on the port-channel interface to core1. However, when this happens, core1 doesn't learn the MAC anywhere, and on core2 one command shows the MAC but not the other command...

Also something interesting, even that MAC in the command will eventually disappear. Please note the aging time. The aging time configured on the vlan is 480 seconds. At last the MAC address is pointing to another interface like G1/1. That interface doesn't even have vlan 7 allowed on the trunk link.

core2#sho mac address-table address 0009.0fbb.cc04

Legend: * - primary entry

        age - seconds since last seen

        n/a - not available

  vlan   mac address     type    learn     age              ports

------+----------------+--------+-----+----------+--------------------------

No entries present.

core2#

core2#show mac address-table | in 0009.0fbb.cc04

     7  0009.0fbb.cc04   dynamic  Yes        285   Po10

core2#show mac address-table | in 0009.0fbb.cc04

     7  0009.0fbb.cc04   dynamic  Yes        290   Po10

core2#show mac address-table | in 0009.0fbb.cc04

     7  0009.0fbb.cc04   dynamic  Yes        300   Po10

core2#show mac address-table | in 0009.0fbb.cc04

     7  0009.0fbb.cc04   dynamic  Yes        305   Po10

core2#show mac address-table | in 0009.0fbb.cc04

     7  0009.0fbb.cc04   dynamic  Yes        315   Po10

core2#show mac address-table | in 0009.0fbb.cc04

     7  0009.0fbb.cc04   dynamic  Yes        320   Po10

core2#show mac address-table | in 0009.0fbb.cc04

     7  0009.0fbb.cc04   dynamic  Yes        320   Po10

core2#show mac address-table | in 0009.0fbb.cc04

     7  0009.0fbb.cc04   dynamic  Yes        330   Po10

core2#show mac address-table | in 0009.0fbb.cc04

     7  0009.0fbb.cc04   dynamic  Yes        335   Po10

core2#show mac address-table | in 0009.0fbb.cc04

     7  0009.0fbb.cc04   dynamic  Yes        340   Po10

core2#show mac address-table | in 0009.0fbb.cc04

     7  0009.0fbb.cc04   dynamic  Yes        375   Po10

core2#show mac address-table | in 0009.0fbb.cc04

     7  0009.0fbb.cc04   dynamic  Yes        405   Po10

core2#show mac address-table | in 0009.0fbb.cc04

     7  0009.0fbb.cc04   dynamic  Yes        425   Po10

core2#show mac address-table | in 0009.0fbb.cc04

     7  0009.0fbb.cc04   dynamic  Yes        465   Gi1/1

core2#show mac address-table | in 0009.0fbb.cc04

     7  0009.0fbb.cc04   dynamic  Yes        480   Gi1/1

core2#show mac address-table | in 0009.0fbb.cc04

     7  0009.0fbb.cc04   dynamic  Yes        480   Gi1/1

core2#show mac address-table | in 0009.0fbb.cc04

core2#show mac address-table | in 0009.0fbb.cc04

core2#sho mac address-table address 0009.0fbb.cc04

Legend: * - primary entry

        age - seconds since last seen

        n/a - not available

  vlan   mac address     type    learn     age              ports

------+----------------+--------+-----+----------+--------------------------

No entries present.

core2#sh int g1/1 trunk

Port                Mode         Encapsulation  Status        Native vlan

Gi1/1               on           802.1q         trunking      1

Port                Vlans allowed on trunk

Gi1/1               64,72,156,214-216,300,600

Port                Vlans allowed and active in management domain

Gi1/1               64,72,156,214-216,300,600

Port                Vlans in spanning tree forwarding state and not pruned

Gi1/1               64,72,156,214-216,300,600

Is it a bug?

Thanks!

I don't think you have a L2 loop because as you say you would probably have far more serious issues than this.

It's hard to say whether it is a bug without understanding -

1) the full topology including root switches etc.

2) what the device actually is and how is it connected ie. is it just one NIC, does it have multiple NICs, is the NIC trunking or not etc.

It is strange if the access port the device is connected to is configured as an access port in vlan 7 that it is being seen via g1/1, which is not allowing vlan 7 on the trunk.

Difficult to say with the information provided so far.

Jon

Even we don't have a diagram lol. We just took over support.

Regarding that Gi1/1 thing, no matter how the MAC is learned, from a trunk port or access port, it is just a MAC on vlan 7, correct? However, why on earth does the switch think that the MAC is learned from this Gi1/1, which doesn't even permit vlan 7 on it? The device on the other end is a Cisco 3750 switch that is connected on this Gi1/1, and vlan 7 doesn't even exist on it...

Regarding that Gi1/1 thing, no matter how the MAC is learned, from a trunk port or access port, it is just a MAC on vlan 7, correct?

Correct, but I was more concerned with the end device to be honest and how it was connected. For example, if it had a single NIC and the switchport it was connected to was configured as an access port in vlan 7, then what you are seeing is strange.

Jon

I see. The device with the MAC is a big firewall chassis. It has many interfaces, like over 10. It is connected on a 20G etherchannel

interface Port-channel20

description F5140 Sw2 (Members F5,F6)

switchport

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 7

switchport mode trunk

switchport nonegotiate

logging event link-status

end

Group  Port-channel  Protocol    Ports

------+-------------+-----------+-----------------------------------------------

20     Po20(SU)        LACP      Te4/7(P)       Te4/8(P)

Okay but only vlan 7 is allowed on that trunk link so if that is the only connection from the firewall to your switch infrastructure then all mac addresses associated with the firewall should be seen in vlan 7 only.

I'm not sure why it is a trunk if it is only allowing vlan 7 ie. why is it not just a port channel interface in vlan 7.

What does a "sh int trunk" show from the switch that the port channel is connected ?

Jon

Actually in my previous show commands, the MAC is learned in vlan 7 only. The MAC was never learned in other vlans

core2#show mac address-table | in 0009.0fbb.cc04

     0009.0fbb.cc04   dynamic  Yes        480   Gi1/1

Here is the show command you requested

core2#sh int po20 trunk

Port                Mode         Encapsulation  Status        Native vlan

Po20                on           802.1q         trunking      1

Port                Vlans allowed on trunk

Po20                7

Port                Vlans allowed and active in management domain

Po20                7

Port                Vlans in spanning tree forwarding state and not pruned

Po20                7

Thanks!

That is strange.

Clearly your outputs show gi1/1 not allowing vlan 7 but your mac address outputs show it being learnt on that port.

What does a "sh int trunk" show from the access switch on the port connecting to g1/1 on core 2 ?

Jon

I actually already provided it in my previous post but here it is again..

core2#sh int g1/1 trunk

Port                Mode         Encapsulation  Status        Native vlan

Gi1/1               on           802.1q         trunking      1

Port                Vlans allowed on trunk

Gi1/1               64,72,156,214-216,300,600

Port                Vlans allowed and active in management domain

Gi1/1               64,72,156,214-216,300,600

Port                Vlans in spanning tree forwarding state and not pruned

Gi1/1               64,72,156,214-216,300,600

I will have to work on something else... Might not respond to your questions right away. Thank you very much for your help no matter how this turns out.
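The check this thread keeps making by eye, a MAC table row on a port whose trunk does not allow that VLAN, as an added example that is not part of any post above. It assumes one port per MAC row, unwrapped VLAN lists and the same port abbreviations in both outputs; the function names are hypothetical and the sample text is assembled from the outputs posted in the thread.

```python
import re

# Sample input assembled from the outputs posted in this thread.
MAC_OUTPUT = """\
     7  0009.0fbb.cc04   dynamic  Yes        425   Po10
     7  0009.0fbb.cc04   dynamic  Yes        465   Gi1/1
"""
TRUNK_OUTPUT = """\
Port                Mode         Encapsulation  Status        Native vlan
Gi1/1               on           802.1q         trunking      1
Port                Vlans allowed on trunk
Gi1/1               64,72,156,214-216,300,600
Port                Vlans allowed and active in management domain
Gi1/1               64,72,156,214-216,300,600
"""

# vlan, mac, type, learn, age, port (optional leading '*' for primary entry)
MAC_RE = re.compile(
    r"^\s*\*?\s*(\d+)\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})"
    r"\s+\S+\s+\S+\s+\S+\s+(\S+)\s*$", re.I)

def expand_vlans(spec):
    """Expand '64,72,214-216' into a set of VLAN ids."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_allowed(trunk_text):
    """Return {port: allowed VLANs} from the 'Vlans allowed on trunk' section."""
    allowed, in_section = {}, False
    for line in trunk_text.splitlines():
        if line.startswith("Port"):
            in_section = line.rstrip().endswith("Vlans allowed on trunk")
        elif in_section and line.strip():
            port, spec = line.split()
            allowed[port] = expand_vlans(spec)
    return allowed

def check_entries(mac_text, allowed):
    """Return (vlan, mac, port, verdict) for every MAC table row found."""
    results = []
    for m in filter(None, map(MAC_RE.match, mac_text.splitlines())):
        vlan, mac, port = int(m.group(1)), m.group(2).lower(), m.group(3)
        if port not in allowed:
            verdict = "no-trunk-data"      # trunk output for this port not supplied
        else:
            verdict = "ok" if vlan in allowed[port] else "vlan-not-allowed"
        results.append((vlan, mac, port, verdict))
    return results
```

Rows marked `vlan-not-allowed` are the inconsistent ones to capture with timestamps before the entry ages out.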
