I'm seeing what appears to be all data on a VLAN being set to every other port on that VLAN across multiple switches connected via dot1q trunks. A packet capture shows me that all the traffic is destined for a single MAC address, one that does not show up in any MAC address table on any of the switches. The first 6 digits of the MAC is 00-50-5a indicating something from Network Alchemy which is now owned by Nokia. We have CheckPoint firewalls on Nokia hardware so I'm thinking they are involved somehow. Am I right to assume that since it's not in the table, Cisco is going to send it to every port in the VLAN until it learns the MAC - which looks like it will never happen?
Any suggestions as to how I find out why the traffic is destined to this MAC address yet it's not in the MAC address table?
You are correct, you are seeing expected behavior. By default all switches should flood unicast traffic that is destined to an unknown mac address.
This can happen for a variety of reasons, but if you don't see the mac address anywhere, its possible that the host does not respond using that MAC address. What I would do to find it is to put wireshark on a PC in the same vlan that you see the flooding. Then PING the IP address that you see this flooded traffic for. What we are looking for is the ARP Response. Perhaps the ARP Response will be sourced from a different MAC address than where it reports the address to be. If that holds true, you can then track down who is sending this ARP Response and figure out why.
If the process of pinging it and forcing the host to send an ARP packet fixes the problem, likely the end host just doesn't put much data on the network, and the MAC address simply times out. In this case you have some options like increasing your CAM aging timer to be higher than ARP timeout. Depending on the situation this may or may not work, but its a good trick to force the CAM table to be up to date w/ the ARP table.
I think I found it: Checkpoint cluster is set to use "Unicast mode" for clustering. CheckPoint then blames Cisco for not honoring it's ARP reply so I have to create static ARP entries for every address hosted by the CheckPoint. Anyone experienced this and can speak to any gotchas I need to be concerned with?
Question We run asr9001 with XR 6.1.3, and we have a very long delay to
login w/ SSH 1 or 2 to the device compare to IOS device. After
investigation, the there is 1s delay between the client KEXDH_INIT and
the server (XR) KEXDH_REPLY. After debug ssh serv...
Introduction The purpose of this document is to demonstrate the Open
Shortest Path First (OSPF) behavior when the V-bit (Virtual-link bit) is
present in a non-backbone area. The V-bit is signaled in Type-1 LSA only
if the router is the endpoint of one or ...
Hi, I am seeing quite a few issues with patch install and wanted to
share my experience and workaround to this. Login to admin via CLI, then
access root with the “shell” command Issue “df –h” and you’ll probably
see the following directory full or nearly ...