If I have a 6509 that I am routing with... and I have an ip on a vlan. 6 ports in the vlan. When it routes a packet through that vlan... does it forward the packet out all interfaces in that vlan??
Here is where the question stems from. I have a 5500 with an 8510 router in it. The 5500 has a server plugged into port 10/12. The 8510 has a port channel int 1.256. The server (port 10/12) is in vlan 256. I am spanning to a different port (10/4) to do packet caps and see all kinds of tcp traffic (the span port is a host port not a trunk) not destined for the server...
I think it would require a bit more specific information to be able to help solve your issue (in particular some details about how your SPAN is configured, and how the VLAN and trunks are configured, and it would be very helpful to have some particulars about at least a couple of packets in the capture that you did not expect). But in general I believe that we can provide a high level answer to your question. What the router/switch does in forwarding a packet depends on a couple of things. If the packet destination is multicast then the frame is flooded to switch ports (dependent on whether IGMP/CGMP is configured and active). If the packet destination is unicast then the switch looks for the destination MAC in its layer 2 forwarding table (CAM on your switch). If it finds a match in the CAM it is forwarded to the specific port, but if it does not find a match in the CAM the frame is flooded to all ports in the VLAN.
Also of note, when the router made a forwarding decision it needed to resolve the IP address to a MAC. You would think this implies that the MAC should be in the CAM. But since the ARP timeout on the router (4 hours by default) is longer than the CAM aging timer there is a real possibility that the router will forward frames which may be flooded by the switch.
If this does not answer your question please provide some specifics on how the SPAN is configured, how the VLAN is configured, how the trunking is configured, and the source/destination addresses and protocol port numbers of some packets in the capture that you did not expect.
I looked at the log file that you posted and do not see anything out of the ordinary.
It is indeed interesting that snoop on the server port sees only the correct traffic.
I do not know if you want to go further with this, but if you do it might be interesting to see the output of show cam dynamic 256. I am particularly wondering if there might be some MAC address still associated with the span port.
I think that the other possibility to consider is that there may be some unicast flooding going on. One way to investigate this would be to do a fresh capture, look for unexpected packets, find the destination MAC address of the unexpected packet, and look in the cam of the switch to see if it is there. If the destination MAC is not in the cam then I would expect it to be flooded to all ports.
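The check described in the reply above (capture, pick out the unexpected frames, take each destination MAC and look for it in the switch CAM) can be scripted. The script below is an added illustration and is not part of either reply; the CAM listing and the frame list it uses are constructed sample data in an approximation of the "show cam dynamic 256" column layout, not the poster's actual capture or switch output. It also reports which MACs are currently learned on the SPAN port, which is the other thing the reply suggests looking at.

```python
"""Classify captured frames against a switch CAM table to spot unicast flooding.

Added example for the thread above. SAMPLE_CAM_OUTPUT and SAMPLE_FRAMES are
constructed sample data; the CAM layout is an approximation of the CatOS
"show cam dynamic <vlan>" listing (vlan, MAC, destination port per row).
"""
import re

# Constructed approximation of "show cam dynamic 256" output.
SAMPLE_CAM_OUTPUT = """\
VLAN  Dest MAC/Route Des    Destination Ports or VCs / [Protocol Type]
----  ------------------    ----------------------------------------
256   00-50-56-aa-00-01     10/12 [ALL]
256   00-00-0c-07-ac-01     1/1-2 [ALL]
256   00-1b-d4-12-34-56     10/4  [ALL]
"""

# Constructed frames "seen on the SPAN port": (dst_mac, src_mac, summary).
SAMPLE_FRAMES = [
    ("00-50-56-aa-00-01", "00-00-0c-07-ac-01", "tcp 10.1.1.5:443 -> 10.1.1.20:51000"),
    ("00-50-56-bb-00-77", "00-00-0c-07-ac-01", "tcp 10.1.1.5:22 -> 10.1.1.40:40000"),
    ("01-00-5e-00-00-fb", "00-50-56-aa-00-01", "udp mdns query"),
    ("ff-ff-ff-ff-ff-ff", "00-50-56-aa-00-01", "arp who-has 10.1.1.1"),
    ("00-1b-d4-12-34-56", "00-50-56-aa-00-01", "tcp 10.1.1.20:51001 -> 10.1.1.9:80"),
]


def normalize_mac(mac):
    """Accept 00-11-22-33-44-55, 00:11:22:33:44:55 or 0011.2233.4455 forms."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_cam(text):
    """Return {mac: (vlan, port)} from the listing; header/separator rows are skipped."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        # Data rows start with a numeric VLAN id followed by a MAC and a port.
        if len(parts) < 3 or not parts[0].isdigit():
            continue
        vlan, mac, port = parts[0], parts[1], parts[2]
        table[normalize_mac(mac)] = (int(vlan), port)
    return table


def classify(dst_mac, cam):
    """Say how the switch will treat a frame with this destination MAC."""
    mac = normalize_mac(dst_mac)
    if mac == "ff:ff:ff:ff:ff:ff":
        return "broadcast"            # always flooded in the VLAN
    if int(mac[:2], 16) & 1:          # group bit of the first octet set
        return "multicast"            # flooded unless IGMP/CGMP snooping prunes it
    if mac in cam:
        return "known-unicast"        # forwarded only to the learned port
    return "unknown-unicast"          # not in CAM: flooded to every port in the VLAN


def find_flooded_unicast(frames, cam):
    """Return (dst_mac, summary) for unicast frames the switch must have flooded."""
    return [(dst, summary) for dst, _src, summary in frames
            if classify(dst, cam) == "unknown-unicast"]


def macs_on_port(cam, port):
    """MACs the switch currently associates with a given port (e.g. the SPAN port)."""
    return sorted(mac for mac, (_vlan, p) in cam.items() if p == port)


if __name__ == "__main__":
    cam = parse_cam(SAMPLE_CAM_OUTPUT)
    for dst, summary in find_flooded_unicast(SAMPLE_FRAMES, cam):
        print(f"flooded unicast: dst {dst}  {summary}")
    print("MACs learned on SPAN port 10/4:", macs_on_port(cam, "10/4"))
```

In real use, paste the live "show cam dynamic 256" text into SAMPLE_CAM_OUTPUT and feed the destination MACs from the capture in place of SAMPLE_FRAMES; any frame that comes back "unknown-unicast" is one the switch had no CAM entry for at that moment and therefore flooded to the SPAN port along with every other port in the VLAN, which matches the ARP-timeout-versus-CAM-aging explanation given earlier in the thread.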