Same mac over 2 Vlans on L2 switch connected to ACE - should i be concerned

Hello all,

We have a pair of ACEs peered in our network which is connected via a series of layer 2 switches. The ACEs are unfortunately running in a hybrid inline-bridge + one-arm configuration. The story goes that the supplier that undertook the installation configured the boxes to run in one-arm mode with source NAT to ensure return traffic hits the ACE; however, this didn't sit well with certain application administrators that lost client IP information (setup is in a DMZ). So anyhow ... we've migrated almost all the servers off the client/gateway-facing segment to the server VLAN ... (BVI setup now instead of SVI)...

Now that you're all caught up .... I've been meaning to ask about a behaviour that can't possibly be healthy. When you look at the CAM tables on the L2 switches that interconnect the ACEs, servers and gateway together, oftentimes you see the same MAC address being learnt over both the VLANs that have been bridged together. For instance, if in my case VLAN 18 is the client/gateway-facing VLAN whereas 118 is the server-side VLAN, and server X is connected to a VLAN 118 access port on the layer 2 switch, a "show mac-add | inc xxxx" on a layer 2 switch to which the ACE is connected will show

18   xxxx Fa0/Y

118 xxxx Fa0/Y

Fa0/Y being the interface connected to the ACE NLB.

I get that the ACE is bridging L2 traffic between VLANs 18 and 118, and that what happens is that when the switch hears server X speak, it probably hears it out of both VLANs, since VLAN 118 is bridged to VLAN 18 and both frames arrive at the switch, which in turn updates its CAM table in kind.

My question is ... is this desirable/expected? And can it lead to any potential complications like duplicates, or the same request ingressing/egressing the server multiple times?

Can I / should I do anything to mitigate this? Would passing BPDUs help?

I hope the above is clear. Sorry for the length of the post.

Daniel Arrondo Ostiz
Cisco Employee


From what you describe, you have both VLANs of the ACE connected to the same switch. In that situation it's normal to see the MAC addresses in the tables for both VLANs, because, as you already mentioned in your post, the packet is seen on both VLANs.

This is nothing to be worried about, because when a switch gets a packet on a L2 VLAN, it will only send it out on the ports connected to that same VLAN. It will only send it out on a different one if they are either bridged somehow by the switch (which should not be the case) or if the packet is hitting a L3 interface and needs to be routed.

In this topology you are seeing, a reply from the server (which is the one updating the mac-address-table on the switch) will arrive on the server VLAN, be sent out towards the ACE, arrive again on the client VLAN, and, assuming that the clients are not directly connected, hit the L3 interface on the client VLAN and get routed back to the clients.

I hope this answers your question.
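To make the mechanism in the answer concrete, here is a small model of a L2 switch whose CAM table is keyed per VLAN, with a transparent bridge standing in for the ACE between VLAN 18 and VLAN 118. It is an added illustration, not code from the thread or from Cisco; the port names, MAC addresses and the single-switch topology are constructed assumptions. It shows why the server MAC legitimately appears once per VLAN, and that each frame is still delivered exactly once to the server and once to the gateway.

```python
"""Toy per-VLAN MAC learning model for the ACE bridged-VLAN scenario.
Constructed example: port names and MACs are assumptions, not real devices."""
from collections import defaultdict

CLIENT_VLAN, SERVER_VLAN = 18, 118
ACE_PORT = "Fa0/1"      # port towards the ACE, carries both VLANs (assumption)
SERVER_PORT = "Fa0/3"   # server access port in VLAN 118 (assumption)
UPLINK_PORT = "Fa0/24"  # port towards the gateway in VLAN 18 (assumption)


class Switch:
    def __init__(self, ports):
        self.ports = ports                  # port -> set of VLANs it carries
        self.cam = {}                       # (vlan, mac) -> port
        self.delivered = defaultdict(list)  # port -> frames sent out of it

    def receive(self, in_port, vlan, src, dst):
        # Learning is keyed by (vlan, mac): the same MAC heard on two VLANs
        # produces two entries, which is what "show mac-add | inc xxxx" lists.
        self.cam[(vlan, src)] = in_port
        known = self.cam.get((vlan, dst))
        # Forward only within the ingress VLAN: unicast if known, else flood.
        targets = [known] if known else [
            p for p, vlans in self.ports.items() if vlan in vlans and p != in_port]
        for p in targets:
            self.delivered[p].append((vlan, src, dst))
        return targets


class AceBridge:
    """Transparent bridge: re-emits the frame unchanged on the other VLAN."""
    def __init__(self, switch, port):
        self.switch, self.port = switch, port

    def relay(self, vlan, src, dst):
        other = CLIENT_VLAN if vlan == SERVER_VLAN else SERVER_VLAN
        return self.switch.receive(self.port, other, src, dst)


def request_and_reply(server_mac="00aa.bbcc.0001", gw_mac="00aa.bbcc.ff00"):
    sw = Switch({ACE_PORT: {CLIENT_VLAN, SERVER_VLAN},
                 SERVER_PORT: {SERVER_VLAN}, UPLINK_PORT: {CLIENT_VLAN}})
    ace = AceBridge(sw, ACE_PORT)
    # Gateway request: heard on VLAN 18, bridged by the ACE into VLAN 118.
    if ACE_PORT in sw.receive(UPLINK_PORT, CLIENT_VLAN, gw_mac, server_mac):
        ace.relay(CLIENT_VLAN, gw_mac, server_mac)
    # Server reply: heard on VLAN 118, bridged by the ACE back into VLAN 18.
    if ACE_PORT in sw.receive(SERVER_PORT, SERVER_VLAN, server_mac, gw_mac):
        ace.relay(SERVER_VLAN, server_mac, gw_mac)
    return sw


def cam_entries(sw, mac):
    return sorted((vlan, port) for (vlan, m), port in sw.cam.items() if m == mac)
```

Running `request_and_reply()` leaves the server MAC in the CAM once for VLAN 118 (on its access port) and once for VLAN 18 (on the ACE port), while the server and gateway ports each see exactly one copy of their frame.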