Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1988
Views
0
Helpful
8
Replies

Nokia Firewalls sending frames with duplicate MAC address

hbaerten
Level 4
Level 4

‎07-29-2002 01:08 AM - edited ‎03-02-2019 12:14 AM

Hi,

since our firewall supplier does not seem to be able to come up with a proper solution, I thought maybe an approach from a different angle might work.

Setup:

[Nokia1] -- [switchA] -- [switchB] -- [switchC] -- [switchD] -- [Nokia2]

The switches are c2912 and c2924M models, firewalls are Nokia IP440 and IP530 with Checkpoint NG.

(Actually there are 6 firewalls in total, above is a simplified scheme)

All firewall interfaces discussed here are in the same vlan.

Problem:

since the upgrade of the firewalls to NG, we get errors on the switches:

"Jul 29 10:00:16.387 CEDT: %RTD-1-ADDR_FLAP: FastEthernet0/1 relearning 84 addrs per min".

When we check the mac-address-table, there is one address 0000.0000.fe01 flapping between the ports the firewalls are connected to and the trunks.

When sniffing this vlan, we notice that all firewalls are sending frames with the same source mac address 0000.0000.fe01 to the broadcast address ffff.ffff.ffff.

On layer 3 it is UDP traffic to port 8116 which is identified as being Checkpoint state sync.

To me, the proper solution would be to somehow configure the firewalls to use unique mac addresses, but in absence of such a possibility (firewall supplier says it cannot be done), can anyone suggest alternative measures to take?

E.g. can we configure the switches to not learn this specific mac address? It is never used as a destination address so it would not be harmful it it never reaches the mac table...

Thanks in advance for any suggestions.

Labels:
0 Helpful
8 Replies 8

ptrigueira
Level 1
Level 1

‎07-29-2002 03:39 AM

Hi,

Are you using "state sync" for asymmetric routing ??? (where a request comes from one firewall and gets out from another...(from what a read this is not the proper way to do it...

anyway you should connect the two fw direcly with a cross-cable...

0 Helpful

hbaerten
Level 4
Level 4
In response to ptrigueira

‎07-29-2002 04:07 AM

No, we're not doing asymmetric routing, the state sync is used to have stateful failover in combination with VRRP.

The cross cable solution is not an option, as the firewalls are physically at different sites (in fact switchB and switchC in my example are connected via an ATM link). Thanks for the suggestion though.

0 Helpful

alaquiante
Level 1
Level 1

‎08-02-2002 06:34 AM

Hi Herbert,

I would use static entries for the cam table.

Example (3524-XL) for Switch A

(Nokia 1 on int fa0/1 and Switch B on int fa0/2)

Switch#sh mac

Dynamic Address Count: 0

Secure Address Count: 0

Static Address (User-defined) Count: 1

System Self Address Count: 49

Total MAC addresses: 50

Maximum MAC addresses: 8192

Static Address Table:

Destination Address VLAN Input Port Output Ports

------------------- ---- ---------- -----------------------

0000.0000.fe01 1 Fa0/1 Fa0/2

1 Fa0/2 Fa0/1

...

Hope that works for you,

Please give me feedback,

have a great day

Andy

0 Helpful

hbaerten
Level 4
Level 4
In response to alaquiante

‎08-12-2002 03:44 AM

Hi Andy,

thanks for the response but I'm not sure I understand your suggestion.

Say I define 0000.0000.fe01 statically on Fa0/1.

Then a broadcast frame arrives on port Fa0/2 with source 000.000.fe01, what will happen? Will the frame be discarded or forwarded? Will the source address be added to the dynamic address table (conflicting with the static entry) or not?

Anyhow thanks for the tip, I will certainly look into it.

best regards

Herbert

0 Helpful

alaquiante
Level 1
Level 1
In response to hbaerten

‎08-15-2002 06:19 AM

Hi Herbert,

I tried to express the idea to define the mac address statically two times,

which is possible on my 3500XL and it should work on your 2900XL as well.

One config states Fa0/1 as the ingress if and Fa0/2 as the egress if.

The second statement defines for the same MAC address Fa0/2 as the

ingress and Fa0/1 as the egress. The result would be the desired forwarding

charateristic.

Broadcast Frames are always forwarded out of all ports -belonging to the same vlan- except the ingress port. The source MAC should not be relearned

because it is already statically defined.

Hope this helps,

have a great day

Andy

0 Helpful

cheath
Level 1
Level 1

‎08-09-2002 07:54 PM

Just read a Checkpoint tips and tricks document today that indicated that Checkpoint uses the same MAC address on all interfaces. The best bet is to change them to be unique. The document mentioned it for performance enhancement reasons. Your mileage may vary.

Chandler

0 Helpful

cheath
Level 1
Level 1

‎08-09-2002 07:54 PM

Just read a Checkpoint tips and tricks document today that indicated that Checkpoint uses the same MAC address on all interfaces. The best bet is to change them to be unique. The document mentioned it for performance enhancement reasons. Your mileage may vary.

Chandler

0 Helpful

hbaerten
Level 4
Level 4
In response to cheath

‎08-12-2002 03:05 AM

Thanks, but did this document mention _how_ to change the mac address used for state sync?

0 Helpful
Customers Also Viewed These Support Documents