The same MAC addresses appearing in multiple VLANs

Hi

 

Background

I have set up an SG300-28 as a layer 2 switch with multiple VLANs.

There are the following VLANs:

1 | Default | Enabled | Enabled
100 | BT ADSL+ Firewalled | Static | Enabled | Enabled
200 | Virgin Fibre Firewalled | Static | Enabled | Enabled
300 | Tardis Backup LAN | Static | Enabled | Enabled
500 | BT ADSL+ RAW | Static | Disabled | Enabled
600 | Virgin Fibre RAW | Static | Disabled | Enabled

 

The interface ports are all set as Access mode and are either assigned to the VLAN or left to default.

The Fibre combo port GE28 can be set as either Trunk or Access - the issue is the same.

 

I also use Fortigate Firewalls with a WAN interface, DMZ interface and LAN internal interface

The Firewall rules block any traffic from the internal interface going to or from either the WAN or LAN interface

---------------------------------------------------------------------------------

The concern.

When I look at the MAC Address Tables -> Dynamic Addresses I find that MAC addresses belonging on my default VLAN, essentially my in-house LAN, are also listed as appearing on ports of multiple other VLANs, and always on the interfaces that connect to my Fortigate firewalls that are in bridge mode to the respective vendors' routers.

Not on the VLAN 300 which has devices running on it.

VLAN 1 : Interface GE28 - Fibre connection to another 6 Cisco SG300-28pp switches.

VLAN 100 : Interface GE1 - Connection to Fortigate firewall responsible for BT WAN

VLAN 200 : Interface GE13 - Connection to Fortigate firewall responsible for Virgin Fibre WAN

 

VLAN ID    MAC Address          Interface
VLAN 1     78:3e:53:41:8c:16    GE28
VLAN 100   78:3e:53:41:8c:16    GE1
VLAN 200   78:3e:53:41:8c:16    GE13

 

-----------------------------------------------------------------------------------------

The Question.

How is this happening?

What are the security implications?

How can I prevent this?

 

Looking forward to some assistance in resolving this headache

 

David

1 Accepted Solution

Puneet

Thank you.

Actually the MAC address is just an example. Every MAC address from my LAN reappears on the VLAN 100 and VLAN 200.

To make it stop, I have had to unplug the LAN interfaces of my Fortigate 60E devices.

 

It would appear that the problem is with the Fortigate boxes.

 

The configuration is as per the diagram below, with the Fortigate 60E in transparent mode acting as a firewall only and no internal routing between the WAN or DMZ and the LAN.

                                                                         CISCO SG300-28
                                                                    +-----------------------+
           +-----------------+               |-----> Server 1       |                       |
WAN 1 >>---|  FORTIGATE 60E  | ----->>>> DMZ +-----> Server 2 ----> |  I/F set to VLAN 100  |
           +--------+--------+               |-----> Server 3       |                       |
              LAN   |                                               |                       |
           internal +------------------->>>> In house network ----> |  I/F VLAN 1           |
                                                                    |                       |
           internal +------------------->>>> In house network ----> |  I/F VLAN 1           |
              LAN   |                                               |                       |
           +--------+--------+               |-----> Server 4       |                       |
WAN 2 >>---|  FORTIGATE 60E  | ----->>>> DMZ +-----> Server 5 ----> |  I/F set to VLAN 200  |
           +-----------------+               |-----> Server 6       |                       |
                                                                    |                       |
                                                   Computer 1 ----> |  I/F VLAN 1           |
                                                   Computer 2 ----> |  I/F VLAN 1           |
                                                                    +-----------------------+

 

 

It appears that the Fortigate 60E sees MAC addresses for Computer 1 and Computer 2 on its LAN interface and repeats them on the DMZ interface, which then makes them reappear on different ports.

This is causing delays in ARP processing as the MAC addresses are appearing as available on two physical interfaces.

If anyone knows how to cure the Fortigates or any other help, I would be grateful.

 

Regards

 

David
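
The symptom reported in this thread, LAN MAC addresses learned in VLAN 1 and again on the firewall-facing ports of VLAN 100 and VLAN 200, can be checked across a whole address table rather than one entry at a time. The following is an added example, not part of the original thread and not Cisco or Fortinet code; it assumes the table has been exported as text with VLAN, MAC and interface columns, and the function names and every sample row except the first MAC and its ports are constructed.

```python
import re
from collections import defaultdict

# Constructed sample; only the first MAC and its three ports come from the post.
SAMPLE_TABLE = """\
VLAN ID  MAC Address        Interface
VLAN 1   78:3e:53:41:8c:16  GE28
VLAN 100 78:3e:53:41:8c:16  GE1
VLAN 200 78:3e:53:41:8c:16  GE13
VLAN 1   00-11-22-33-44-55  GE5
VLAN 100 0011.2233.4455     GE1
VLAN 200 00:11:22:33:44:55  GE13
VLAN 100 02:00:00:00:01:0a  GE2
VLAN 300 02:00:00:00:03:0b  GE20
"""

ROW = re.compile(r"^\s*(?:VLAN\s+)?(\d+)\s+([0-9A-Fa-f.:-]{12,17})\s+(\S+)\s*$")

def normalise_mac(text):
    """Return aa:bb:cc:dd:ee:ff for colon, dash or dotted notation, else None."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", text).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)) if len(digits) == 12 else None

def find_leaks(text, home_vlan=1):
    """Map each MAC learned in home_vlan to the other (vlan, port) pairs it shows up on."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = ROW.match(line)
        mac = normalise_mac(m.group(2)) if m else None
        if mac:  # header and malformed rows are skipped
            seen[mac].add((int(m.group(1)), m.group(3)))
    leaks = {}
    for mac, places in seen.items():
        foreign = sorted(p for p in places if p[0] != home_vlan)
        if foreign and len(foreign) < len(places):  # present in home_vlan and elsewhere
            leaks[mac] = foreign
    return leaks

def suspect_ports(leaks):
    """Rank foreign (vlan, port) pairs by how many home-VLAN MACs were learned there."""
    counts = defaultdict(int)
    for places in leaks.values():
        for place in places:
            counts[place] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    for place, n in suspect_ports(find_leaks(SAMPLE_TABLE)):
        print(f"VLAN {place[0]} port {place[1]}: {n} VLAN 1 MAC(s) also learned here")
```

Ports at the top of the ranking are where a device bridging the home VLAN into another VLAN is attached; in the sample they are GE1 and GE13, the two firewall-facing interfaces named in the post.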


2 Replies

psandel
Cisco Employee

Hi David,

 

Hello once again. :)

 

My name is Puneet and I am from the Cisco small business support center.

As per your concern, kindly let us know which device has the MAC address 78:3e:53:41:8c:16.

Compare it with your laptop or switch. This has to be the MAC address of the switch.

 

Also it has no impact on the security of the network. 

 

Regards,

Puneet Sandel

Technical Consulting Engineer-Level 2

Global CX Centers – Small Business Support
