Clustered server MAC address missing from Table

scottwilliamson · ‎10-11-2011

Hi,

We have strange behaviour on one of our VLANs; the traffic meant for one server address 172.X.Y.16 seems to appear on several of the other servers in the VLAN (our server team sniffed the traffin on the servers directly). Also, the MAC address associated with the cluster of IP addresses is missing from the MAC table:

Mw6509VSS#sh ip arp 172.X.Y.16
Protocol Address          Age (min) Hardware Addr   Type   Interface
Internet 172.X.Y.16         218   02bf.ac14.6e10 ARPA   Vlan140
Mw6509VSS#
Mw6509VSS#sh ip arp   02bf.ac14.6e10
Protocol Address          Age (min) Hardware Addr   Type   Interface
Internet 172.X.Y.16         219   02bf.ac14.6e10 ARPA   Vlan140
Internet 172.X.Y.14         216   02bf.ac14.6e10 ARPA   Vlan140
Internet 172.X.Y.15          41   02bf.ac14.6e10 ARPA   Vlan140

But:

Mw6509VSS#sh mac- address 02bf.ac14.6e10
Legend: * - primary entry
age - seconds since last seen
n/a - not available

vlan mac address type learn age ports
------+----------------+--------+-----+----------+--------------------
No entries present.

Can anyone tell me what is going on? We are running 12.2(33)SXI5 on our 6509 VSS.

Many Thanks

Scott

cadet alain · ‎10-11-2011

Hi,

the entries in the arp cache were being learned a long time ago, I think the timeout is 4 hours but the entries in CAM table timeout after 5 mins.So if you haven't received traffic from this MAC address for less than 5 mins it's normal it is not in the CAM table but still in the arp cache.

Regards.

Alain.

Don't forget to rate helpful posts.

scottwilliamson · ‎10-11-2011

Thanks Alain, but I don't think it is that simple, there is definitely traffic going to the .16 address but yet there is no MAC table entry, also there is another example of this (three IP addresses, one MAC in ARP but no MAC table entry).

cadet alain · ‎10-11-2011

Hi,

to rule out this simple reason then just clear arp cache, create traffic for this IP/MAC and look at CAM table again

Alain.

Don't forget to rate helpful posts.

Chakradhar Thammineni · ‎01-28-2015

Hi,

Mostly this behaviour is due to Microsoft NLBs, if any MAC starting with 02bf, it is definitely Software load balancer cluster.

From a client, ping the IP address of your NLB cluster.

From the same client, run arp -a fom the command prompt.

You should see something like this (I will assume 192.168.2.11 for the NLB cluster IP address):

Internet Address Physical Address Type

192.168.2.11 02-bf-c0-a8-02-0b Dynamic

It will list other addresses and their MACs as well, but we are only interested in the NLB address. 02-bf-c0-a8-02-0b breaks down into nice little components like so:

The first number is the type of NLB configuration: 01=IGMP, 02=Unicast, 03=Multicast

The second number, (bf), is unknown in its origin, but it is the same for all NLB configurations

The next four numbers are the IP address, i.e. c0=192, a8=168, 02=2, 0b=11 and thus the IP of 192.168.2.11.

faquilino · ‎08-11-2016

Hello,

By design, the NLB never send frames with this mac address as source. Thus, the switch never learns the mac and flood the entire VLAN (or multicast group).

See http://blogs.msmvps.com/clusterhelp/2006/06/24/network-load-balancing-and-mac-addresses/