Lost MAC address for Uplink to Palo Alto firewall in select VLANs

aweise
Level 1

We have a 3650 switch as our access switch in our branch offices. The uplink goes to a Palo Alto firewall (PA-220) on a single trunk port, where we trunk multiple VLANs. We use a separate router to terminate the WAN circuits. The general topology is like so:

 

Cisco 1111x-8P  <----->  Palo Alto firewall <-----> Cisco 3650 switch

 

I am occasionally seeing a situation where I see the MAC address of the Palo Alto in various VLANs, but not all of them. Here is the configuration for the uplink port (Gi1/0/48 is the uplink port):

 

interface GigabitEthernet1/0/48
description *** Uplink to FW01 Eth1/2 ***
switchport trunk native vlan 999
switchport trunk allowed vlan 100,101,104,105,107-111,120,125,131,138,170,171
switchport trunk allowed vlan add 500,600
switchport mode trunk
switchport block multicast
switchport block unicast
load-interval 30
auto qos trust dscp
spanning-tree portfast
spanning-tree guard root
service-policy input AutoQos-4.0-Trust-Dscp-Input-Policy
service-policy output AutoQos-4.0-Output-Policy

 

When I look at the MAC address table for anything on the uplink, I see this:

 

#sh mac address-table | inc 1/0/48
100 c424.5674.4911 DYNAMIC Gi1/0/48
101 c424.5674.4911 DYNAMIC Gi1/0/48
120 c424.5674.4911 DYNAMIC Gi1/0/48
500 c424.5674.4911 DYNAMIC Gi1/0/48
600 c424.5674.4911 DYNAMIC Gi1/0/48
170 c424.5674.4911 DYNAMIC Gi1/0/48
108 c424.5674.4911 DYNAMIC Gi1/0/48

 

Notice that I'm missing a handful of VLANs - 104, 105, 107, 109, among others. When I look at the MAC address table for anything in VLAN 109, I see the MAC from the access port, but not the uplink:

 

#sh mac address-table | inc 109
109 000b.9421.4880 STATIC Gi1/0/47

 

One way to remedy this is to ping a device in one of those VLANs and I'm then able to see the MAC on the uplink.

 

Why would this happen? It seems like any traffic generated to that VLAN would need to refresh the MAC address table.

 

Would specifying the aging time to be longer than the default help this?
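As an added example (not code from the post or from Cisco), the small Python script below parses the uplink's allowed-VLAN lists from the trunk config and the MAC table output quoted above, and reports the allowed VLANs that currently have no learned entry on the uplink, which is the set the poster describes as missing. The sample input is constructed from the text of the post; the port name Gi1/0/48 is the one given there.

```python
import re

# Constructed sample input, taken from the post: the trunk's allowed-VLAN
# lines and the 'show mac address-table | inc 1/0/48' output.
UPLINK_CONFIG = """\
interface GigabitEthernet1/0/48
 switchport trunk allowed vlan 100,101,104,105,107-111,120,125,131,138,170,171
 switchport trunk allowed vlan add 500,600
"""
MAC_TABLE = """\
100 c424.5674.4911 DYNAMIC Gi1/0/48
101 c424.5674.4911 DYNAMIC Gi1/0/48
120 c424.5674.4911 DYNAMIC Gi1/0/48
500 c424.5674.4911 DYNAMIC Gi1/0/48
600 c424.5674.4911 DYNAMIC Gi1/0/48
170 c424.5674.4911 DYNAMIC Gi1/0/48
108 c424.5674.4911 DYNAMIC Gi1/0/48
"""

def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '100,107-111,500' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans

def allowed_vlans(config):
    """Union of every 'allowed vlan' and 'allowed vlan add' list on the trunk."""
    allowed = set()
    for line in config.splitlines():
        m = re.match(r"\s*switchport trunk allowed vlan (?:add )?(\S+)$", line)
        if m:
            allowed |= parse_vlan_list(m.group(1))
    return allowed

def learned_vlans(mac_table, port):
    """VLANs in which at least one MAC has been learned on the given port."""
    seen = set()
    for line in mac_table.splitlines():
        fields = line.split()  # vlan, mac, type, port
        if len(fields) >= 4 and fields[3] == port:
            seen.add(int(fields[0]))
    return seen

def missing_uplink_vlans(config, mac_table, port):
    """Allowed VLANs whose uplink MAC entry has aged out or was never learned."""
    return sorted(allowed_vlans(config) - learned_vlans(mac_table, port))
```

Running missing_uplink_vlans(UPLINK_CONFIG, MAC_TABLE, "Gi1/0/48") on the sample lists 104, 105, 107 and 109 among the VLANs with no uplink entry, matching what the post observes.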


Why do you have these commands on that trunk port?

switchport block multicast
switchport block unicast

The guide for those commands says this:

Blocks unknown unicast forwarding to the port.

Which stops it from acting like a normal switch port. That could cause it to drop MAC addresses from the table. If you take those two commands off that interface, does that resolve the problem?

Elliot - we've been pretty cautious about what traffic gets forwarded over our trunk uplinks, but I can try removing these to see if that helps. We've had the same issue at other locations where these commands are NOT configured, so I didn't think that was the issue.

balaji.bandi
Hall of Fame
Notice that I'm missing a handful of VLANs - 104, 105, 107, 109, among others. When I look at the MAC address table for anything in VLAN 109, I see the MAC from the access port, but not the uplink:

Where is the SVI for these VLANs? (I mean the Layer 3 interface.) If you look at the above, all the MAC addresses are the same. When you ping the device, do you see the same MAC address or a different one?

 

#sh mac address-table | inc 109
109 000b.9421.4880 STATIC Gi1/0/47

This MAC address is different, so is this the end device? What device is this?

 

One way to remedy this is to ping a device in one of those VLANs and I'm then able to see the MAC on the uplink.

What is the end device connected? Maybe it is going into sleep mode if there is no traffic.

 

At this stage I am not sure what the issue is; we cannot pinpoint it. Please post the information below.

 

show version

show run

show ip interface brief

show vlan

BB

balaji.bandi,

 

This is a layer 2 switch - there are no SVIs. As I indicated, layer 3 gets terminated on a firewall that's connected to this trunk port. 
