cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1138
Views
0
Helpful
5
Replies

multiple MAC addresses on a switchport

cisco24x7
Level 6
Level 6

I have a pair of Checkpoint NGx R65

running in ClusterXL Active/Active

Unicast mode.

Eth0 of FW1 is connect to Catalyst switch SW1 6513 port 7/7 and Eth0 of FW2

is connected to Catalyst switch SW2 6513 port 7/8. There is an EtherChannel

trunk between these two switches.

When I connect to SW1 and run "show cam dynamic 7/7" I see this:

CAT6513-1> sh cam dynamic 7/7

* = Static Entry. + = Permanent Entry. # = System Entry. R = Router Entry.

X = Port Security Entry $ = Dot1x Security Entry M = Mac-Auth-Bypass Entry

Destination Ports or

VLAN Dest MAC/Route Des [CoS] Age VCs / [Protocol Type]

---- ------------------ ----- ---------- ---------------------

199 00-15-17-79-12-c6 0 7/7 [ALL]

199 00-d0-fe-8e-40-03 0 7/7 [ALL]

199 00-00-00-00-fe-00 0 7/7 [ALL]

199 00-d0-fe-8e-64-03 0 7/7 [ALL]

Total Matching CAM Entries Displayed = 4

CAT6513>

00-15-17-79-12-c6 = Firewall #1 physical MAC address

00-d0-fe-8e-40-03 = Cisco MAC address (no idea where it comes from)

00-00-00-00-fe-00 = Firewall #1 ClusterXL MAC address

00-d0-fe-8e-64-03 = Cisco MAC address (no idea where it comes from)

can someone tell me where the other Cisco

MAC addresses come from? I could not

find those mac addresses anywhere on the

switchports on both switches.

Thanks in advance.

5 Replies 5

Giuseppe Larosa
Hall of Fame
Hall of Fame

Hello David,

I would look at the other Catalyst CAT6513-2 they send out some L2 multicast frames for CDP, VTP and so on. In sending these frames they use their own MAC addresses as source.

verify with a sh module if 00-d0-fe-8e-40-03 and 00-d0-fe-8e-64-03 are in the MAC address block of device CAT6513-2

Hope to help

Giuseppe

David,

A MAC address earch reveals:-

MAC Address

Prefix Vendor

00D0FE Astral Point

Astral point are an optical fibre transmission manufactoring company, what is the trunk between the swtiches? Is it fibre?

HTH>

Thank you guys. I will check. Andrew, yes, they are connected by fibre.

If I replace the Checkpoint NGx R65 firewalls

with Checkpoint NG with Application Intelligence

R55 firewalls, I will NOT see those MAC

addresses on the switchport. Why?

Hello David,

probably they have a different behaviour on L2 traffic.

If you can, try to use SPAN to capture the traffic and you will see what kind of frames have source MAC address the ones you see on switch.

What is strange is that the Astral should be in the middle so you should always see its frames !

Hope to help

Giuseppe

pet.goh
Level 1
Level 1

Review Cisco Networking for a $25 gift card