Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3089
Views
0
Helpful
19
Replies

Router learns MAC address from switch that doesn't have it?

chd
Level 1
Level 1

‎01-15-2019 12:06 PM - edited ‎03-08-2019 05:02 PM

I need help understanding how a router learns a MAC address from a switch that doesn't appear to have it?

The router is C9500-40X, and the directly connected switch is WS-C3850-24XU.

From the router:

#sh mac add add 0000.00ff.ef52
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 100    0000.00ff.ef52    DYNAMIC     Te1/0/9
 108    0000.00ff.ef52    DYNAMIC     Te1/0/9
 110    0000.00ff.ef52    DYNAMIC     Te1/0/9
 120    0000.00ff.ef52    DYNAMIC     Te1/0/9
 180    0000.00ff.ef52    DYNAMIC     Te1/0/9
 181    0000.00ff.ef52    DYNAMIC     Te1/0/9
 182    0000.00ff.ef52    DYNAMIC     Te1/0/9
 183    0000.00ff.ef52    DYNAMIC     Te1/0/9
 184    0000.00ff.ef52    DYNAMIC     Te1/0/9
 185    0000.00ff.ef52    DYNAMIC     Te1/0/9
 186    0000.00ff.ef52    DYNAMIC     Te1/0/9
 187    0000.00ff.ef52    DYNAMIC     Te1/0/9
 188    0000.00ff.ef52    DYNAMIC     Te1/0/9
 200    0000.00ff.ef52    DYNAMIC     Te1/0/9
 300    0000.00ff.ef52    DYNAMIC     Te1/0/9
 800    0000.00ff.ef52    DYNAMIC     Te1/0/9
 801    0000.00ff.ef52    DYNAMIC     Te1/0/9
 875    0000.00ff.ef52    DYNAMIC     Te1/0/9
 910    0000.00ff.ef52    DYNAMIC     Te1/0/9
Total Mac Addresses for this criterion: 19

#sh cdp nei Te1/0/9
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone, 
                  D - Remote, C - CVTA, M - Two-port Mac Relay 

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
216-501-cis2
                 Ten 1/0/9         145              S I   WS-C3850- Ten 1/1/4

Total cdp entries displayed : 1

When I connect to that switch though, it's not there:

216-501-cis2#sh mac add add 0000.00ff.ef52
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
216-501-cis2#

If I shut down the interface (Ten1/0/9) on the 9500 then the MAC address table entries go away, and when I bring it back up again they come back, so it's not something old and leftover -- it's actively re-learned more or less immediately.

 

Also interesting is that I see this MAC address across multiple VLANs, but not all existing vlans. I've also verified that this MAC address is not the address of any of the interfaces on these devices.

Any suggestions as to how this MAC address table is being learned?

Thanks!!

-Chris

2 people had this problem
Labels:
0 Helpful
19 Replies 19

Hulk8647
Level 1
Level 1

‎01-15-2019 12:25 PM

The mac address apperars to be of a XEROX CORPORATION

Do you have XEROX machine somewhere?

0 Helpful

chd
Level 1
Level 1
In response to Hulk8647

‎01-15-2019 12:27 PM

Not that I know of, but some user in this building probably does. Even if so, I should be able to see where the address was learned from the 3850, right? But it doesn't seem to have it at all, which is what I don't get.
0 Helpful

Hulk8647
Level 1
Level 1
In response to chd

‎01-15-2019 12:33 PM

have you tried doing this on the switch for the heck of it just to ensure.

 

sh mac add | i f52
0 Helpful

Hulk8647
Level 1
Level 1
In response to chd

‎01-15-2019 12:35 PM - edited ‎01-15-2019 12:39 PM

also, can you do this on the switch and router, see if there is an IP attached to the ARP

show arp

 

0 Helpful

chd
Level 1
Level 1
In response to Hulk8647

‎01-15-2019 12:40 PM

Yep, did that. "sh mac add | in f52" returns nothing.

 

"show arp" returns a handful of entries, none for this address.

216-501-cis2#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  172.16.3.1              2   0000.0c07.ac01  ARPA   Vlan900
Internet  172.16.3.16             0   0072.78cd.9bc1  ARPA   Vlan900
Internet  172.16.3.17             -   682c.7b3f.7fc5  ARPA   Vlan900
Internet  172.16.3.18             1   0072.78cd.ec41  ARPA   Vlan900
Internet  172.16.3.19             0   682c.7b3f.8fc5  ARPA   Vlan900
Internet  172.16.3.20             1   0072.78cd.f641  ARPA   Vlan900
Internet  172.16.3.21             0   682c.7b3f.9045  ARPA   Vlan900
Internet  172.16.3.22             3   0072.7873.0f41  ARPA   Vlan900
216-501-cis2#

Also, "sh int | in ef52" returns nothing (verifying it's not a local interface).

0 Helpful

Hulk8647
Level 1
Level 1
In response to chd

‎01-15-2019 12:45 PM

Ok, and you did show arp on router too and nothing there?

0 Helpful

chd
Level 1
Level 1
In response to Hulk8647

‎01-15-2019 12:51 PM

"Ok, and you did show arp on router too and nothing there?"

Correct. It's in the MAC forwarding table, but not in the arp table. (Any of them -- there are several VRFs configured, but I checked them all).
0 Helpful

Hulk8647
Level 1
Level 1
In response to chd

‎01-15-2019 12:52 PM

can you show how your switchport configs look like? sh run int ###
0 Helpful

chd
Level 1
Level 1
In response to Hulk8647

‎01-15-2019 12:55 PM

The C9500 port connecting to the 3850 switch:

interface TenGigabitEthernet1/0/9
 switchport trunk native vlan 999
 switchport mode trunk
 logging event link-status
 logging event trunk-status
 logging event spanning-tree
 spanning-tree portfast disable
end

The 3850 switch port connecting back to the 9500:

interface TenGigabitEthernet1/1/4
 description 216-03-cir2 C9500-40X Ten 1/0/9
 switchport trunk native vlan 999
 switchport mode trunk
 logging event link-status
 logging event trunk-status
 logging event spanning-tree
 spanning-tree portfast disable
 ip dhcp snooping trust
end
0 Helpful

Hulk8647
Level 1
Level 1
In response to chd

‎01-15-2019 12:57 PM

Sorry, meant your config of regular host ports. dont have anything port-security enabled anywhere or anything?
0 Helpful

chd
Level 1
Level 1
In response to Hulk8647

‎01-15-2019 01:00 PM

We do have port security enabled generally, though there's nothing connected to this switch yet except the management interface for a UPS.

The default configuration out to and end station looks like this though, unless it needs to be modified for a particular case:

interface TenGigabitEthernetXXXX
 switchport access vlan XXX
 switchport mode access
 switchport voice vlan 200
 switchport port-security maximum 100
 switchport port-security violation restrict
 switchport port-security aging time 1
 switchport port-security aging type inactivity
 switchport port-security
 no logging event link-status
 spanning-tree portfast
 ip dhcp snooping limit rate 15
0 Helpful

Hulk8647
Level 1
Level 1
In response to chd

‎01-15-2019 01:03 PM - edited ‎01-15-2019 01:03 PM

on version are you on?

0 Helpful

chd
Level 1
Level 1
In response to Hulk8647

‎01-15-2019 01:10 PM

Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 16.3.5b

0 Helpful

Hulk8647
Level 1
Level 1
In response to chd

‎01-15-2019 01:17 PM

since you said there is nothing connected to the host ports on the switch for the router to detect the MAC address in question, there must be something lingering on the router that hold that MAC. have you tried clearing the "mac address table" on the router? also, have you check for any weird mac address configs on the router that would force this?
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card