Showing results for 
Search instead for 
Did you mean: 
Join Customer Connection to register!

Router learns MAC address from switch that doesn't have it?

I need help understanding how a router learns a MAC address from a switch that doesn't appear to have it?

The router is C9500-40X, and the directly connected switch is WS-C3850-24XU.

From the router:

#sh mac add add 0000.00ff.ef52
          Mac Address Table

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 100    0000.00ff.ef52    DYNAMIC     Te1/0/9
 108    0000.00ff.ef52    DYNAMIC     Te1/0/9
 110    0000.00ff.ef52    DYNAMIC     Te1/0/9
 120    0000.00ff.ef52    DYNAMIC     Te1/0/9
 180    0000.00ff.ef52    DYNAMIC     Te1/0/9
 181    0000.00ff.ef52    DYNAMIC     Te1/0/9
 182    0000.00ff.ef52    DYNAMIC     Te1/0/9
 183    0000.00ff.ef52    DYNAMIC     Te1/0/9
 184    0000.00ff.ef52    DYNAMIC     Te1/0/9
 185    0000.00ff.ef52    DYNAMIC     Te1/0/9
 186    0000.00ff.ef52    DYNAMIC     Te1/0/9
 187    0000.00ff.ef52    DYNAMIC     Te1/0/9
 188    0000.00ff.ef52    DYNAMIC     Te1/0/9
 200    0000.00ff.ef52    DYNAMIC     Te1/0/9
 300    0000.00ff.ef52    DYNAMIC     Te1/0/9
 800    0000.00ff.ef52    DYNAMIC     Te1/0/9
 801    0000.00ff.ef52    DYNAMIC     Te1/0/9
 875    0000.00ff.ef52    DYNAMIC     Te1/0/9
 910    0000.00ff.ef52    DYNAMIC     Te1/0/9
Total Mac Addresses for this criterion: 19

#sh cdp nei Te1/0/9
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone, 
                  D - Remote, C - CVTA, M - Two-port Mac Relay 

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
                 Ten 1/0/9         145              S I   WS-C3850- Ten 1/1/4

Total cdp entries displayed : 1

When I connect to that switch though, it's not there:

216-501-cis2#sh mac add add 0000.00ff.ef52
          Mac Address Table

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----

If I shut down the interface (Ten1/0/9) on the 9500 then the MAC address table entries go away, and when I bring it back up again they come back, so it's not something old and leftover -- it's actively re-learned more or less immediately.


Also interesting is that I see this MAC address across multiple VLANs, but not all existing vlans. I've also verified that this MAC address is not the address of any of the interfaces on these devices.

Any suggestions as to how this MAC address table is being learned?




The configuration is pretty standard, but I don't think it's something "lingering" anywhere; I think I mentioned in the original post that if I shut down the interface that connects the 3850, these MAC address entries disappear from the router's forwarding table. (And they disappear from the tables in all the other devices in the LAN too.)


Note that with this link shut down, the switch IS still reachable through an alternate path, but this MAC address is not re-learned. [EDIT: Not True -- sorry. It does get re-learned through the alternate path, it just took a little time. Sorry for the misleading assumption.]


When I bring the router interface back up, the MAC address table entries return, though the connected switch never learns them (all the other switches in the LAN do).

ok, so the primary link is direct connection, to the switch and the backup, is that also direct?

just to be 100% clear, you have no ACTIVE ports on the switch besides the trunk? no hosts and no other switches, etc?

Either way, the only thing I can think of left is:

- now that you have the backup link going, check arp now on the router and see if its different

- if you have dhcp configured on the router or switch, check for dhcp binding, maybe the device got an IP

- try using “switch port-mapping” tool, maybe that will detect it

- turn on logging on the switch, level 7, turn on your logging on switch ports, ( just remove “no logging event link-status”) maybe you’ll be able to  get some traces/logs etcc. From there

- I see you have dhcp snooping enabled, do you have that propagated across all vlans?

Evgeny Taskaev

I faced with this strange situation also.
I have dozen WS-C3850-48P with IOS Version 16.3.7 connected to central WS-C4507R+E.
I have a lot of MACs like 0000.00ff.* on the central switch and nowhere else.
I guess it may be connected with RSPAN, configured in our environment.

I have not saw MACs 0000.00ff.* from test switch until i have configured RSPAN on it.


monitor session 1 source vlan 311
monitor session 1 destination remote vlan 901


And then it appeared on the central switch:

C4507#sh mac ad
vlan mac address type protocols port
311 0000.00ff.f02e dynamic ip,ipx,assigned,other Port-channel63


I face the same situation too. 

We have two core 4503 in VSS. Access switches 3650 and 2960.

A lot of 0000.00ff.xxxx ac addressess on all switches. It's imposible to locate switch's port the mac address originated from - they don't exist in mac table of the last switch in chain.

mac table looks like

100 0000.00ff.e69c dynamic ip,ipx,assigned,other GigabitEthernet2/3/3
100 0000.00ff.e8aa dynamic ip,ipx,assigned,other Port-channel25
100 0000.00ff.e8ee dynamic ip,ipx,assigned,other Port-channel1
100 0000.00ff.ebd0 dynamic ip,ipx,assigned,other Port-channel24
100 0000.00ff.ec8a dynamic ip,ipx,assigned,other Port-channel26
100 0000.00ff.ee38 dynamic ip,ipx,assigned,other GigabitEthernet1/3/3
100 0000.00ff.efb8 dynamic ip,ipx,assigned,other Port-channel22
100 0008.e3ff.fc28 static ip,ipx,assigned,other Switch
100 3890.a5a5.c0d1 dynamic ip,ipx,assigned,other Port-channel2


the same mac address can be shown on differemt vlans:


#sh mac address-table | in 0000.00ff.e8aa
100 0000.00ff.e8aa dynamic ip,ipx,assigned,other Port-channel25
101 0000.00ff.e8aa dynamic ip,ipx,assigned,other Port-channel25
200 0000.00ff.e8aa dynamic ip,ipx,assigned,other Port-channel25
201 0000.00ff.e8aa dynamic ip,ipx,assigned,other Port-channel25
700 0000.00ff.e8aa dynamic ip,ipx,assigned,other Port-channel25
710 0000.00ff.e8aa dynamic ip,ipx,assigned,other Port-channel25
720 0000.00ff.e8aa dynamic ip,ipx,assigned,other Port-channel25
730 0000.00ff.e8aa dynamic ip,ipx,assigned,other Port-channel25


May be it's important - the largest amount of those mac addresses is on vlan 730. Vlan 730 is Guest Wi-Fi vlan. We have FlexConnect APs there with central authentication and local switching scheme.


Where can all of those mac addresses appear from?