Same VRRP mac address, different vlans, different source port.

Garry Cross
Level 1

I have run into a situation with same mac address, different vlans, different source ports.

The MAC in question happens to be a VRRP virtual mac.

One can imagine this could happen if two different admin groups configure the VRID of the two different devices with the same ID. You end up with the same virtual mac for both of these devices.

What this results in on a 3560X, not sure of other Cisco switches, is the MAC is flapping between the two VLANs. This results in unicast flooding occurring on whatever VLAN happens not to have the MAC in its forwarding table when a packet to that destination is received by the switch.

Normally this behavior would go unnoticed. In my case I found it troubleshooting another problem and it happens to be affecting a Riverbed Steelhead, causing it to learn destinations we don't want it to know about, bypassing the designed routing path. 

5 Replies

Gregory Snipes
Level 4

This should not be a problem. As long as the VLANs are not bridged together, having one MAC address in two VLANs should not give you any trouble. Both the ARP table and the MAC address table store the MAC with reference to the VLAN, it should not "flap".

That said, if you do have some weird circumstance where this is an issue, you could always switch over to HSRP. With HSRP you can use a different group number to manipulate the MAC, or just straight up configure a different MAC.

The VRID can be changed similar to the HSRP group number and that will change the MAC.

Also the MAC can be statically configured as well.

Thanks for the feedback.

The VRID is set for the whole router. The group number used by HSRP in its virtual MAC can be manipulated on a per-interface basis. I was not aware VRRP can statically code the MAC; I just tried to do so on an IOS 15 device and was unable to find a command to let me do so. What command are you using to statically code the MAC? Has statically coding the MAC not fixed this problem?

It is a Check Point firewall that is using VRRP. I am only assuming the VRID can be changed on it. I don't admin the Check Point. The same firewall is running VRRP on other VLANs with a different virtual MAC. The MAC in this instance with the issue is 0000.5e00.011e.

Thanks.

Yes, in Check Point you can put multiple interfaces in the same VRRP group. If you do this they will all have the same MAC for the associated VRRP IPs. As mentioned, this should not be a problem, but I found the destination traffic getting blasted across trunks in directions it should not be going. So I started looking at the MAC table and found this.

This was taken in rapid succession, ~5 seconds.

NSW-MARS-01#sh mac address-table | in 0000.5e00.0165
45 0000.5e00.0165 DYNAMIC Gi1/0/9
NSW-MARS-01#sh mac address-table | in 0000.5e00.0165
1 0000.5e00.0165 DYNAMIC Gi1/0/6
NSW-MARS-01#sh mac address-table | in 0000.5e00.0165
721 0000.5e00.0165 DYNAMIC Gi1/0/5
20 0000.5e00.0165 DYNAMIC Gi1/0/7
40 0000.5e00.0165 DYNAMIC Gi1/0/2
45 0000.5e00.0165 DYNAMIC Gi1/0/9
50 0000.5e00.0165 DYNAMIC Gi1/0/3
80 0000.5e00.0165 DYNAMIC Gi1/0/4
100 0000.5e00.0165 DYNAMIC Gi1/0/8
NSW-MARS-01#sh mac address-table | in 0000.5e00.0165
721 0000.5e00.0165 DYNAMIC Gi1/0/5
NSW-MARS-01#sh mac address-table | in 0000.5e00.0165
721 0000.5e00.0165 DYNAMIC Gi1/0/5
20 0000.5e00.0165 DYNAMIC Gi1/0/7
40 0000.5e00.0165 DYNAMIC Gi1/0/2
45 0000.5e00.0165 DYNAMIC Gi1/0/9
50 0000.5e00.0165 DYNAMIC Gi1/0/3
80 0000.5e00.0165 DYNAMIC Gi1/0/4
90 0000.5e00.0165 DYNAMIC Gi1/0/10
100 0000.5e00.0165 DYNAMIC Gi1/0/8
NSW-MARS-01#sh mac address-table | in 0000.5e00.0165
721 0000.5e00.0165 DYNAMIC Gi1/0/5

I didn't set this up, but will be changing it to where each interface has its own ID and thus MAC. Hope this helps.
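
The thread above boils down to two checks an operator would want to automate: decode the VRID (or HSRP group) out of a virtual MAC so duplicate group IDs across VLANs stand out, and detect a MAC whose VLAN/port set keeps changing between consecutive `show mac address-table` snapshots, which is the flapping and flooding symptom described. The following Python is an added example written for this page, not code from the thread or from Cisco; it parses the flattened "vlan mac type port" lines exactly as they were pasted above (the six snapshots are taken from the post), and the prefix rules it relies on are the IANA VRRP IPv4 virtual MAC (00-00-5E-00-01-{VRID}) and the HSRPv1 virtual MAC (0000.0c07.ac{group}).

```python
import re
from collections import defaultdict

# The six "show mac address-table | in 0000.5e00.0165" outputs pasted in the
# thread, taken roughly five seconds apart. Column layout is the flattened
# form shown on the page: <vlan> <mac> <type> <port>.
SNAPSHOTS = [
    "45 0000.5e00.0165 DYNAMIC Gi1/0/9",
    "1 0000.5e00.0165 DYNAMIC Gi1/0/6",
    "721 0000.5e00.0165 DYNAMIC Gi1/0/5\n20 0000.5e00.0165 DYNAMIC Gi1/0/7\n"
    "40 0000.5e00.0165 DYNAMIC Gi1/0/2\n45 0000.5e00.0165 DYNAMIC Gi1/0/9\n"
    "50 0000.5e00.0165 DYNAMIC Gi1/0/3\n80 0000.5e00.0165 DYNAMIC Gi1/0/4\n"
    "100 0000.5e00.0165 DYNAMIC Gi1/0/8",
    "721 0000.5e00.0165 DYNAMIC Gi1/0/5",
    "721 0000.5e00.0165 DYNAMIC Gi1/0/5\n20 0000.5e00.0165 DYNAMIC Gi1/0/7\n"
    "40 0000.5e00.0165 DYNAMIC Gi1/0/2\n45 0000.5e00.0165 DYNAMIC Gi1/0/9\n"
    "50 0000.5e00.0165 DYNAMIC Gi1/0/3\n80 0000.5e00.0165 DYNAMIC Gi1/0/4\n"
    "90 0000.5e00.0165 DYNAMIC Gi1/0/10\n100 0000.5e00.0165 DYNAMIC Gi1/0/8",
    "721 0000.5e00.0165 DYNAMIC Gi1/0/5",
]

# One table row in Cisco dotted-hex MAC notation; header/footer lines don't match.
ENTRY_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$", re.I
)

VRRP_V4_PREFIX = "0000.5e00.01"   # IANA: 00-00-5E-00-01-{VRID}
HSRP_V1_PREFIX = "0000.0c07.ac"   # Cisco HSRPv1: 0000.0C07.AC{group}


def parse_mac_table(text):
    """Return [(vlan, mac, type, port), ...] for every table row in `text`."""
    rows = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            rows.append((int(vlan), mac.lower(), kind.upper(), port))
    return rows


def virtual_mac_group(mac):
    """Decode a first-hop-redundancy virtual MAC into (protocol, group id), else None."""
    mac = mac.lower()
    if mac.startswith(VRRP_V4_PREFIX):
        return ("VRRP", int(mac[-2:], 16))
    if mac.startswith(HSRP_V1_PREFIX):
        return ("HSRPv1", int(mac[-2:], 16))
    return None


def find_multi_vlan_macs(snapshots):
    """MACs dynamically learned in more than one VLAN across all snapshots: mac -> {vlan: [ports]}."""
    seen = defaultdict(lambda: defaultdict(set))
    for snap in snapshots:
        for vlan, mac, kind, port in parse_mac_table(snap):
            if kind == "DYNAMIC":
                seen[mac][vlan].add(port)
    return {
        mac: {vlan: sorted(ports) for vlan, ports in vlans.items()}
        for mac, vlans in seen.items()
        if len(vlans) > 1
    }


def count_vlan_set_changes(snapshots, mac):
    """How many consecutive snapshots changed the set of VLANs holding `mac`.

    A stable VRRP master shows up in the same VLAN(s) every time; a count near
    len(snapshots) - 1 is the re-learn/age-out churn that causes unicast flooding.
    """
    mac = mac.lower()
    prev, changes = None, 0
    for snap in snapshots:
        current = frozenset(v for v, m, _, _ in parse_mac_table(snap) if m == mac)
        if prev is not None and current != prev:
            changes += 1
        prev = current
    return changes


if __name__ == "__main__":
    for mac, vlans in find_multi_vlan_macs(SNAPSHOTS).items():
        proto = virtual_mac_group(mac)
        print(f"{mac} ({proto[0]} group {proto[1]}) in {len(vlans)} VLANs, "
              f"{count_vlan_set_changes(SNAPSHOTS, mac)} VLAN-set changes in {len(SNAPSHOTS)} snapshots")
        for vlan, ports in sorted(vlans.items()):
            print(f"  vlan {vlan:<4} ports {', '.join(ports)}")
```

In practice you would feed this from a periodic `show mac address-table` collection rather than a hand-pasted string; the `DYNAMIC` filter matters because a statically pinned entry cannot flap, and the per-VLAN port list is what tells you which trunk or access port each copy of the MAC was learned behind.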
