RE: Traffic On switch without mac-address on mac-address table

From: xdsgrrr <xdsgrrr_at_consultcommerce.com>
Date: Wed, 16 Sep 2009 17:14:11 +0300

You mean traffic from the router? Where is your router located, on the
first or second switch? Check the ARP table of the router to see what MAC
address it uses to get to the active firewall; you can also look at the routing
table to see if there are some routes installed toward the standby firewall :)

br,
Atanas Yankov
Data Networks & Security Section
IT Division

CCIE # 21756

mobile: (+359 89) 8400734
e-mail: ayankov_at_globul.bg
www.globul.bg

On Tue, 2009-09-15 at 22:13 +0700, Mark Stephanus Chandra wrote:
> The two switches are connected through a trunk. The other switch, which is
> connected to the active firewall, has normal behaviour: it has the firewall MAC
> address and is passing the traffic. But the other switch, which is connected to
> the standby firewall, is also passing 2 MBps of real traffic with no MAC address.
> So we experience slow performance on our network and we suspect that real
> traffic coming back is going to a black hole in the standby firewall.
>
> -----Original Message-----
> From: xdsgrrr [mailto:xdsgrrr_at_consultcommerce.com]
> Sent: 15 September 2009 18:58
> To: Mark Stephanus Chandra
> Cc: ccielab_at_groupstudy.com
> Subject: RE: Traffic On switch without mac-address on mac-address table
>
> Hi Mark, it sounds like unicast flooding for whatever reason,
> asymmetric routing paths etc.: the first switch is not learning a
> MAC address for the destination and the traffic that you see is just
> flooded to all ports. Can you provide more information about how the
> two switches are connected?
> br,
> Atanas Yankov
> Data Networks & Security Section
> IT Division
> Cosmo Bulgaria Mobile
> CCIE # 21756
>
> mobile: (+359 89) 8400734
> e-mail: ayankov_at_globul.bg
> www.globul.bg
> On Tue, 2009-09-15 at 11:45 +0700, Mark Stephanus Chandra wrote:
> > Unfortunately this is a production network :(
> >
> > This is a Layer 2 port. The other switch, which is connected to the active
> > firewall, is showing the mac-address.
> >
> > Strange behaviour occurs in the other switch, which is connected to the
> > standby switch.
> >
> > This is really strange and I have snooped the packet and it is a real packet
> > going to the standby switch.
> >
> > From: ALL From_NJ [mailto:all.from.nj_at_gmail.com]
> > Sent: 14 September 2009 21:08
> > To: Iwan Hoogendoorn
> > Cc: Mark Stephanus Chandra; ccielab_at_groupstudy.com
> > Subject: Re: Traffic On switch without mac-address on mac-address table
> >
> > Hope this is not a production network ... ;-)
> >
> > Mark, is this an L3 port? My guess is that it is ... If possible, ping the
> > FW from the switch and then check the ARP table via the show ip arp command.
> >
> > If your switch does not have a way to ping the FW, and IF IT IS a production
> > network, then don't change a thing on the switch. ;-) ... lol
> >
> > Ping the FW interface from another device and you will be able to see the
> > MAC address. HTH,
> >
> > Andrew
> >
> > On Mon, Sep 14, 2009 at 9:02 AM, Iwan Hoogendoorn <iwan_at_ipexpert.com> wrote:
> >
> > Hi,
> >
> > What will happen if you plug a laptop in the same switchport you have
> > the firewall on and you do a show mac-address-table on the switch?
> >
> > --
> > Regards,
> >
> > Iwan Hoogendoorn
> > CCIE #13084 (R&S / Security / SP)
> > Sr. Support Engineer IPexpert, Inc.
> > URL: http://www.IPexpert.com
> >
> > On Mon, Sep 14, 2009 at 11:15 AM, Mark Stephanus Chandra
> > <mark.chandra_at_gmail.com> wrote:
> > > Dear GS,
> > >
> > > Have you guys ever experienced that you found traffic on one of your
> > > switchports but there is no mac-address destined to it?
> > >
> > > It happens on my switch: one of the switchports facing a standby firewall
> > > keeps generating traffic, but actually there is no mac-address learned via
> > > that port.
> > >
> > > The firewall is a NetScreen. Do you have any idea what the possible
> > > explanation of this problem is?
> > >
> > > Regards
> > >
> > > Mark Stephanus Chandra - CCIE#23887
> > > IT Consultant
> > >
> > > Blogs and organic groups at http://www.ccie.net
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html

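As an added example that is not part of the thread, the unicast-flooding mechanism Atanas describes, modelled in Python with constructed MAC addresses and port names: the switch facing the standby firewall floods every frame addressed to the active firewall's MAC because the return path never crosses it, so the standby-firewall port carries traffic that no MAC-table entry accounts for.

```python
# Constructed example: two trunked learning switches, asymmetric return path.
HOST = "00:00:00:00:00:0a"       # constructed: host behind SW2
FW_ACTIVE = "00:00:00:00:00:fe"  # constructed: active firewall behind SW1


class Switch:
    """Transparent bridge: learns source MAC per ingress port, floods unknown unicast."""

    def __init__(self, name, ports):
        self.name = name
        self.ports = list(ports)
        self.mac_table = {}   # mac -> port, what 'show mac-address-table' would list
        self.egress = []      # (port, dst_mac, dst_was_known) for every frame sent

    def receive(self, in_port, src, dst):
        self.mac_table[src] = in_port            # learn the source address
        out = self.mac_table.get(dst)
        known = out is not None
        # Unknown destination: flood to every port in the VLAN except the ingress.
        targets = [out] if known else [p for p in self.ports if p != in_port]
        self.egress.extend((p, dst, known) for p in targets)
        return targets


def run(symmetric_return, frames=3):
    """Host behind SW2 sends frames to the active firewall behind SW1 over the trunk.
    With symmetric_return the firewall's reply transits SW1 -> trunk -> SW2; otherwise
    the reply reaches the host by another path, SW2 never sees FW_ACTIVE as a source
    and therefore never learns which port leads to it."""
    sw1 = Switch("SW1", ["active-fw", "trunk"])
    sw2 = Switch("SW2", ["standby-fw", "trunk", "host"])
    sw1.mac_table[FW_ACTIVE] = "active-fw"       # SW1 has already heard the firewall
    for _ in range(frames):
        if "trunk" in sw2.receive("host", HOST, FW_ACTIVE):
            sw1.receive("trunk", HOST, FW_ACTIVE)
        if symmetric_return and "trunk" in sw1.receive("active-fw", FW_ACTIVE, HOST):
            sw2.receive("trunk", FW_ACTIVE, HOST)
    return sw2


def unknown_unicast_egress(sw):
    """Frames per port that left while the destination MAC was unknown: the
    'traffic on the port but no mac-address learned' symptom from the thread."""
    counts = {}
    for port, _, known in sw.egress:
        if not known:
            counts[port] = counts.get(port, 0) + 1
    return counts
```

With a symmetric return path only the first frame is flooded and SW2 then learns FW_ACTIVE on the trunk; with an asymmetric path every frame leaves the standby-firewall port and the MAC never appears in SW2's table.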
Received on Wed Sep 16 2009 - 17:14:11 ART

This archive was generated by hypermail 2.2.0 : Sun Oct 04 2009 - 07:42:03 ART