I suppose the traffic comes from a router, right? Then tell me where this router is connected, on the first or the second switch. You can also look at the routing table there and see why the router forwards traffic to the standby firewall. Look at the ARP table too; maybe you set too high a value for the ARP timeout, or the router learned the wrong MAC address :)
Best regards,
Atanas Yankov
Data Networks & Security
IT Division
CCIE #21756
Sent from HTC Hero
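The two diagnoses in this thread (unknown-unicast flooding from asymmetric paths, and an ARP timeout on the router that outlives the switch's MAC aging time) can be reproduced in a small model. The following is an added example, not code from the thread or from any vendor; the MAC addresses, port names, the 300-second MAC aging time and the two ARP timeout values are all constructed assumptions. The host's outbound traffic leaves via the active firewall on sw1 and never crosses the trunk, so sw2 only learns the host MAC from ARP replies to the router on sw2; once that entry ages out, every return frame is flooded, including out of the port facing the standby firewall, which is exactly "traffic on a port with no MAC address learned".

```python
"""Toy model of unknown-unicast flooding caused by asymmetric routing.

Constructed example for illustration only; not code from the thread or from
any vendor. Two switches are joined by a trunk. The host's outbound traffic
leaves through the active firewall on sw1 and never crosses the trunk, so sw2
only learns the host MAC from the host's ARP replies to the router on sw2.
"""

BROADCAST = "ff:ff:ff:ff:ff:ff"
HOST_MAC = "00:00:00:00:00:0a"        # constructed
ROUTER_MAC = "00:00:00:00:00:0b"      # constructed
FW_ACTIVE_MAC = "00:00:00:00:00:0c"   # constructed
MAC_AGING_SECONDS = 300               # assumed switch MAC aging time


class Switch:
    """Minimal transparent bridge: learn on source MAC, forward on destination."""

    def __init__(self, name, ports, aging=MAC_AGING_SECONDS):
        self.name = name
        self.ports = set(ports)
        self.aging = aging
        self.table = {}  # mac -> (port, last_seen)

    def expire(self, now):
        """Drop entries that have not been refreshed within the aging time."""
        for mac, (_port, seen) in list(self.table.items()):
            if now - seen > self.aging:
                del self.table[mac]

    def forward(self, src, dst, in_port, now):
        """Return egress ports for one frame; unknown unicast and broadcast flood."""
        self.expire(now)
        self.table[src] = (in_port, now)
        if dst in self.table:
            return [self.table[dst][0]]
        return sorted(self.ports - {in_port})


def simulate(arp_timeout, duration=3600, step=60):
    """Count return frames that reach sw2's standby-firewall port.

    The router on sw2 sends one return frame to the host every `step` seconds
    and re-ARPs only when its ARP entry is at least `arp_timeout` seconds old.
    """
    sw1 = Switch("sw1", ["host", "fw-active", "trunk"])
    sw2 = Switch("sw2", ["trunk", "fw-standby", "router"])

    def router_arp(now):
        # ARP request is broadcast: both switches flood it and learn the router.
        sw2.forward(ROUTER_MAC, BROADCAST, "router", now)
        sw1.forward(ROUTER_MAC, BROADCAST, "trunk", now)
        # ARP reply is unicast from the host; sw2 learns the host behind the trunk.
        sw1.forward(HOST_MAC, ROUTER_MAC, "host", now)
        sw2.forward(HOST_MAC, ROUTER_MAC, "trunk", now)
        return now

    arp_learned_at = router_arp(0)
    frames = flooded = 0
    for now in range(step, duration + 1, step):
        # Active firewall's own periodic traffic keeps its entry fresh on sw1.
        sw1.forward(FW_ACTIVE_MAC, BROADCAST, "fw-active", now)
        # Outbound: host -> active firewall, handled entirely on sw1.
        # This refreshes the host entry on sw1 but never on sw2.
        sw1.forward(HOST_MAC, FW_ACTIVE_MAC, "host", now)
        # Return path: router on sw2 -> host, re-ARPing only when the entry is stale.
        if now - arp_learned_at >= arp_timeout:
            arp_learned_at = router_arp(now)
        egress = sw2.forward(ROUTER_MAC, HOST_MAC, "router", now)
        frames += 1
        if "fw-standby" in egress:
            flooded += 1
    return {"frames": frames, "flooded_to_standby": flooded}


def arp_timeout_is_safe(arp_timeout, mac_aging=MAC_AGING_SECONDS):
    """Rule of thumb: the router must re-ARP before the switch forgets the host."""
    return arp_timeout <= mac_aging


if __name__ == "__main__":
    for timeout in (14400, 240):  # constructed: a 4 h timeout vs. a 4 min one
        print(f"ARP timeout {timeout:>5}s:", simulate(timeout),
              "safe" if arp_timeout_is_safe(timeout) else "floods once the MAC ages out")
```

With the 4-hour ARP timeout the host entry on sw2 ages out after 300 s and the remaining 55 of 60 return frames are flooded to the standby-firewall port; with a 240 s timeout the router re-ARPs before the switch forgets the host and nothing is flooded. The same reasoning applies to a static MAC entry or a longer switch aging time: what matters is that the switch hears the host's MAC as a source more often than it ages it out.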
----- Reply message -----
From: "Mark Stephanus Chandra" <mark.chandra_at_gmail.com>
Date: Tue, Sep 15, 2009 18:13
Subject: Traffic On switch without mac-address on mac-address table
To: "'xdsgrrr'" <xdsgrrr_at_consultcommerce.com>
Cc: <ccielab_at_groupstudy.com>
The two switches are connected through a trunk. The other switch, which is
connected to the active firewall, has normal behaviour: it has the firewall MAC
address and is passing the traffic. But the other switch, which is connected to a
standby firewall, is also passing 2 MBps of real traffic with no MAC address.
So we experience slow performance on our network, and we suspect that real
traffic coming back is going to a black hole in the standby firewall.
-----Original Message-----
From: xdsgrrr [mailto:xdsgrrr_at_consultcommerce.com]
Sent: 15 September 2009 18:58
To: Mark Stephanus Chandra
Cc: ccielab_at_groupstudy.com
Subject: RE: Traffic On switch without mac-address on mac-address table
Hi Mark, it sounds like unicast flooding for whatever reason,
asymmetric routing paths etc. The first switch is not learning a
MAC address for the destination, and the traffic that you see is just
flooded to all ports. Can you provide more information about how the
two switches are connected?
br,
Atanas Yankov
Data Networks & Security Section
IT Division
Cosmo Bulgaria Mobile
CCIE # 21756
mobile: (+359 89) 8400734
e-mail: ayankov_at_globul.bg
www.globul.bg
On Tue, 2009-09-15 at 11:45 +0700, Mark Stephanus Chandra wrote:
> Unfortunately this is a production network
>
> This is a Layer 2 port. The other switch, which is connected to the active
> firewall, is showing the mac-address.
>
> Strange behaviour occurs in the other switch, which is connected to the
> standby switch.
>
> This is really strange, and I have snooped the packet and it is a real packet
> going to the standby switch.
>
> From: ALL From_NJ [mailto:all.from.nj_at_gmail.com]
> Sent: 14 September 2009 21:08
> To: Iwan Hoogendoorn
> Cc: Mark Stephanus Chandra; ccielab_at_groupstudy.com
> Subject: Re: Traffic On switch without mac-address on mac-address table
>
> Hope this is not a production network ... ;-)
>
> Mark, is this a L3 port? My guess is that it is ... If possible, ping the
> fw from the switch and then check the arp table via the show ip arp
> command.
>
> If your switch does not have a way to ping the FW, and IF IT IS a production
> network, then don't change a thing on the switch. ;-) ... lol
>
> Ping the FW interface from another device and you will be able to see the
> MAC add. HTH,
>
> Andrew
>
> On Mon, Sep 14, 2009 at 9:02 AM, Iwan Hoogendoorn <iwan_at_ipexpert.com> wrote:
>
> Hi,
>
> What will happen if you plug a laptop in the same switchport you have
> the firewall on and you do a show mac-address-table on the switch?
>
> --
> Regards,
>
> Iwan Hoogendoorn
> CCIE #13084 (R&S / Security / SP)
> Sr. Support Engineer IPexpert, Inc.
> URL: http://www.IPexpert.com
>
> On Mon, Sep 14, 2009 at 11:15 AM, Mark Stephanus Chandra
> <mark.chandra_at_gmail.com> wrote:
> > Dear GS,
> >
> > Have you guys ever experienced that you found traffic on one of your
> > switchports but there is no mac-address destined to it?
> >
> > It happens on my switch: one of the switchports facing a standby firewall
> > keeps generating traffic, but actually there is no mac-address learned via that
> > port.
> >
> > The firewall is NetScreen. Have any idea what is the possible explanation of
> > this problem?
> >
> > Regards
> >
> > Mark Stephanus Chandra - CCIE#23887
> > IT Consultant
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
--
br,
Atanas Yankov
Data Networks & Security Section
IT Division
CCIE # 21756
mobile: (+359 89) 8400734
e-mail: ayankov_at_globul.bg
www.globul.bg

Received on Wed Sep 16 2009 - 11:33:19 ART
This archive was generated by hypermail 2.2.0 : Sun Oct 04 2009 - 07:42:03 ART