If you have a L2 NAC which forces all traffic through itself then it is possible that a frame will need to leave site A, get switched through to site B only to return to site A, all with the same MAC address.
There is a legitimate but ill-advised network design which can cause issues. The issue with an annexe VLAN is that a local loop is no longer so local and could cause problems everywhere, both for you and others. Here are a couple of resources: STP is your friend and Implementing Spanning Tree. If you don’t run STP then you are far more likely to suffer from network loops. There are two or three common causes that we see. If for some reason your MAC addresses appear from different locations you will get dropped packets and our logs will fill up with messages which cause issues when we raise a support case with Cisco as our network appears to have loops. To return to the the issues MAC flaps will cause on your network, each switch in the backbone has a MAC address-table for your VLAN.
VLANs with a Layer 3 interface or SVI on the backbone are known as Layer 3 Routed VLANs. We have called them ‘switched’ VLANs in the past. These are known as Layer 2 end-to-end VLANs as there is no routing involved. It is because of this risk to other units that we are keen to make sure annexe VLANs are tightly managed. That is, a failure in part of the VLAN could impact the entire core. Another term sometimes used is ‘Failure Domain’. This means the CPU of every host (including our core switches) on a VLAN will receive every broadcast from every other host – this is not ideal but the only way we can offer the same subnet at multiple sites in this generation of the backbone. The ‘Broadcast Domain’ stretches over the entire Backbone.
Cisco mac address table drop series#
When you have an annexe VLAN the backbone can be thought of as a series of Layer 2 switches for that VLAN. Yes, this is the same impact you would have if two hosts had the same MAC on your network – there is a reason they need to be unique! What does all this mean? Here is what happened to Host B: Host B#ping 192.168.30.254 Here is the switch mac address table after the clone: 3750-1#show mac address-table dynamic vlan 30 The results? Host B lost connectivity for a few seconds. Next I manually set host A to have the same MAC address as host B (0c2). Host A had an IP of 192.168.30.1 and was on port 1. Total Mac Addresses for this criterion: 3 The hosts could ping each other and the MAC address-table was as follows:ģ750-1#show mac address-table dynamic vlan 30 I configured a switch with three hosts directly connected on VLAN 30.
This isn’t an easy thing to replicate so please forgive the artificial nature of the lab. What happens when B tries to send A a frame now? The switch won’t flood the frame as it knows a destination and it won’t send the frame back down the link – it gets dropped. Host in vlan A is flapping betweenĪnd the MAC address-table would become: Port Host If the switch were to then receive a frame on port 0/2 with a source MAC address of aaaa, there would be clash and the switch would log something like this: 1664321: Nov 14 11:18:16 UTC: %MAC_MOVE-SP-4-NOTIF: When B replies the MAC address table becomes: Port HostĪnd the switch forwards the frame to port 0/1 – there is no need to flood now since the location of A is known. The switch populates it MAC address-table something like: Port HostĪnd floods the frame out of all other ports. Assume A is on port 0/1 and B is on port 0/2. Say a device ‘A’ with MAC (hereafter aaaa) sends a frame to device ‘B’ with MAC address bbbb. Switches learn where hosts are by examining the source MAC address in frames received on a port, and populating its MAC address-table with an entry for that MAC address and port. If this makes no sense, perhaps a quick summary of how switching at layer 2 works will help. A MAC Flap is caused when a switch receives packets from two different interfaces with the same source MAC address.