
Switches flooded with mac learning of invalid addresses

  • 1.  Switches flooded with mac learning of invalid addresses

    Posted 11-17-2023 10:54

    Hello, I'm investigating a problem where I see constant mac learning on many of my access switches (EX2300 and EX3400 series). The mac addresses don't look valid to me, and they are in sequence. They are learned on the uplinks, but when I go to the core switch, which is the next hop in most cases, the core does not see any matches in the ethernet table or in the ARP table. Any ideas how to trace down where these mac addresses are originating?

    Here's a sample of what I'm seeing:

    @EX3400P> show ethernet-switching mac-learning-log 
    Fri Nov 17 15:47:50 2023 vlan_name Staff+7 mac 00:00:01:02:ee:0e was learned on xe-0/2/0.0 with flags: 0x2001f
    Fri Nov 17 15:47:51 2023 vlan_name Staff+7 mac 00:00:01:02:29:04 was learned on xe-0/2/0.0 with flags: 0x2001f
    Fri Nov 17 15:47:51 2023 vlan_name Staff+7 mac 00:00:01:02:ee:0d was learned on xe-0/2/0.0 with flags: 0x2001f
    Fri Nov 17 15:47:51 2023 vlan_name Staff+7 mac 00:00:01:02:75:7c was learned on xe-0/2/0.0 with flags: 0x2001f
    Fri Nov 17 15:47:51 2023 vlan_name Staff+7 mac 00:00:01:02:96:90 was learned on xe-0/2/0.0 with flags: 0x2001f
    Fri Nov 17 15:47:51 2023 vlan_name Staff+7 mac 00:00:01:02:ee:0b was learned on xe-0/2/0.0 with flags: 0x2001f
    Fri Nov 17 15:47:52 2023 vlan_name Staff+7 mac 00:00:01:02:6f:b6 was learned on xe-0/2/0.0 with flags: 0x2001f
    Fri Nov 17 15:47:52 2023 vlan_name Staff+7 mac 00:00:01:02:03:8b was learned on xe-0/2/0.0 with flags: 0x2001f
    Fri Nov 17 15:47:52 2023 vlan_name Staff+7 mac 00:00:01:02:63:18 was learned on xe-0/2/0.0 with flags: 0x2001f
    Fri Nov 17 15:47:52 2023 vlan_name Staff+7 mac 00:00:01:02:92:37 was learned on xe-0/2/0.0 with flags: 0x2001f
    Fri Nov 17 15:47:53 2023 vlan_name Staff+7 mac 00:00:01:02:fc:66 was learned on xe-0/2/0.0 with flags: 0x2001f
    Fri Nov 17 15:47:53 2023 vlan_name Staff+7 mac 00:00:01:02:53:b2 was learned on xe-0/2/0.0 with flags: 0x2001f
    Fri Nov 17 15:47:53 2023 vlan_name Staff+7 mac 00:00:01:02:ee:08 was learned on xe-0/2/0.0 with flags: 0x2001f
    Fri Nov 17 15:47:53 2023 vlan_name Staff+7 mac 00:00:01:02:29:02 was learned on xe-0/2/0.0 with flags: 0x2001f
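An added example, not part of the original thread: a small Python summarizer for `show ethernet-switching mac-learning-log` output that groups learn events by VLAN, interface and MAC prefix, so a burst like the one above stands out and can be compared switch by switch. The function names, the 4-octet prefix length and the `min_macs` threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches one "was learned" line in the format shown in the post above.
LINE_RE = re.compile(
    r"^\s*(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) vlan_name (?P<vlan>\S+) "
    r"mac (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) was learned on (?P<ifl>\S+)"
)

def parse(lines):
    """Yield (timestamp, vlan, interface, mac) for each 'was learned' line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            yield ts, m["vlan"], m["ifl"], m["mac"]

def summarize(lines, prefix_octets=4, min_macs=5):
    """Group learn events by (vlan, interface, MAC prefix) and report churn.

    Returns one dict per group with at least min_macs distinct MACs,
    sorted by distinct-MAC count, highest first.
    """
    groups = defaultdict(lambda: {"macs": set(), "times": []})
    for ts, vlan, ifl, mac in parse(lines):
        g = groups[(vlan, ifl, mac[: prefix_octets * 3 - 1])]
        g["macs"].add(mac)
        g["times"].append(ts)
    report = []
    for (vlan, ifl, prefix), g in groups.items():
        if len(g["macs"]) < min_macs:
            continue
        # Clamp the window to 1 s so a single-second burst does not divide by zero.
        span = max((max(g["times"]) - min(g["times"])).total_seconds(), 1.0)
        report.append({"vlan": vlan, "interface": ifl, "prefix": prefix,
                       "distinct_macs": len(g["macs"]),
                       "macs_per_sec": round(len(g["macs"]) / span, 2)})
    return sorted(report, key=lambda r: r["distinct_macs"], reverse=True)

# Sample input: five lines copied from the post, plus one constructed line
# (the last one: made-up MAC and port) standing in for an ordinary host.
SAMPLE = """\
Fri Nov 17 15:47:50 2023 vlan_name Staff+7 mac 00:00:01:02:ee:0e was learned on xe-0/2/0.0 with flags: 0x2001f
Fri Nov 17 15:47:51 2023 vlan_name Staff+7 mac 00:00:01:02:29:04 was learned on xe-0/2/0.0 with flags: 0x2001f
Fri Nov 17 15:47:51 2023 vlan_name Staff+7 mac 00:00:01:02:ee:0d was learned on xe-0/2/0.0 with flags: 0x2001f
Fri Nov 17 15:47:51 2023 vlan_name Staff+7 mac 00:00:01:02:75:7c was learned on xe-0/2/0.0 with flags: 0x2001f
Fri Nov 17 15:47:51 2023 vlan_name Staff+7 mac 00:00:01:02:96:90 was learned on xe-0/2/0.0 with flags: 0x2001f
Fri Nov 17 15:47:51 2023 vlan_name Staff+7 mac 02:aa:bb:cc:dd:01 was learned on ge-0/0/5.0 with flags: 0x2001f
""".splitlines()
```

Running `summarize()` over the log saved from each switch on the path shows which VLANs and ports carry the churn, which helps narrow down where the frames enter.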



  • 2.  RE: Switches flooded with mac learning of invalid addresses

    Posted 11-18-2023 03:15

    What is between the switches? A service provider link, or a real physical link?



    ------------------------------
    Simon Bingham
    ------------------------------



  • 3.  RE: Switches flooded with mac learning of invalid addresses

    Posted 11-20-2023 10:28

    The next hop is the core QFX router/distribution. It doesn't see these mac addresses. They are not in the ethernet table or the arp table on the core router.




  • 4.  RE: Switches flooded with mac learning of invalid addresses

    Posted 11-18-2023 03:41

    Also, I would try a monitor traffic interface xe-0/2/0; it will only show CPU-destined traffic, but might give you something.




  • 5.  RE: Switches flooded with mac learning of invalid addresses

    Posted 11-18-2023 06:20

    The mac range is assigned to Xerox so if it is not a generated address the source would be hardware from that sphere of products or sub-companies.



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 6.  RE: Switches flooded with mac learning of invalid addresses

    Posted 11-20-2023 10:30

    I noticed that as well, but it doesn't look like the mac addresses are valid. I have not been able to trace them to any real device connected to the network. I can't figure out where they are originating from, as they only point at the neighboring switch. In most cases, this is the core, which has no record of them.




  • 7.  RE: Switches flooded with mac learning of invalid addresses

    Posted 11-20-2023 14:53

    00:00:01 is a Xerox OUI.  The flags: 0x2001f are related to the mac being learned dynamically.




  • 8.  RE: Switches flooded with mac learning of invalid addresses

    Posted 11-20-2023 17:35

    Yeah, 00:00:01 is allocated to Xerox... but that would make a lot of Xerox MACs. Do you have plenty of Xerox printers? :)

    Anyway, as:

    • the leaf EX discovers those MACs on its uplink port (so, this MAC is the Source MAC in received ethernet frames)
    • but the uplink switch doesn't know about those MACs (so, it didn't switch such frames to the switch that learnt them)

    ...it might be possible to think about some kind of memory corruption / buggy JunOS somewhere (and the «00:00:01» wouldn't be meaningful at all in this case).



    ------------------------------
    Olivier Benghozi
    ------------------------------



  • 9.  RE: Switches flooded with mac learning of invalid addresses

    Posted 11-21-2023 12:28

    This is what I was thinking as well, I'm just having trouble figuring out which switch it's coming from and how to stop it. I was thinking a firewall rule to capture and block anything that starts with 00:00:01:02 could help. There's nothing valid on my network in that mac range. But I don't know if that's possible.




  • 10.  RE: Switches flooded with mac learning of invalid addresses

    Posted 11-21-2023 12:30

    I should also mention that the mystery mac addresses only exist in two VLANs on my network.




  • 11.  RE: Switches flooded with mac learning of invalid addresses

    Posted 11-21-2023 03:45
    Edited by Simon Bingham (technical debt collector) 11-21-2023 03:47

    People are mentioning Xerox, but don't forget Xerox invented Ethernet. If there is no ISP in the middle, it has got to be a Juniper / Broadcom issue.

    The fact these are literally the first OUIs allocated makes me think these are something used internally in the chipset (just a guess).

    ------------------------------
    JNCIE-ENT 907
    ------------------------------