I'm seeing an awful lot of weird ARP broadcasts:
10:24:02.255006 arp who-has 172.16.100.103 (Broadcast) tell 172.16.100.103I do not use any 172 addresses on this network. The MAC address associated with these broadcasts doesn't show up on any ARP tables... not the switches, not any of the hosts. Is there a way to identify which physical port this traffic is coming from? Switches are Cisco
2970s with IOS 12.2On 10.07.2006 19:26 John Oliver wrote
Apply option -e to your tcpdump?
On 10.07.2006 21:31 Arnold Nipper wrote
Forget about that ...
But what I'm often seeing is that
switch1#sh logging %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0014.a932.xxxx on port FastEthernet2/0/1. (sw011-2)
switch1# sh mac-address-table address 0014.a932.xxxx Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- ----- switch1#
Though these adress is not in switch switch1's address table it gets forwarded to other switches connected to switch switch1
That helped!
sh mac-address-table on both switches reported that the MAC in question was on the interface that I use to trunk the switches together. But sh mac-address-table address xxxx.yyyy.zzzz reported that it was on Gi0/2 on one switch, which goes to our old colo cabinet. So at least I'm not mystified any more... but there are only crappy unmanaged switches in that cabinet. I'll have to drive over to follow up :-)
Thanks!
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.