--- On Thu, 4/19/12, ryanL <ryan.lan...@gmail.com> wrote:

> From: ryanL <ryan.lan...@gmail.com>
> Subject: Re: [c-nsp] mac flapping on 6509 between core and fwsm
> To: "Randy" <randy_94...@yahoo.com>
> Cc: "Mario Ruiz" <mruiz...@gmail.com>, cisco-nsp@puck.nether.net
> Date: Thursday, April 19, 2012, 6:58 PM
>
> On Thu, Apr 19, 2012 at 5:54 PM, Randy <randy_94...@yahoo.com> wrote:
> > --- On Thu, 4/19/12, Mario Ruiz <mruiz...@gmail.com> wrote:
> >
> > > Who is reporting the mac-flaps - the 6509 with fwsm OR fwsm itself?
> >
> > it appears that you are seeing it on the 6509 that has the fwsm?
> >
> > if that is the case, then an arp-reply from host at 0024.f716.5142 is
> > being seen via po30 and po579.
> >
> > Why do you have po30 on the same vlan as fwsm's outside int?
> >
> > Can you post relevant portions of the config?
> > ./Randy
>
> the 6509 is basically our services layer. data center stuff. it has
> .1q trunks to the cores, where the cores in-turn pick up a .1q tag for
> the L3 subinterface. in this example, vl1250. vrrp is used between the
> two cores via the 6509. the 6509 also has .1q trunks to our back-end
> routers. in this example, vl1251. the back-end routers do hsrp. the
> fwsm in the 6509 bridges vl1250 and vl1251 in order to do transparent
> firewalling. pretty standard. vl1250 is outside, vl1251 is inside.
>
> the 6509 is what is reporting the mac move, seeing it show up
> correctly on the uplink port to the core, and then seeing it show up
> incorrectly on the internal ec for the fwsm. the mac is the physical
> address of the core subint.
>
> i'm wondering if the fwsm is doing some sort of "random" gratuitous or
> proxy arp. the fwsm, which essentially participates, sees the correct
> mac as an arp entry.
>
> fwsm1/<context removed># sh arp
> outside <ip removed> 0024.f716.5142
>
> i seem to have stopped the mac move messages by doing the following
> towards my cores (on the 6509).
>
> mac-address-table static 0024.f716.3242 vlan 1250 interface Port-channel40
> mac-address-table static 0024.f716.5142 vlan 1250 interface Port-channel30
>
> not sure what, if anything, yet, that i'm breaking by doing this.
>
> .rL

Yes! it fixed your issue because of the static-L2-entries you put in place.
It has not fixed the underlying-cause!

What you were seeing is not related to proxy-arp OR Gratuitous-Arp (that is an un-solicited "response" per-se).

If you wish to get to the bottom of this, feel free to post off-line.
./Randy
_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/