Network Engineering Asked by Gngogh on September 30, 2021
I am facing a situation where on the core network I have around 15k MAC addresses, and on the edge switches (Access Layer), I am finding switches with 27k MAC addresses. Access switches are configured to allow one MAC address per interface, and if there is VoIP, two MAC addresses per interface.
Since this is a layer 2 network, I don’t understand why I have more MAC addresses on the Access switches. I was able to find out
that some MAC addresses are on two VLANs at the same time, mainly MAC addresses that belong to VoIP phones, but so far I’m unable to find why this is happening.
Has anyone experienced a similar situation? If so, what was the reason or causes of such situation?
First of all, you shouldn't have so big broadcast domains to have even 15k MAC addresses on access switches. Either separate them by VLANs (with connectivity at L3, with routing), or at least with any kind of traffic segmentation (if the endpoints don't have to communicate with each other).
The problem itself looks like VLAN misconfiguration (or device malfunction) - I guess you don't attach VoIP phones to 802.1q tagged interfaces, but plug them into untagged ports. There are switches that allow to set multiple untagged VLANs on a single port, with the traffic being passed into PVID of that port ...but learning MACs and passing incoming broadcast frames. There are switches that won't allow to disable default VLAN (VID=1) despite using other PVID on the port.
The second cause happening in the wild is a single device malfunction or misconfiguration, effectively "bouncing" (usually broadcast) frames into another VLAN that is available to that device. This happens even without asymetric VLAN configurations and is not a big surprise when it happens on low-cost SOHO devices. Smaller broadcast domains make it easier to pinpoint such misbehaving device, by looking if the specific MAC address doesn't ocasionally pop up on a wrong port of a switch.
The only question you need to ask yourself is - what is the path of the VoIP phone to a different VLAN? How is it leaking? Very easy to check on a one-switch one-phone testbed.
Answered by Tomasz Pala on September 30, 2021
VoIP phones are actually switches, too, if they allow you to connect a PC. Limiting a switch interface to two MAC addresses when using a VoIP phone can be problematic because some VoIP phones use more than one MAC address for themselves (one for the phone itself, and one or two for the switch interfaces), then you have a MAC address for the PC connected to the phone, so it could use three or more MAC addresses on the switch interface.
As a switch, the phone negotiates a trunk to the switch to which it is connected, and a VoIP phone MAC address could appear on more than one VLAN.
Answered by Ron Maupin on September 30, 2021
Get help from others!
Recent Questions
Recent Answers
© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP