Network flooding without ff-ff-ff-ff-ff-ff (layer 2 broadcast) MAC address in destination?

Question

It appears that a switch is sending the same traffic to all ports in a VLAN:

• In a Wireshark capture on host 192.168.0.10 with MAC aaaa.aaaa.aaaa I see packets with MAC destination bbbb.bbbb.bbbb and Destination IP 192.168.0.20

ARP table on the switch contains a correct entry for 192.168.0.20, listing MAC of bbbb.bbbb.bbbb. The mac address-table entries, however, are missing bbbb.bbbb.bbbb.

After restarting the device, the MAC address table entry gets re-created.

EDIT: Whilst this 'flooding' (is this actually flooding?) is happening, the device 192.168.0.20 continues to function well on the network! It is successfully transferring data. This is an important point: the device with MAC bbbb.bbbb.bbbb continues to send frames with source MAC bbbb.bbbb.bbbb to the switch. The switch is meant to save that MAC into its mac address table. But it doesn't!

What behaviour are we seeing here? Isn't the switch meant to flood the packets with destination MAC ffff.ffff.ffff, forcing the clients to read the packet contents to see if they are meant for them?

Also, I would greatly appreciate any advice on what other checks I can perform.

Answer 1

The mac address-table entries, however, are missing bbbb.bbbb.bbbb.

That is how a self-learning bridge works: it learns the location of nodes by the frames' source addresses and then forwards frames by the destination address based on the learned table.

If the node in question has never send a frame, the bridge/switch cannot know its location and subsequently floods frames with that destination out of all its ports, mimicking a repeater hub.

But in no case does a switch alter an unknown destination address in a frame to the broadcast address. (The only thing an L2 switch potentially changes in a frame is the 802.1Q tag.) The point is that the "unknown" MAC continues to function normally, even if the whole network is polluted with frames addressed for that node.

You should make sure that the node in question sends out a frame after link-up (or before it is eventually aged out), populating the switch's MAC address table (a link-down usually clears the addresses on that port). Some switches can also be configured for static MAC-port combinations, consult the manual.