
The network in question:
It is a fully switched network with no routing. There are no known RSTP problems.

There are 10 small switches. Each small switch has many small industrial devices talking to each other within that small switch.

There is 1 big switch that connects to all 10 small switches. The big switch also connects to computers that occasionally talk to a device or two in one of the small-switch networks.

The entire network is one giant IP network with the same subnet and subnet mask, and no default gateway.

The problem: there are 2 small switches; one has device A connected, the other has device B connected. Unfortunately, A and B both have the same MAC address, and a strange MAC address as well: 00:ba:d0:0b:ad:00 "bad bad".

Now, after running Wireshark on a computer connected to the big switch, I can see the traffic of devices talking to A or devices talking to B, which should be confined within their small switches:

Ethernet II, Src: GeFanucA_02:9f:d0 (00:09:91:02:9f:d0), Dst: 00:ba:d0:0b:ad:00 (00:ba:d0:0b:ad:00)

It is also observed that a packet from "bad bad" to GeFanucA_02:9f:d0 (00:09:91:02:9f:d0) is a normal unicast and "bad bad" can receive it. So in the two-way communication, only one direction's traffic is flooded; the other direction is still unicast.

Question: Is the unicast flooding due to the small switch realizing the MAC address is "bad"? Or is it due to the duplicated MAC address, so that the small switches are not quite sure where to send the frame and just broadcast it? Or is this flooding due to something else?

PS. After joeqwerty's answer below, confirming that the duplicated MAC address has caused the flooding, I went back to all the small switches and looked at their "MAC Address Table". Apparently there are 3 devices sharing the same MAC address: A, B and C. Apparently C's small switch happily accepted the "BAD BAD" MAC address and kept the traffic unicast. A's and B's switches decided to flood.

What exact mechanism caused this? A and B's switches should NOT be aware of any "BAD BAD" on another switch.

ugn

1 Answer


As you correctly surmised, this is flooding, not broadcasting. If two devices have the same MAC address then I would expect to see this happening. You need to remove these two devices from the network and figure out why they have duplicate MAC addresses.

joeqwerty
  • Thank you. Just to confirm: the "bad: bad" MAC address will NOT register in any switch as invalid or unknown. So, if only one of A or B is removed, the flooding should stop. – ugn May 07 '19 at 18:35
  • It should, but you should investigate both devices to figure out why they are doing this. – joeqwerty May 07 '19 at 18:46
  • Thanks. Shamefully, we do know the reason: someone didn't configure them properly. The device manufacturer had the prescience to alert users that the device is not configured properly by giving the "bad bad" MAC address to those devices. I just did not know MAC duplication could cause flooding. – ugn May 07 '19 at 19:07
  • Just to follow up, what's the exact mechanism that caused A's switch and B's switch to NOT learn their local "bad bad" MAC? Because C's switch learnt C's "bad bad" MAC. Does STP have anything to do with this? – ugn May 08 '19 at 15:54
  • Update: the "bad bad" MAC may not be the reason, and it may not be flooding either... this may be a "switch served as router when putting things onto the trunk port" – ugn May 08 '19 at 19:25
  • I have enough rep to upvote, but this is NOT the correct answer. – ugn May 09 '19 at 20:25
  • If it isn't then don't accept it as the answer. Wait and see if someone else chimes in and posts an answer for you. There's no rush to accept an answer. Someone else may have some better insight into the problem. – joeqwerty May 09 '19 at 21:05
  • Just a personal note: it is not that your answer is not correct for what I have stated. It is more because I didn't state the whole thing. – ugn May 10 '19 at 00:25
  • Understood. Hopefully someone else will weigh in. – joeqwerty May 10 '19 at 01:05
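
The check described in the question's PS (comparing every switch's MAC address table to find devices sharing one address) can be scripted. This is an added example, not part of the original thread; the one-row-per-entry table format, the switch names, port numbers and the `access`/`uplink` role column are constructed assumptions, and only the two MAC addresses come from the question.

```python
import re
from collections import defaultdict

# Constructed sample rows: "switch port mac role". role is "access" for a
# device-facing port and "uplink" for the port toward the big switch.
SAMPLE_TABLES = """\
small-1 3  00:ba:d0:0b:ad:00 access
small-1 5  00:09:91:02:9f:d0 access
small-2 7  00-BA-D0-0B-AD-00 access
small-2 24 00:09:91:02:9f:d0 uplink
small-3 2  00ba.d00b.ad00    access
big     1  00:ba:d0:0b:ad:00 uplink
big     2  00:09:91:02:9f:d0 uplink
"""


def normalize_mac(raw):
    """Accept colon, dash or dotted notation; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[.:-]", "", raw.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def find_duplicate_macs(table_text):
    """Return {mac: [(switch, port), ...]} for MACs on more than one access port.

    Uplink entries are ignored: a remote device's MAC is expected to show up
    on the uplink of every other switch, so only access ports locate a device.
    """
    seen = defaultdict(set)
    for line in table_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0].startswith("#"):
            continue  # skip blank lines, comments and malformed rows
        switch, port, mac, role = fields
        if role == "access":
            seen[normalize_mac(mac)].add((switch, port))
    return {mac: sorted(locs) for mac, locs in seen.items() if len(locs) > 1}


if __name__ == "__main__":
    for mac, locations in find_duplicate_macs(SAMPLE_TABLES).items():
        where = ", ".join(f"{sw} port {p}" for sw, p in locations)
        print(f"{mac} is attached at {len(locations)} places: {where}")
```
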