We are experiencing mysterious network problems at the moment and we have numerous systems affected intermittently. The most obvious of which is LDAP.
Anyway, during the times of issues we seem to have phantom MAC addresses coming up in our wire traces. We are using the Cisco port mirroring monitoring and our Wireshark machine is plugged into that port with its second NIC, with no IP associated to that NIC.
Anyway, what we are seeing is that traffic destined to the target server from the core switch comes up with the correct destination IP, but the MAC address is wrong, and we get lots of “TCP segment of a reassembled PDU” messages coming through at the same time, but from different clients in to the server with the correct MAC.
We only see this on the core switch, not the switch the server is on.
It appears we do not have these coming through when we have rx set below on the core switch on the monitor session, but they are extremely prevalent when we have the tx flag set, and they are there when we do not have the rx or the tx set.
monitor session 1 source vlan ABC tx
monitor session 1 destination interface Gix/y/z
Are these phantom MACs a red herring?
We do not know enough about what is going on, but certainly they seem to be all over the show when we are having issues.