General suggestion: (Please refer to the appropriate AOS CLI Reference Guide for exact syntax)
It sounds like we're interested in identifying the ingress 'port' of the SRC_MAC?
On the controller/MD/BGW:
The datapath has built-in firewall traffic thresholds (see "show firewall | inc Rate"); if these are policing, that is a great indication of potential problems.
show datapath bwm
show datapath debug dma (ideally counts are zero)
show datapath cp-bwm table
If IGMP is enabled on the controller VLAN:
show ip igmp group, then "show ip igmp group maddr x.x.x.x"
(this is the L2 MAC forward table) - should reveal where the SRC_MAC is learned/ingressing.
show datapath bridge
show datapath frame spoofed-macs
If one has an idea of the actual traffic being, or to be, sent - packet-capture at the controller is helpful (see CLI Reference guide 'packet-capture').
------------------------------
Shawn Adams
------------------------------
Original Message:
Sent: Aug 22, 2024 02:16 PM
From: Flaquito
Subject: Help tracking down traffic problematic traffic
We recently had a problem show up where some broadcast traffic (DHCP, ARP, and IGMP) is being sent from our router's MAC address to the ethernet broadcast address, but not from our router, and only on one single VLAN. I used switch logs and MAC tables to track the traffic to one of our wireless controllers, but am struggling to track it further than that. We have a cluster of two 7220 controllers. The controllers don't seem to have any comprehensive MAC address table, and the router's MAC isn't showing up as a client. How can I figure out what the actual source of this unwanted traffic is?