Hi!

Since quite a long time our 3Com SuperStack-III 3300 Switches are queried
via SNMP for their MAC<->Port table. This is at MIB .1.3.6.1.2.1.17.4.3.1.
Here in the group I found out that this has the name
BRIDGE-MIB::dot1dTpFdbTable.

Ok, there are scripts which read out the tables and reverse the list that
it is sorted by Ports instead of MACs. This can be viewed at an internal
web site.

So far so nice. Today I wanted to find some ports from which I knew the
MACs. Unfortunately, all (!) switches told me that some of MACs are at the
backbone ports (Gigabit Fiber Modules).

Our Topology is as follows:

User
|
[Stack 1] [Stack 2] [Stack 3]
\________/ \________/ <---- backbone.

Stack 1 has 4 switches, Stack 2 and 3 have 3 switches each. The user I
wanted to find is connected to stack 2. This I know for sure.

When I do a snmpwalk over the Stack 2's dot1dTpFdbTable it tells me, that
the MAC address belongs to the interface for the backbone to Stack 1. This
is wrong, because the User is connected to a normal port at Stack 2!

When I ask Stack 1 it tells me that the user is reachable via the backbone
interface to Stack 2. This is correct. Stack 3 btw. doesn't know anything
of that user, seems there has not been traffic between them.

I wanted to search 9 user PCs and only 3 of them have been listed. The
other 6 are "hidded" at the backbone ports.

How can that be, that both stacks "think" that the MAC can be found at the
opposite one? I'm sure the User's PC was on today. The aging time is set
to 1.000.000 seconds (more then 10 days).

BTW: Currently we have a virus epedemy in our network. MSBlaster (and
probably a second one) are sending massively packets to Port 135 and try
to ping. They seem to try every network address they can reach. Counting
from 192.168.0.1 upwards. 192.171.xxx.xxx and higher I've seen. All the
hosts I'm searching have this virus. Is it possible that this traffic or
forged packets are there?

Thanks for your tips!

Bye
Hansi