Cisco ACI Reports SSP IP's Detected on Multiple MAC Addresses


Article ID: 424048


Products

  • VMware vDefend Firewall
  • VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

Cisco ACI reports alerts indicating that the same IP address is detected on multiple MAC addresses.

“The IP address has been detected on multiple MAC addresses. This may indicate a duplicate IP configuration on external devices or endpoints.”

From vCenter:

  • The SSPi VM is configured with a single vNIC.
  • No NIC teaming or duplicate IP configuration is present.
  • Portgroup security settings (forged transmits, MAC changes, promiscuous mode) are correctly configured.

Environment

SSP 5.x

Cause

This behavior is expected by design in Kubernetes environments using Antrea CNI.

  • The SSPi management VM hosts a Kubernetes node.
  • The physical interface (eth0) holds the node IP address.
  • Antrea CNI dynamically creates:
        Virtual interfaces (veth pairs)
        Gateway interfaces (e.g., antrea-gw0)
        Overlay tunnel interfaces (Geneve)
  • These interfaces are used to route:
        Pod-to-pod traffic
        Pod-to-external traffic

During this process, traffic may be sourced using the same node IP but through different internal interfaces with distinct MAC addresses.

Cisco ACI detects this behavior at the fabric level and reports it as the same IP being learned from multiple MAC addresses. This does not indicate an IP conflict or misconfiguration at the VM or vCenter level.

Resolution

No corrective action is required on SSP or vCenter.

This behavior is normal and expected for Kubernetes-based management clusters using Antrea CNI.

Additional Information

This behavior is not limited to the SSP VM. It also applies to the Node Pool IP range: Control Plane (CP) nodes and Worker Nodes.



Sample output from a CP node:

ifconfig -a

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.x.x.x  netmask 255.255.255.0
        ether 00:50:56:aa:bb:cc
        RX packets 169830170  TX packets 149102643

antrea-gw0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1450
        inet 172.x.x.x  netmask 255.255.255.0
        ether 72:01:6b:79:eb:b3
        RX packets 3964363  TX packets 4704741

genev_sys_6081: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 65000
        ether 32:f5:da:a6:9c:1c
        RX packets 9819790  TX packets 10015439

antrea-egress0: flags=130<BROADCAST,NOARP>  mtu 1500
        ether d2:6c:38:d8:8b:1b

ovs-system: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether 3e:08:6f:f1:f1:16

coredns-* (veth): flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1450
        ether 2e:06:f3:16:1e:71

cert-manager-* (veth): flags=4163<UP,BROADCAST,RUNNING,MULTICAST>
        ether 4a:e1:c1:73:a0:97

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1
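
One way to confirm that every MAC listed in an ACI alert for a node IP belongs to that node's own interfaces, as in the sample output above. This is an added example, not part of the original article: the alert MAC list, the 10.0.0.10 address and the 02:00:00:00:00:99 MAC are constructed, and because the page does not show the alert's MAC notation, the code accepts colon, dash or dotted forms.

```python
import re

# Constructed sample in the shape of the `ifconfig -a` output shown above.
SAMPLE_IFCONFIG = """\
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.10  netmask 255.255.255.0
        ether 00:50:56:aa:bb:cc
antrea-gw0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1450
        ether 72:01:6b:79:eb:b3
genev_sys_6081: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 65000
        ether 32:f5:da:a6:9c:1c
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
"""

IFACE_RE = re.compile(r"^(\S[^:]*):\s+flags=")   # interface header line
ETHER_RE = re.compile(r"^\s+ether\s+(\S+)")      # indented MAC line

def normalize_mac(mac):
    """Reduce colon, dash or dotted MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def local_macs(ifconfig_text):
    """Map each normalized MAC in `ifconfig -a` output to its interface name."""
    macs, iface = {}, None
    for line in ifconfig_text.splitlines():
        header = IFACE_RE.match(line)
        if header:
            iface = header.group(1)
            continue
        ether = ETHER_RE.match(line)
        if ether and iface:
            macs[normalize_mac(ether.group(1))] = iface
    return macs

def classify_alert_macs(ifconfig_text, alert_macs):
    """Split alert MACs into node-local (expected) and unknown (investigate)."""
    known = local_macs(ifconfig_text)
    expected = {m: known[normalize_mac(m)] for m in alert_macs if normalize_mac(m) in known}
    unknown = [m for m in alert_macs if normalize_mac(m) not in known]
    return expected, unknown

if __name__ == "__main__":
    # Constructed alert data: two MACs from the node, one that is not on it.
    alert = ["00:50:56:AA:BB:CC", "7201.6b79.ebb3", "02:00:00:00:00:99"]
    expected, unknown = classify_alert_macs(SAMPLE_IFCONFIG, alert)
    print("expected (node-local):", expected, "| unknown:", unknown)
```

A MAC that lands in the unknown list is not accounted for by the node's Antrea interfaces, so the explanation in this article does not cover it.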