Additional MAC addresses learned on Cisco ACI leaf ports for NSX Host Overlay VLAN

Article ID: 438739

Products

VMware NSX

Issue/Introduction

  • Cisco ACI leaf ports connected to ESXi hosts learn two MAC addresses on the Host Overlay/TEP VLAN.
  • One MAC address maps to the Host TEP IP address.
  • The second MAC address has no associated IP address in the switch CAM table.
  • The behaviour is inconsistent between different NSX domains.
  • These packets can be captured as they leave an ESXi host with the following command:
      pktcap-uw --uplink <vmnic-name> --dir 1 --ethtype 0x8922
    With similar output:

Environment

VMware NSX

Cause

This behavior occurs when Automatic Health Check is enabled within the NSX Transport Zone.
NSX sends Layer 2 probing packets (EtherType 0x8922) every 15 minutes to validate MTU and VLAN accessibility.
These packets use the Virtual/Shadow MAC address of the physical vmnics.
Since these are pure Layer 2 probes, they trigger MAC learning on the physical switch but do not contain IP headers, resulting in a MAC entry without an associated IP.
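To confirm that an IP-less MAC entry on a leaf port comes from these probes, the source MACs of the EtherType 0x8922 frames in a host capture can be compared with the switch entries. The following is an added example, not part of the original article or of any VMware or Cisco tooling; it assumes the capture was saved as a classic pcap file and that MACs are written colon-separated, and every MAC and frame in it is constructed sample data.

```python
import struct

PROBE_ETHERTYPE = 0x8922       # health-check probe EtherType, from the article
VLAN_TPIDS = {0x8100, 0x88A8}  # 802.1Q / 802.1ad tags that may precede the EtherType

def probe_source_macs(pcap):
    """Count source MACs of EtherType 0x8922 frames in a classic pcap (bytes)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or len(pcap) < 24 or struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap with Ethernet link type")
    seen, offset = {}, 24
    while offset + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[offset + 8:offset + 12])[0]
        frame = pcap[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        pos = 12  # EtherType follows the 6-byte destination and source MACs
        while int.from_bytes(frame[pos:pos + 2], "big") in VLAN_TPIDS:
            pos += 4  # skip a 4-byte VLAN tag (the TEP VLAN may be tagged)
        if len(frame) < pos + 2:
            continue  # truncated frame, no EtherType to read
        if int.from_bytes(frame[pos:pos + 2], "big") == PROBE_ETHERTYPE:
            mac = frame[6:12].hex(":")
            seen[mac] = seen.get(mac, 0) + 1
    return seen

def classify_ipless_macs(ipless_macs, pcap):
    """Map each IP-less MAC seen on the leaf to True if it sourced probe frames."""
    probes = probe_source_macs(pcap)
    return {mac: mac.lower() in probes for mac in ipless_macs}

def _frame(src, ethertype, vlan=None):
    # Constructed frame: zeroed placeholder destination MAC and payload.
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    return bytes(6) + bytes.fromhex(src.replace(":", "")) + tag + struct.pack("!H", ethertype) + bytes(46)

def sample_pcap():
    """Constructed capture: two tagged probes, one untagged probe, one IPv4 frame."""
    frames = [_frame("02:00:00:aa:00:01", 0x8922, 100)] * 2 + [
        _frame("02:00:00:aa:00:02", 0x8922), _frame("02:00:00:aa:00:03", 0x0800, 100)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    # Constructed list of IP-less MACs as they might be copied from the leaf.
    print(classify_ipless_macs(["02:00:00:AA:00:01", "02:00:00:AA:00:09"], sample_pcap()))
```

A MAC that maps to False was not seen sourcing probe frames in that capture, so the health check does not account for it and it needs separate investigation.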

Resolution

Log in to NSX Manager.

  1. Navigate to System > Fabric > Transport Zones.
  2. Select the Transport Zone and click Health Configuration.
  3. Check the status of Automatic Health Check.
  4. To stop the additional MAC learning, toggle the feature to Off. Note that this will disable the automated MTU and VLAN connectivity path monitoring provided by NSX.

Additional Information

Effects of enabling Automatic Health Check in an environment via NSX