
OPERATIONAL DEFECT DATABASE

ARP requests and other Layer 2 traffic with a broadcast destination address are NOT flooded to all ports on the same VLAN. In addition, the following message may be seen in the device logs:

%MTM-SLOT3-2-MULTICAST_SOURCE_MAC_LEARNT: Inserted dynamically learnt multicast source mac ff:ff:ff:ff:ff:ff!

This message may not be seen in all cases, though. The best way to verify is to check whether the broadcast MAC is learned in the MAC table:

N7K# sh hardware mac address-table | i ffff

Replace with the module number of the F2 card

Upon receiving a Layer 2 frame with a broadcast source address (FFFF.FFFF.FFFF), the F2 line card learns this address and adds it to its hardware table. With this entry in the hardware table, Layer 2 traffic with a broadcast destination address (such as ARP requests) is dropped on the Nexus 7000 device because the ingress controller fails to flood it to the broadcast domain.

Clear the entry from the dynamic MAC address table by executing the following command from a privileged EXEC prompt:

clear mac address dynamic address ffff.ffff.ffff vlan x

Replace "x" with the appropriate VLAN number.

PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.1/5.8:

http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:A/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:U/RC:C&version=2.0

CVE ID CVE-2012-3048 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
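
A defender-side check for the condition described above, as an added example that is not part of the original bug record or any Cisco tooling: it scans syslog lines for the quoted message, searches saved MAC-table output for the broadcast MAC in any notation, and classifies the source address of captured Ethernet frames (useful because the log message is not always emitted). The function names, the sample timestamps, the second log line, the table lines and both frames are constructed for illustration.

```python
import re

BROADCAST = "ffffffffffff"
# Pattern follows the log message quoted on this page; slot number and MAC vary.
LOG_RE = re.compile(
    r"%MTM-SLOT(\d+)-\d+-MULTICAST_SOURCE_MAC_LEARNT:.*?\bmac\s+([0-9A-Fa-f.:-]+)")

def norm_mac(text):
    """Reduce ff:ff:.., ffff.ffff.ffff or ff-ff-.. to bare lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", text.lower())

def slots_from_logs(lines):
    """Slot numbers that logged learning the broadcast MAC as a source address."""
    hits = {int(m.group(1)) for m in map(LOG_RE.search, lines)
            if m and norm_mac(m.group(2)) == BROADCAST}
    return sorted(hits)

def table_hits(output):
    """Lines of MAC-table output that contain the broadcast MAC.
    Matches per whitespace token, so no column layout is assumed."""
    return [ln for ln in output.splitlines()
            if any(norm_mac(tok) == BROADCAST for tok in ln.split())]

def bad_source(frame):
    """Classify an Ethernet frame's source MAC (bytes 6-11 of the header)."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    src = frame[6:12]
    if src == b"\xff" * 6:
        return "broadcast"
    # I/G bit set in the first octet means a group address, never a valid source.
    return "multicast" if src[0] & 0x01 else None

# Constructed samples (not real device output).
LOGS = [
    "2012 Jan 01 00:00:00 N7K %MTM-SLOT3-2-MULTICAST_SOURCE_MAC_LEARNT: "
    "Inserted dynamically learnt multicast source mac ff:ff:ff:ff:ff:ff!",
    "2012 Jan 01 00:00:05 N7K %MTM-SLOT4-2-MULTICAST_SOURCE_MAC_LEARNT: "
    "Inserted dynamically learnt multicast source mac 01:00:5e:00:00:01!",
]
TABLE = "  10   ffff.ffff.ffff   dynamic\n  10   0011.2233.4455   dynamic"
BAD_FRAME = b"\xff" * 6 + b"\xff" * 6 + b"\x08\x06"
GOOD_FRAME = b"\xff" * 6 + bytes.fromhex("001122334455") + b"\x08\x06"

if __name__ == "__main__":
    print("slots reporting broadcast source MAC:", slots_from_logs(LOGS))
    print("MAC-table lines to clear:", table_hits(TABLE))
    print("frame verdicts:", bad_source(BAD_FRAME), bad_source(GOOD_FRAME))
```
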