A server admin reported abnormally high traffic on one of his Windows 2008 machines (1.1.1.9). A Wireshark capture shows a TMG server on the network (1.1.1.1) sending packets destined to 1.1.1.2. 1.1.1.2 is a Microsoft NLB VIP. The EX4200 switch has a static multicast MAC ARP entry associating 1.1.1.2 with MAC 03:bf:0a:1d:5a:45. 1.1.1.9 is not part of the NLB cluster and has no association with it.
I'm at a loss to know why these packets are arriving at a device for which they aren't intended. At an IP level they are unicast packets. The MAC of 1.1.1.9, according to all the machines' ARP caches, has nothing to do with the packets' details.
My understanding of multicast and its use in NLB is minimal, but I can't see why this traffic would be appearing on machines it's not intended for. Any ideas?