That is likely because either VLAN tagging was turned on by default in TOS3.x or a lot users turned it on and therefore routed Lan traffic through the CPU anyway
and that is what
is replicating.
A a better solution of course would be if DSA or bridge driver would communicate with the switch’s ATU with updates of MAC address on upstream ports.