Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
10513
Views
0
Helpful
3
Replies

Basic troubleshooting Loop in L2 network by wireshark

daneth.mean
Level 1
Level 1

‎05-10-2011 02:37 AM - edited ‎03-06-2019 04:58 PM

Dear All,

I have been noticed that my LAN always get flapping MAC and now i found there are some device like TP link router has clone MAC enable with default factory and sometime it make flapping or looping from 2 differrent customers.

But anyway i would like to ask all of your help about this issue, is there any way to investigate such issue by wireshark to capure it.

It would be great if you can provide basic how to troubleshooting Loop network by wireshart.

May 10 15:59:07: %SW_MATM-4-MACFLAP_NOTIF: Host 74ea.3afc.0c0e in vlan 204 is flapping between port Gi0/26 and port Gi0/9
May 10 15:59:25: %SW_MATM-4-MACFLAP_NOTIF: Host 74ea.3afc.0c0e in vlan 204 is flapping between port Gi0/9 and port Gi0/12
May 10 15:59:37: %SW_MATM-4-MACFLAP_NOTIF: Host 74ea.3afc.0c0e in vlan 204 is flapping between port Gi0/12 and port Gi0/26
May 10 16:18:09: %SW_MATM-4-MACFLAP_NOTIF: Host 74ea.3afc.0c0e in vlan 204 is flapping between port Gi0/12 and port Gi0/9

Best Regards,

Danet

Labels:
0 Helpful
3 Replies 3

Antonio Knox
Level 7
Level 7

‎05-10-2011 04:55 AM

If what you want is to view the traffic between two ports, you can create a SPAN session which will mirror traffic between (in your case) the two ports in a given flap notification (or you can mirror all ports and filter the output at wireshark, your call).  At any rate the configuration is simple enough that you should be up and running in just a few minutes:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml

You shouldn't have to worry about the IOS version.  These commands are (for the most part) universal across platforms.

Hope that helps.

0 Helpful

daneth.mean
Level 1
Level 1
In response to Antonio Knox

‎05-11-2011 08:00 PM

Dear Antonio,

I really appreciate your reply and i have set up span to capture with wireshark but i feel difficult to find where is the souce device or souce mac device which caused this issue.

Could you please provice very basic on this troubleshooting.

Best Regards,

Danet

0 Helpful

Antonio Knox
Level 7
Level 7
In response to daneth.mean

‎05-12-2011 04:58 AM

According to the logs, 74ea.3afc.0c0e seems to be your problem child, if his mac is appearing on multiple interfaces I suspect a loop as you do.  You can track down the mac address location using:

Switch# show mac-address address 74ea.3afc.0c0e

Legend: * - primary entry
        age - seconds since last seen
        n/a - not available

  vlan   mac address     type    learn     age              ports
------+----------------+--------+-----+----------+--------------------------
*  10   74ea.3afc.0c0e   dynamic  Yes         30   Fa0/1

This will show you the port where you can find the mac-address in question, going from switch to switch if you need to based on the port information you're given from this command.  You can pretty much track down the mac-address all the way the the actual port where the device is connected using this command.

Let me know if you need more assistance.

0 Helpful
Customers Also Viewed These Support Documents