
flapping found on cisco 3850

donnie
Level 1

Hi all,

 

Below is the switch port configuration for all my ports which are not uplink ports.

switchport access vlan 2

switchport mode access

storm-control broadcast level 20.00 10.00

storm-control multicast level 20.00 10.00

spanning-tree portfast

spanning-tree bpduguard enable

spanning-tree guard root

 

There was an incident where a cable was mistakenly connected to 2 ports of the same switch stack, resulting in a lot of logs indicating flapping as shown below.

Host aaaa.bbbb.cccc in vlan 2 is flapping between port Gi3/1/4 and port Gi2/1/2.

 

Since my port is already configured with bpduguard and storm control, why do I still see the above?

TIA!

 

7 Replies

InayathUlla Sharieff
Cisco Employee

BPDUguard and Storm control are not related to this issue.

The issue which you reported is expected, as the switch is telling you that the same MAC address has been seen from two different ports, which is a kind of loop and not good at all.

BPDU guard will prevent a port from forwarding the BPDU packets out of its port.

 

HTH

Regards

Inayath

Hi Sharieff,

 

I missed out the part that my ports are also configured with a mac access-list. I did a test and found that if I remove my mac access-list, the BPDU guard works, and attempts to connect both ends of the same cable to the same switch would prevent a broadcast storm or flapping from happening. How can I still make sure BPDU guard works while still maintaining my mac access-list? TIA!

Hello Donnie,

 

Ideally I would think the BPDU guard would have kicked in and err-disabled the port as soon as it identified a BPDU being received. You already found that with the mac access list disabled, it works as expected. So could you please share the mac access-list configuration so we can have a look at it?

 

Thanks,

Madhu

Hi Madhu,

 

Below as requested

switch(config)# mac access-list testmac_access

switch(config-mac-acl)# permit 00c0.4f00.0000 any

switch(config-if)# mac access-group testmac_access in

 

TIA!

 

Hello Donnie,

Based on the configuration of your mac access-list, you are allowing only 00c0.4f00.0000 as source MAC for any frame arriving on this port. So if a frame with any other source MAC address arrives on this port, it will be dropped. So if a port is connected back to another port in the same switch by mistake, the switch receives the BPDU sent by the remote end. This frame will have a source MAC address of the other end port and destination MAC of 01:00:0C:CC:CC:CD, but it is dropped before it is processed by the CPU since you are not allowing it in the access-list. So you may not see the switch err-disabling the port due to BPDU guard.

This is the only theory I can think of.

Hope this helps and please remember to rate all useful posts.

Thanks,

Madhu.

Hi Madhu,

 

Any way to have the mac access-list and BPDU guard effective at the same time? Thank you.

I did not get a chance to test it, but to me it may not be possible (not 100% sure).

 

Thanks,

Madhu.
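The thread leaves open whether BPDU guard and the MAC access-list can work together, so the flapping messages quoted in the original post remain the visible sign of a looped cable between edge ports. The following is an added example, not code from any poster in this thread: it parses log lines in that message format and reports port pairs where both ends are access ports. The sample lines, the `ACCESS_PORTS` set, the `min_events` threshold and the function name are constructed assumptions.

```python
import re
from collections import defaultdict

# Message body as quoted in the original post; any syslog prefix is ignored.
FLAP_RE = re.compile(
    r"Host (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) in vlan (?P<vlan>\d+) "
    r"is flapping between port (?P<a>\S+) and port (?P<b>\S+)",
    re.IGNORECASE,
)

def find_edge_loops(lines, access_ports, min_events=3):
    """Report port pairs with repeated MAC flapping where both ends are edge ports.

    Flapping between two access ports is a loop candidate: frames are
    crossing between the two ports and neither port has been shut down.
    """
    events = defaultdict(int)   # (vlan, port pair) -> number of flap messages
    hosts = defaultdict(set)    # (vlan, port pair) -> distinct MACs seen flapping
    for line in lines:
        m = FLAP_RE.search(line)
        if not m:
            continue
        # Order-independent pair; strip the sentence-ending period from port b.
        pair = tuple(sorted((m["a"], m["b"].rstrip("."))))
        key = (int(m["vlan"]), pair)
        events[key] += 1
        hosts[key].add(m["mac"].lower())
    findings = []
    for (vlan, pair), count in sorted(events.items()):
        if count >= min_events and all(p in access_ports for p in pair):
            findings.append({"vlan": vlan, "ports": pair, "events": count,
                             "hosts": len(hosts[(vlan, pair)])})
    return findings

# Constructed sample log lines in the format quoted in the original post.
SAMPLE = """\
Host aaaa.bbbb.cccc in vlan 2 is flapping between port Gi3/1/4 and port Gi2/1/2.
Host aaaa.bbbb.cccc in vlan 2 is flapping between port Gi2/1/2 and port Gi3/1/4.
Host aaaa.bbbb.dddd in vlan 2 is flapping between port Gi3/1/4 and port Gi2/1/2.
Host aaaa.bbbb.eeee in vlan 2 is flapping between port Gi1/1/1 and port Gi2/1/7.
Interface Gi2/1/9 changed state to up
""".splitlines()

# Assumption: ports that carry the access-port configuration from the original post.
ACCESS_PORTS = {"Gi2/1/2", "Gi3/1/4", "Gi2/1/7"}

if __name__ == "__main__":
    for finding in find_edge_loops(SAMPLE, ACCESS_PORTS):
        print(finding)
```

A pair that includes a port outside `ACCESS_PORTS` (for example an uplink) is not reported, since flapping there can have other causes.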