Host Flapping between ports fix?

ahmad82pkn
Level 3

Hi, in our network we have a few hubs connected. Sometimes, if an end user connects two ports of a hub to a tail Cisco switch (normally only one port from the hub should be connected to the Cisco switch), we see host MAC address flapping alerts like this.

Oct  3 12:49:05.656: %SW_MATM-4-MACFLAP_NOTIF: Host f04d.a206.7fd6 in vlan 1 is flapping between port Gi0/16 and port Gi0/5

Oct  3 12:49:15.941: %SW_MATM-4-MACFLAP_NOTIF: Host f04d.a206.7fd6 in vlan 1 is flapping between port Gi0/5 and port Gi0/16

Oct  3 12:49:32.886: %SW_MATM-4-MACFLAP_NOTIF: Host f04d.a206.7fd6 in vlan 1 is flapping between port Gi0/16 and port Gi0/5

Oct  3 12:49:51.928: %SW_MATM-4-MACFLAP_NOTIF: Host f04d.a206.7fd6 in vlan 1 is flapping between port Gi0/16 and port Gi0/5

Oct  3 12:50:36.304: %SW_MATM-4-MACFLAP_NOTIF: Host 000c.29bc.f02f in vlan 1 is flapping between port Gi0/23 and port Gi0/16

Is there any way I can prevent it from happening again? This sort of loop causes network slowness and sometimes phone logout issues in the center.


Arumugam Muthaiah
Cisco Employee

Hi,

A MAC Flap is caused when a switch receives packets from two different interfaces with the same source MAC address. If you are getting the behaviour for a lot of other MACs, that most likely is a layer 2 loop.

  • Check the network switches for misconfigurations that might cause a data-forwarding loop.
  • If you aren't running spanning-tree, turn it on.
  • To track down a loop, you start with the #show mac-address-table address [flapping mac] command.
  • We see that the MAC is coming in on ports gi0/5 and gi0/16. One port will lead us to where that MAC is plugged in and the other will lead us to the loop. Pick a port and start working through.
  • Or some load balancing techniques can send traffic to both ports, and that would cause the switch to go crazy, since it is receiving traffic from the same MAC on two or more different ports.
  • To fix this type of LB, make it active/standby, or make sure the server uses two different MAC addresses, one per NIC.

Regards,

Aru

*** Please rate if the post is useful ***

Hi, Arumugam,

I have found out the cause of the issue already. I know why this happened, and I have tracked down that someone mistakenly connected the second port of the wireless hub to the Cisco switch as well, although the first port of the hub was already connected to the Cisco switch.

So a wireless hub with two cables connected to the Cisco switch caused the issue.

Now my concern is how I can avoid it in future, if someone makes this mistake again?

Is there any port-level configuration I can do to avoid it?

Hi,

You can use the port-security feature to avoid this kind of issue.

Use the switchport port-security interface configuration command without keywords to enable port security on the interface. Use the keywords to configure secure MAC addresses, sticky MAC address learning, a maximum number of secure MAC addresses, or the violation mode.

Use the no form of this command to disable port security or to set the parameters to their default states.

switchport port-security [aging] [violation {protect | restrict | shutdown | shutdown vlan}]

violation - (Optional) Set the security violation mode or the action to be taken if port security is violated. The default is shutdown.

protect - Set the security violation protect mode. In this mode, when the number of port secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.

Note We do not recommend configuring the protect mode on a trunk port. The protect mode disables learning when any VLAN reaches its maximum limit, even if the port has not reached its maximum limit.

restrict - Set the security violation restrict mode. In this mode, when the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.

shutdown - Set the security violation shutdown mode. In this mode, the interface is error-disabled when a violation occurs and the port LED turns off. An SNMP trap is sent, a syslog message is logged, and the violation counter increments. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands.

Regards,

Aru

*** Please rate if the post is useful ***

ALIAOF_
Level 6

You should not allow hubs in your network, especially in this day and age.

Secondly, end users should not be allowed to connect hubs to the switches.

Third, you can just disable all the unused ports on the switches as a best practice, so even if a user connects two ports for whatever reason it will not have any effect.

Yes, I agree with your point. I am actually looking after four dozen remote sites, and they have justifications like "we have wiring issues in this room and more users need to be seated and we have no options", blah blah. So I have to live with it.

I can shut unused ports, but since many people at the sites are laptop users, at any time of day there will be open ports for sure, and so a chance of this happening again.

I guess there is no one rule to fix this; I just initiated this thread to see if someone has done some majestic workaround for this.

Thank you both for the input so far.

Hi,

Assuming you're running Spanning-Tree.

Are you able to turn BPDU guard on on your access ports? This would have error-disabled the port in question, preventing the loop.

A better explanation:

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a008009482f.shtml

Cheers

David

Other than BPDU guard, you can also set up ports with port security and only allow a single MAC through them. Set the violation to shut down the port. So if someone connects a switch and that port sees multiple MACs, it will shut down the port.
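As an added example (not code from anyone in this thread), a Python script that parses the %SW_MATM-4-MACFLAP_NOTIF lines from the question to find the port common to every flapping pair, and renders the interface hardening the replies above describe (port-security capped at 2 MACs for PC plus phone, violation restrict, BPDU guard). The sample log lines are copied from the question; the function names and the choice of restrict over shutdown are assumptions of this example.

```python
import re
from collections import Counter, defaultdict

# Matches the %SW_MATM-4-MACFLAP_NOTIF message format quoted in the question.
FLAP_RE = re.compile(
    r"%SW_MATM-4-MACFLAP_NOTIF: Host (?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}) "
    r"in vlan (?P<vlan>\d+) is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)"
)

# Constructed sample input: the five syslog lines from the question.
SAMPLE_LOG = """\
Oct  3 12:49:05.656: %SW_MATM-4-MACFLAP_NOTIF: Host f04d.a206.7fd6 in vlan 1 is flapping between port Gi0/16 and port Gi0/5
Oct  3 12:49:15.941: %SW_MATM-4-MACFLAP_NOTIF: Host f04d.a206.7fd6 in vlan 1 is flapping between port Gi0/5 and port Gi0/16
Oct  3 12:49:32.886: %SW_MATM-4-MACFLAP_NOTIF: Host f04d.a206.7fd6 in vlan 1 is flapping between port Gi0/16 and port Gi0/5
Oct  3 12:49:51.928: %SW_MATM-4-MACFLAP_NOTIF: Host f04d.a206.7fd6 in vlan 1 is flapping between port Gi0/16 and port Gi0/5
Oct  3 12:50:36.304: %SW_MATM-4-MACFLAP_NOTIF: Host 000c.29bc.f02f in vlan 1 is flapping between port Gi0/23 and port Gi0/16
"""

def parse_flaps(log_text):
    """Group flaps as {(vlan, (portA, portB)): Counter({mac: n})}; the port pair
    is sorted so 'Gi0/16 and Gi0/5' and 'Gi0/5 and Gi0/16' merge."""
    flaps = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FLAP_RE.search(line)
        if m:
            pair = tuple(sorted((m["p1"], m["p2"])))
            flaps[(int(m["vlan"]), pair)][m["mac"]] += 1
    return flaps

def rank_ports(flaps):
    """Count flap events per port; the port common to every pair is the one to
    inspect first (here Gi0/16, the side the double-cabled hub hangs off)."""
    hits = Counter()
    for (_vlan, pair), macs in flaps.items():
        for port in pair:
            hits[port] += sum(macs.values())
    return hits

def harden_access_port(port, max_macs=2):
    """IOS interface config from the replies: port-security capped at PC+phone
    with violation restrict (drops, logs, counts), plus BPDU guard."""
    return [
        f"interface {port}",
        " switchport mode access",
        " switchport port-security",
        f" switchport port-security maximum {max_macs}",
        " switchport port-security violation restrict",
        " spanning-tree portfast",
        " spanning-tree bpduguard enable",
    ]
```

Hub uplinks need a higher maximum (or to be left out), as the original poster plans, otherwise restrict mode drops the hub's extra hosts; the port ranking only says where to run show mac address-table first.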

How about setting up wireless for the laptop users?

ahmad82pkn
Level 3

Thank you all; I will try these options. I had them in my checklist and was hoping to explore more options.

But these are enough to get this fixed.

Let me dig in, starting with gathering all the hubs' information first, and then only allowing them multiple MACs and restricting the others to 2 MACs, since PC and phone both connect through a single port.

Hi Guys,

In my context, how should I proceed in case of a flapping MAC address on two router interfaces?

(attached image: flapping.png)

Thanks!
