cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1047
Views
0
Helpful
11
Replies
Highlighted
Beginner

Incorrect MAC logs in 4507 Switches ,

Sep  1 20:13:11: %C4K_IOSINTF-5-INCORRECTSRCMAC: Source mac (78da.6e09.f3bf) in the packet matches the source mac of the router on interface Gi5/2
Sep  1 20:13:15: %C4K_IOSINTF-5-INCORRECTSRCMAC: Source mac (78da.6e09.f3bf) in the packet matches the source mac of the router on interface Gi5/2
Sep  1 20:22:22: %C4K_IOSINTF-5-INCORRECTSRCMAC: Source mac (78da.6e09.f3bf) in the packet matches the source mac of the router on interface Gi5/2

Above logs observed in user connected 4 switches , its changing ports after some interval of times.Can somebody help what may be the issue ?

if i use sh ip arp | in  78da.6e09.f3bf , getting VLAN & Port-channel IP

11 REPLIES 11
Highlighted
Cisco Employee

%C4K_IOSINTF-5-INCORRECTSRCMAC: Source mac ([mac-addr]) in the packet
matches the source mac of the router/VRRP/HSRP mac on interface [char]

The client that is authenticating has a reserved source MAC address. This
can occur when a client MAC address is misconfigured, or when the system is
under attack.

Recommended Action: Block the MAC address and investigate the source device.

https://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi?action=search
<https://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi?action=search&
counter=0&paging=5&links=reference&index=all&query=%25C4K_IOSINTF-5-INCORREC
TSRCMAC>
&counter=0&paging=5&links=reference&index=all&query=%25C4K_IOSINTF-5-INCORRE
CTSRCMAC:
 
This could due to a loop in the network. The issue needs to be troubleshoot
it when it is happening in order to find what is causing the loop on the
network. 

 Kindly provide  a "show cdp neigh g5/2" for the ports showing the errors
and a "show mac address-table interface gi5/2" of the ports showing the
error.

 

HTH

Inayath

Highlighted

 

show arp | in 78da.6e09.f3bf
.. Check for Vlan and port-channel number.
- Port-channel number--Check the interfaces which are part of port-channel.
-- Then check to which switch those interfaces are connected to---
-- this way you need to go to the end of the leaf node untill you find the mac address (78da.6e09.f3bf).

Highlighted

Tried as per above suggestion , but still above MAC is learning via Port-channel or port members of this port channel.I am not able to find the end user port from where this MAC is learning.

Also this mac is showing as hardware address 

 

sh int po12 | in 78da.6e09.f3bf
  Hardware is EtherChannel, address is 78da.6e09.f3bf (bia 78da.6e09.f3bf)

sh int vl20 | in 78da.6e09.f3bf
  Hardware is Ethernet SVI, address is 78da.6e09.f3bf (bia 78da.6e09.f3bf)
cz2r2-users#

sh int gi3/3 | in  78da.6e09.f3bf
  Hardware is Gigabit Ethernet Port, address is 78da.6e09.f3bf (bia 78da.6e09.f3bf)

Highlighted

Hi,

Can you do:

- show mac-address-table | in 78da.6e09.f3bf (or show mac address-table | in 78da.6e09.f3bf )

- Look at the given ports

- Follow the previously given steps from insharie


"- Then check to which switch those interfaces are connected to---
- this way you need to go to the end of the leaf node untill you find the mac address (78da.6e09.f3bf)."

 

Kind regards,

- Ed

Highlighted

It is local to this switch

show mac address-table | in 78da.6e09.f3bf
  10      78da.6e09.f3bf    static ip,ipx,assigned,other Switch                     
  20      78da.6e09.f3bf    static ip,ipx,assigned,other Switch                     
Po12      78da.6e09.f3bf    static ip,ipx,assigned,other Switch                     
Po13      78da.6e09.f3bf    static ip,ipx,assigned,other Switch 

other 2 user switches showing similar behavior  which are connected to core switch via port channels.not able to find this MAC in any other switch

Highlighted

Can you provide "show interface | in GigabitEthernet|78da.6e09.f3bf ", please?

I would like to assume port Gi3/3 owns the authentic BIA mac address per your feedback but I want to assure it.

sh int gi3/3 | in  78da.6e09.f3bf
  Hardware is Gigabit Ethernet Port, address is 78da.6e09.f3bf (bia 78da.6e09.f3bf)

Every time the issue occurs, the MAC address table should be learning two ports for the same MAC address. One may lead to the authentic port, whereas the other may lead to the source of the loop or an end node. The latter, by following the procedure mentioned by Inayath.

Highlighted

Hi,

show interface | in GigabitEthernet|78da.6e09.f3bf


TenGigabitEthernet3/1 is administratively down, line protocol is down (disabled) 
  Hardware is Ten Gigabit Ethernet Port, address is 78da.6e09.f3bf (bia 78da.6e09.f3bf)
TenGigabitEthernet3/2 is administratively down, line protocol is down (disabled) 
  Hardware is Ten Gigabit Ethernet Port, address is 78da.6e09.f3bf (bia 78da.6e09.f3bf)
GigabitEthernet3/3 is up, line protocol is up (connected) 
  Hardware is Gigabit Ethernet Port, address is 78da.6e09.f3bf (bia 78da.6e09.f3bf)
GigabitEthernet3/4 is up, line protocol is up (connected) 
  Hardware is Gigabit Ethernet Port, address is 78da.6e09.f3bf (bia 78da.6e09.f3bf)
GigabitEthernet3/5 is up, line protocol is up (connected) 
  Hardware is Gigabit Ethernet Port, address is 78da.6e09.f3bf (bia 78da.6e09.f3bf)
GigabitEthernet3/6 is up, line protocol is up (connected) 
  Hardware is Gigabit Ethernet Port, address is 78da.6e09.f3bf (bia 78da.6e09.f3bf)
GigabitEthernet5/1 is down, line protocol is down (notconnect) 
GigabitEthernet5/2 is up, line protocol is up (connected) 

 Hardware is EtherChannel, address is 78da.6e09.f3bf (bia 78da.6e09.f3bf)
  Hardware is EtherChannel, address is 78da.6e09.f3bf (bia 78da.6e09.f3bf)
  Hardware is Ethernet SVI, address is 78da.6e09.f3bf (bia 78da.6e09.f3bf)
  Hardware is Ethernet SVI, address is 78da.6e09.f3bf (bia 78da.6e09.f3bf)
  Hardware is Ethernet SVI, address is 78da.6e09.f3bf (bia 78da.6e09.f3bf)

removed other ports up down from above output.

 

Highlighted

hmm..interesting. I see you have already open the TAC case for this...probably we will work on the TAC case to see if we are hitting any bug or known issue.

 

HTH

Regards

Inayath

Highlighted

Yes , i was just checking on forum if anybody came across similar issue 

Highlighted

Are your PortChannels "on" or negotiated?  It sounds like the sort of thing that can happen when one end of a link thinks it has a PortChannel and the other end does not.

 

Kevin Dorrell
Luxembourg

Highlighted

Hi Inayath,

Thanks for reply.

All the ports showing in logs are end user port , there is no cisco device in sh cdp ne , 

 

SH MAC ADDress-table INT GI5/2 


Multicast Entries
 vlan      mac address     type    ports
---------+---------------+-------+--------------------------------------------
  10      ffff.ffff.ffff   system Gi1/7,Gi1/9,Gi1/11,Gi1/22,Gi1/33,Gi1/47
                                  Gi2/7,Gi2/13,Gi2/15,Gi2/20,Gi2/29,Gi2/31
                                  Gi2/33,Gi2/37,Gi2/46,Gi2/48,Gi5/2,Gi5/24
                                  Gi5/28,Gi5/32,Gi5/34,Gi5/35,Gi5/37,Gi5/38
                                  Gi5/39,Gi5/40,Gi5/41,Gi5/42,Gi5/43,Gi5/44
                                  Gi5/47,Gi5/48,Gi6/2,Gi6/3,Gi6/4,Gi6/5,Gi6/6
                                  Gi6/11,Gi6/13,Gi6/15,Gi6/17,Gi6/19,Gi6/21
                                  Gi6/23,Gi6/29,Switch
  20      ffff.ffff.ffff   system Gi1/7,Gi1/9,Gi1/11,Gi1/22,Gi1/33,Gi1/47
                                  Gi2/7,Gi2/13,Gi2/15,Gi2/20,Gi2/29,Gi2/31
                                  Gi2/33,Gi2/37,Gi2/46,Gi2/48,Gi5/2,Gi5/24
                                  Gi5/28,Gi5/32,Gi5/34,Gi5/35,Gi5/37,Gi5/38
                                  Gi5/39,Gi5/40,Gi5/41,Gi5/42,Gi5/43,Gi5/44
                                  Gi5/47,Gi5/48,Gi6/2,Gi6/3,Gi6/4,Gi6/5,Gi6/6
                                  Gi6/11,Gi6/13,Gi6/15,Gi6/17,Gi6/19,Gi6/21
                                  Gi6/23,Gi6/29,Switch

GI5/2 is up , but not sure why not showing the Source MAC .

we are receiving these logs in all 4 LAN switches.

 

Content for Community-Ad