show arp | in 78da.6e09.f3bf
.. Check for Vlan and port-channel number.
- Port-channel number--Check the interfaces which are part of port-channel.
-- Then check to which switch those interfaces are connected to---
-- this way you need to go to the end of the leaf node untill you find the mac address (78da.6e09.f3bf).

Tried as per above suggestion , but still above MAC is learning via Port-channel or port members of this port channel.I am not able to find the end user port from where this MAC is learning.

Also this mac is showing as hardware address 

sh int po12 | in 78da.6e09.f3bf
  Hardware is EtherChannel, address is 78da.6e09.f3bf (bia 78da.6e09.f3bf)

sh int vl20 | in 78da.6e09.f3bf
  Hardware is Ethernet SVI, address is 78da.6e09.f3bf (bia 78da.6e09.f3bf)
cz2r2-users#

sh int gi3/3 | in  78da.6e09.f3bf
  Hardware is Gigabit Ethernet Port, address is 78da.6e09.f3bf (bia 78da.6e09.f3bf)

Hi,

Can you do:

- show mac-address-table | in 78da.6e09.f3bf (or show mac address-table | in 78da.6e09.f3bf )

- Look at the given ports

- Follow the previously given steps from insharie

"- Then check to which switch those interfaces are connected to---
- this way you need to go to the end of the leaf node untill you find the mac address (78da.6e09.f3bf)."

Kind regards,

- Ed

It is local to this switch

show mac address-table | in 78da.6e09.f3bf
  10      78da.6e09.f3bf    static ip,ipx,assigned,other Switch                     
  20      78da.6e09.f3bf    static ip,ipx,assigned,other Switch                     
Po12      78da.6e09.f3bf    static ip,ipx,assigned,other Switch                     
Po13      78da.6e09.f3bf    static ip,ipx,assigned,other Switch 

other 2 user switches showing similar behavior  which are connected to core switch via port channels.not able to find this MAC in any other switch

Can you provide "show interface | in GigabitEthernet|78da.6e09.f3bf ", please?

I would like to assume port Gi3/3 owns the authentic BIA mac address per your feedback but I want to assure it.

sh int gi3/3 | in  78da.6e09.f3bf
  Hardware is Gigabit Ethernet Port, address is 78da.6e09.f3bf (bia 78da.6e09.f3bf)

Every time the issue occurs, the MAC address table should be learning two ports for the same MAC address. One may lead to the authentic port, whereas the other may lead to the source of the loop or an end node. The latter, by following the procedure mentioned by Inayath.

Hi,

show interface | in GigabitEthernet|78da.6e09.f3bf

TenGigabitEthernet3/1 is administratively down, line protocol is down (disabled) 
  Hardware is Ten Gigabit Ethernet Port, address is 78da.6e09.f3bf (bia 78da.6e09.f3bf)
TenGigabitEthernet3/2 is administratively down, line protocol is down (disabled) 
  Hardware is Ten Gigabit Ethernet Port, address is 78da.6e09.f3bf (bia 78da.6e09.f3bf)
GigabitEthernet3/3 is up, line protocol is up (connected) 
  Hardware is Gigabit Ethernet Port, address is 78da.6e09.f3bf (bia 78da.6e09.f3bf)
GigabitEthernet3/4 is up, line protocol is up (connected) 
  Hardware is Gigabit Ethernet Port, address is 78da.6e09.f3bf (bia 78da.6e09.f3bf)
GigabitEthernet3/5 is up, line protocol is up (connected) 
  Hardware is Gigabit Ethernet Port, address is 78da.6e09.f3bf (bia 78da.6e09.f3bf)
GigabitEthernet3/6 is up, line protocol is up (connected) 
  Hardware is Gigabit Ethernet Port, address is 78da.6e09.f3bf (bia 78da.6e09.f3bf)
GigabitEthernet5/1 is down, line protocol is down (notconnect) 
GigabitEthernet5/2 is up, line protocol is up (connected) 

 Hardware is EtherChannel, address is 78da.6e09.f3bf (bia 78da.6e09.f3bf)
  Hardware is EtherChannel, address is 78da.6e09.f3bf (bia 78da.6e09.f3bf)
  Hardware is Ethernet SVI, address is 78da.6e09.f3bf (bia 78da.6e09.f3bf)
  Hardware is Ethernet SVI, address is 78da.6e09.f3bf (bia 78da.6e09.f3bf)
  Hardware is Ethernet SVI, address is 78da.6e09.f3bf (bia 78da.6e09.f3bf)

removed other ports up down from above output.

hmm..interesting. I see you have already open the TAC case for this...probably we will work on the TAC case to see if we are hitting any bug or known issue.

HTH

Regards

Inayath

Yes , i was just checking on forum if anybody came across similar issue 

Are your PortChannels "on" or negotiated?  It sounds like the sort of thing that can happen when one end of a link thinks it has a PortChannel and the other end does not.

Kevin Dorrell
Luxembourg

Hi Inayath,

Thanks for reply.

All the ports showing in logs are end user port , there is no cisco device in sh cdp ne , 

SH MAC ADDress-table INT GI5/2 

Multicast Entries
 vlan      mac address     type    ports
---------+---------------+-------+--------------------------------------------
  10      ffff.ffff.ffff   system Gi1/7,Gi1/9,Gi1/11,Gi1/22,Gi1/33,Gi1/47
                                  Gi2/7,Gi2/13,Gi2/15,Gi2/20,Gi2/29,Gi2/31
                                  Gi2/33,Gi2/37,Gi2/46,Gi2/48,Gi5/2,Gi5/24
                                  Gi5/28,Gi5/32,Gi5/34,Gi5/35,Gi5/37,Gi5/38
                                  Gi5/39,Gi5/40,Gi5/41,Gi5/42,Gi5/43,Gi5/44
                                  Gi5/47,Gi5/48,Gi6/2,Gi6/3,Gi6/4,Gi6/5,Gi6/6
                                  Gi6/11,Gi6/13,Gi6/15,Gi6/17,Gi6/19,Gi6/21
                                  Gi6/23,Gi6/29,Switch
  20      ffff.ffff.ffff   system Gi1/7,Gi1/9,Gi1/11,Gi1/22,Gi1/33,Gi1/47
                                  Gi2/7,Gi2/13,Gi2/15,Gi2/20,Gi2/29,Gi2/31
                                  Gi2/33,Gi2/37,Gi2/46,Gi2/48,Gi5/2,Gi5/24
                                  Gi5/28,Gi5/32,Gi5/34,Gi5/35,Gi5/37,Gi5/38
                                  Gi5/39,Gi5/40,Gi5/41,Gi5/42,Gi5/43,Gi5/44
                                  Gi5/47,Gi5/48,Gi6/2,Gi6/3,Gi6/4,Gi6/5,Gi6/6
                                  Gi6/11,Gi6/13,Gi6/15,Gi6/17,Gi6/19,Gi6/21
                                  Gi6/23,Gi6/29,Switch

GI5/2 is up , but not sure why not showing the Source MAC .

we are receiving these logs in all 4 LAN switches.