01-29-2018 08:38 AM - edited 03-08-2019 01:36 PM
Hello,
I am new to the Support Community, I joined to try and get some help resolving an ongoing issue with set of distribution level Cisco Catalyst 3850-24XS switches setup in a ring topology.
Running rapid-pvst and I have verified that the VLANs are in a blocking state on the switch it is configured to. I am however seeing a rather strange MAC flapping event in the logs. Which shows as the following
Jan 29 03:39:41: %SW_MATM-4-MACFLAP_NOTIF: Host 004f.fc00.0000 in vlan 1 is flapping between port Te1/0/1 and port Te1/0/2
Jan 29 03:55:14: %SW_MATM-4-MACFLAP_NOTIF: Host 004f.fc00.0000 in vlan 1 is flapping between port Te1/0/1 and port Te1/0/2
Jan 29 03:58:10: %SW_MATM-4-MACFLAP_NOTIF: Host 0051.3300.0000 in vlan 1 is flapping between port Te1/0/1 and port Te1/0/2
Jan 29 04:00:44: %SW_MATM-4-MACFLAP_NOTIF: Host 0052.a900.0000 in vlan 1 is flapping between port Te1/0/1 and port Te1/0/2
I have tried following the mac-address table to identify the source but I am unable to identify the device, or configuration causing this because of the MAC address format ending in 0000.
Vlan 1 is in a administrative down state, but it seems the trunk ports between the switches were setup using native vlan 1.
Has anyone seen something like this before?
02-21-2018 12:19 PM
Bump. Any help?
02-21-2018 12:37 PM
Hello Thomas,
If I do a vendor lookup on those macs, they don't return anything which is very strange. Have you tried to do a capture for these packets to see what they are? It seems strange that only packets with strange macs are flapping and not "valid" traffic. It is possible the L2 headers of same packets are being corrupted or there is something on your network talking in a non-standard protocol. Either way, I would try to capture these packets to get a better understanding of what is going on.
Hope that helps!
02-21-2018 01:44 PM - edited 02-21-2018 01:47 PM
Hello Thomas,
It's hard to say what exactly is going on without more information. I haven't personally seen this problem before.
Here's what the information you presented is telling me:
If I were troubleshooting the issue, I would check the following outputs:
My goal would be to get a good idea of the current state of STP topology. Which interfaces are supposed be forwarding and which are supposed to be blocking, if any. I would check for any STP instability. Am I getting excessive TCN's? Is one of the interfaces going from blocking to forwarding when it shouldn't?
I would check the trunking status. What vlans we are passing across the trunks. Also, can I see the offending MAC addresses in MAC address table for VLAN 1?
I would also attempt packet capture on ingress of trunks. If it can't capture the desired traffic, then I would attempt to capture on the other end of the link (i.e. from the device connecting to the trunks), and see if I can capture the offending traffic which is being sent towards 3850.
02-21-2018 02:11 PM
Hello Matt,
Thanks for the detailed response.
As you and Bradley mention the MAC addresses do not resolve to a vendor and do not seem like valid addresses. Which is very confusing to me and is not something I have seen before either.
In response to your questions.
I will work to capture the traffic on these ports maybe that will provide some insight here. Also I am not sure if the number of TCN's on the trunks is abnormal or not.
08-25-2021 09:27 PM
I am encountering this exact issue, did you find a resolution?
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide