3741 Views, 10 Helpful, 8 Replies

MAC Flapping

Hi,

Got this log entry, repeated many times. Connectivity: between access switches (2950) and the firewall (HA, active/passive). Please find the attached file.

.Nov 29 22:: %SW_MATM-4-MACFLAP_NOTIF: Host xxx9.xx09.0003 in vlan 2 is flapping between port Gi1/0/24 and port Gi1/0/22
.Nov 29 22:: %SW_MATM-4-MACFLAP_NOTIF: Host xxx9.xx09.0003 in vlan 4 is flapping between port Gi1/0/9 and port Gi1/0/22
.Nov 29 23:: %SW_MATM-4-MACFLAP_NOTIF: Host xxx9.xx09.0003 in vlan 3 is flapping between port Gi1/0/22 and port Gi1/0/24
.Nov 29 23:: %SW_MATM-4-MACFLAP_NOTIF: Host xxx9.xx09.0003 in vlan 4 is flapping between port Gi1/0/22 and port Gi1/0/9

2960S-SW2

.Nov 29 23:: %SW_MATM-4-MACFLAP_NOTIF: Host 0009.0f09.0003 in vlan 2 is flapping between port Gi1/0/12 and port Gi1/0/24
.Nov 29 23:: %SW_MATM-4-MACFLAP_NOTIF: Host 0009.0f09.0003 in vlan 3 is flapping between port Gi1/0/24 and port Gi1/0/10

Thanks

8 Replies
VIP Mentor

Hello,

This usually indicates some sort of a network loop. What is connected to these three ports?

Hi,

(1) ciscoSw1 port 9 === vlan 4 (access port) == DellSw1 port 45 (access port) (vlan 4 STP blocked port on ciscoSw1-24)
(2) ciscoSw2 port 12 == vlan 2 (access port) == DellSw1 port 48 (access port)
(3) ciscoSw2 port 9 == vlan 4 (access port) == DellSw2 port 45 (access port)
(4) ciscoSw2 port 10 == vlan 3 (access port) == DellSw2 port 48 (access port)

"The MAC address OUI 0009.0f is for Fortinet. Is this the mac address of one of the firewalls?" HA uses virtual MAC addresses.

Thanks

Beginner

Hi,

Do you have access points connected to those ports?

Cheers,
Neo


Hi,

That's your firewall MAC flapping, so it's not legit traffic from a wireless device moving about. That's a Fortinet OUI MAC when I check it. Are there STP changes occurring at L2?

Cisco Employee

The MAC address OUI 0009.0f is for Fortinet. Is this the MAC address of one of the firewalls?

The switch is reporting that a packet with the listed source MAC address has ingressed on a port, but that the MAC address was dynamically learned on a different port. Sometimes this can be a symptom of a switching loop, but not always.

I looked at the outputs you attached. It looks like packets with the Fortinet source MAC are coming in on G1/0/9, G1/0/12, and G1/0/10, which connect to the Dell switches. I would recommend checking the Dell switches to make sure they are not participating in a switching loop.
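The explanation above (a frame arrives on one port while the MAC is already learned on another) and the later suggestion to look for MAC-move notifications can both be checked offline against a syslog export. The script below is an added example, not code from this thread or from Cisco: the sample lines are constructed after the messages posted above (timestamps and the second MAC are made up), the vendor table holds only the 0009.0f OUI named in the thread, and the "suspect_loop" rule is a stated triage heuristic (one MAC flapping across several VLANs between a fixed port and others points to a duplicated L2 path rather than one host roaming within a single VLAN), not an IOS feature.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines patterned on the MACFLAP_NOTIF messages in this
# thread (timestamps and the second MAC are made up; the thread masks its own).
SAMPLE_LOG = """\
Nov 29 22:10:01: %SW_MATM-4-MACFLAP_NOTIF: Host 0009.0f09.0003 in vlan 2 is flapping between port Gi1/0/24 and port Gi1/0/22
Nov 29 22:10:03: %SW_MATM-4-MACFLAP_NOTIF: Host 0009.0f09.0003 in vlan 4 is flapping between port Gi1/0/9 and port Gi1/0/22
Nov 29 23:01:17: %SW_MATM-4-MACFLAP_NOTIF: Host 0009.0f09.0003 in vlan 3 is flapping between port Gi1/0/22 and port Gi1/0/24
Nov 29 23:01:19: %SW_MATM-4-MACFLAP_NOTIF: Host 0009.0f09.0003 in vlan 4 is flapping between port Gi1/0/22 and port Gi1/0/9
Nov 29 23:05:00: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/5, changed state to up
Nov 29 23:07:42: %SW_MATM-4-MACFLAP_NOTIF: Host aabb.cc00.0101 in vlan 10 is flapping between port Gi1/0/3 and port Gi1/0/4
"""

FLAP_RE = re.compile(
    r"%SW_MATM-4-MACFLAP_NOTIF: Host (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"in vlan (?P<vlan>\d+) is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)",
    re.IGNORECASE,
)

# Only the OUI named in the thread is listed; anything else reports as "unknown".
OUI_NAMES = {"0009.0f": "Fortinet"}


def oui(mac):
    """First 24 bits of a Cisco-format MAC: '0009.0f09.0003' -> '0009.0f'."""
    return mac.lower()[:7]


def parse_flaps(text):
    """Return one event dict per MACFLAP_NOTIF line; other syslog lines are ignored."""
    events = []
    for line in text.splitlines():
        m = FLAP_RE.search(line)
        if not m:
            continue
        # Sort the two ports so (A,B) and (B,A) count as the same pair.
        pair = tuple(sorted((m["p1"], m["p2"])))
        events.append({"mac": m["mac"].lower(), "vlan": int(m["vlan"]), "ports": pair})
    return events


def summarize(events, min_count=2):
    """Aggregate flaps per MAC and apply a triage heuristic (assumption: one MAC
    flapping across several VLANs between a fixed port and others points to a
    duplicated L2 path, whereas a single host moving shows up in one VLAN)."""
    by_mac = defaultdict(lambda: {"count": 0, "vlans": set(), "pairs": Counter()})
    for e in events:
        s = by_mac[e["mac"]]
        s["count"] += 1
        s["vlans"].add(e["vlan"])
        s["pairs"][e["ports"]] += 1
    report = {}
    for mac, s in by_mac.items():
        ports = sorted({p for pair in s["pairs"] for p in pair})
        # Port(s) present in every reported pair: the side the MAC is normally learned on.
        common = sorted(set.intersection(*(set(pair) for pair in s["pairs"])))
        report[mac] = {
            "vendor": OUI_NAMES.get(oui(mac), "unknown"),
            "count": s["count"],
            "vlans": sorted(s["vlans"]),
            "ports": ports,
            "common_port": common,
            "suspect_loop": s["count"] >= min_count and len(s["vlans"]) > 1,
        }
    return report


if __name__ == "__main__":
    for mac, r in summarize(parse_flaps(SAMPLE_LOG)).items():
        print(mac, r)
```

On the constructed input the Fortinet MAC is reported in VLANs 2, 3 and 4 with Gi1/0/22 in every pair and Gi1/0/24 or Gi1/0/9 as the other side, which is the pattern the thread is discussing; the second MAC flaps once in a single VLAN and is left unflagged. Feed the script a real `show logging` export and compare the "common_port" with the port the firewall is actually cabled to; the other ports in the list are where the duplicate copies of its frames are entering.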

 

 


"The MAC address OUI 0009.0f is for Fortinet. Is this the mac address of one of the firewalls?" HA uses virtual MAC addresses.

"I looked at the outputs you attached. It looks like packets with the Fortinet source MAC are coming in on G1/0/9, G1/0/12, and G1/0/10, which connect to the Dell switches. I would recommend checking the Dell switches to make sure they are not participating in a switching loop." Yes, they are not participating in a switching loop (the Dell switches are stacked).

(1) ciscoSw1 port 9 === vlan 4 (access port) == DellSw1 port 45 (access port) (vlan 4 STP blocked port on ciscoSw1-24)
(2) ciscoSw2 port 12 == vlan 2 (access port) == DellSw1 port 48 (access port)
(3) ciscoSw2 port 9 == vlan 4 (access port) == DellSw2 port 45 (access port)
(4) ciscoSw2 port 10 == vlan 3 (access port) == DellSw2 port 48 (access port)

Thanks

 


Thanks for the additional info.

I think the Dell switches need to be checked based on what I've seen so far. Ideally we wouldn't want to see a packet from the firewall coming back into the 2960 switches from the Dell switches. This may mean that somehow a packet from the firewall is going to a Dell switch and then coming back from the Dell switch.

Maybe you can check if the Dell switches support a MAC-move notification? If they do, maybe you can turn it on and see if there are any MAC flaps on the Dell switches.

VIP Mentor

Hello,

The reason looks like your access switchports on both sw1 and sw2 are going straight into a forwarding state when connecting to the Dell switches, and these have become STP root ports for vlan 2/3/4, thus creating the loop.

Sw1 has STP root ports for vlans 1-2-3 towards sw2.
Sw1's STP root port for vlan 4 is port 9.

Sw2 has STP root ports for vlans 2-3-4 towards the Dells (port 12 - vlan 2, port 10 - vlan 3, port 9 - vlan 4).

Can't see what your Dells are doing, but I am assuming they are completing the loop back to sw1.

Suggest:
1) Set your STP priorities so that sw1-sw2 are STP primary/secondary.
2) Apply STP BPDU guard on the connecting Dell access ports, and remove portfast if need be.
3) Check your Dell switches so that their access ports don't become trunks.

Kind regards,
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future.