MAC Flapping

Hi,

Got this log entry, repeated many times.

Connectivity is between access switches (2950) and a firewall (HA, active/passive). Please find the attached file.

.Nov 29 22:: %SW_MATM-4-MACFLAP_NOTIF: Host xxx9.xx09.0003 in vlan 2 is flapping between port Gi1/0/24 and port Gi1/0/22
.Nov 29 22:: %SW_MATM-4-MACFLAP_NOTIF: Host xxx9.xx09.0003 in vlan 4 is flapping between port Gi1/0/9 and port Gi1/0/22
.Nov 29 23:: %SW_MATM-4-MACFLAP_NOTIF: Host xxx9.xx09.0003 in vlan 3 is flapping between port Gi1/0/22 and port Gi1/0/24
.NOv 29 23:: %SW_MATM-4-MACFLAP_NOTIF: Host xxx9.xx09.0003 in vlan 4 is flapping between port Gi1/0/22 and port Gi1/0/9

2960S-SW2

.Nov 29 23:: %SW_MATM-4-MACFLAP_NOTIF: Host 0009.0f09.0003 in vlan 2 is flapping between port Gi1/0/12 and port Gi1/0/24
.Nov 29 23:: %SW_MATM-4-MACFLAP_NOTIF: Host 0009.0f09.0003 in vlan 3 is flapping between port Gi1/0/24 and port Gi1/0/10

Thanks

 

8 Replies

Georg Pauwen (VIP Master)

Hello,

This usually indicates some sort of a network loop. What is connected to these three ports?

Hi,

(1) ciscoSw1 port 9 === vlan 4 (access port) == DellSw1 port 45 (access port) (vlan 4 STP blocked port on ciscoSw1-24)

(2) ciscoSw2 port 12 == vlan 2 (access port) == DellSw1 port 48 (access port)

(3) ciscoSw2 port 9 == vlan 4 (access port) == DellSw2 port 45 (access port)

(4) ciscoSw2 port 10 == vlan 3 (access port) == DellSw2 port 48 (access port)

"The MAC address OUI 0009.0f is for Fortinet. Is this the mac address of one of the firewalls?"
HA uses virtual MAC addresses.

Thanks

TheChosenOne (Beginner)

Hi,

Do you have Access Points connected to those ports?

Cheers,

Neo

Hi,
That's your firewall MAC flapping, so it's not legit traffic from a wireless device moving about.
That's a Fortinet OUI MAC when I check it.
Are there STP changes occurring at L2?

Matt Delony (Cisco Employee)

The MAC address OUI 0009.0f is for Fortinet. Is this the MAC address of one of the firewalls?

The switch is reporting that a packet with the listed source MAC address has ingressed on a port, but that the MAC address was dynamically learned on a different port. Sometimes this can be a symptom of a switching loop, but not always.

I looked at the outputs you attached. It looks like packets with the Fortinet source MAC are coming in from G1/0/9, G1/0/12, and G1/0/10, which connect to the Dell switches. I would recommend checking the Dell switches to make sure they are not participating in a switching loop.
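To make the "which port is the MAC expected on, and where else is it showing up" question answerable from the syslog alone, here is an added example (not from this thread or from Cisco) that parses %SW_MATM-4-MACFLAP_NOTIF lines, groups them by MAC, VLAN and port pair, and reports the port common to most flaps. The sample log is the first switch's four lines from the original post with the redacted MAC replaced by the one logged on 2960S-SW2; the OUI table only contains the Fortinet prefix named above.

```python
import re
from collections import Counter

# Constructed sample: the four MACFLAP lines the original post shows for the first
# switch, with the redacted host MAC replaced by the one logged on 2960S-SW2.
SAMPLE_LOG = """\
.Nov 29 22:: %SW_MATM-4-MACFLAP_NOTIF: Host 0009.0f09.0003 in vlan 2 is flapping between port Gi1/0/24 and port Gi1/0/22
.Nov 29 22:: %SW_MATM-4-MACFLAP_NOTIF: Host 0009.0f09.0003 in vlan 4 is flapping between port Gi1/0/9 and port Gi1/0/22
.Nov 29 23:: %SW_MATM-4-MACFLAP_NOTIF: Host 0009.0f09.0003 in vlan 3 is flapping between port Gi1/0/22 and port Gi1/0/24
.Nov 29 23:: %SW_MATM-4-MACFLAP_NOTIF: Host 0009.0f09.0003 in vlan 4 is flapping between port Gi1/0/22 and port Gi1/0/9
"""

FLAP_RE = re.compile(
    r"%SW_MATM-4-MACFLAP_NOTIF: Host (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"in vlan (?P<vlan>\d+) is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)",
    re.IGNORECASE,
)
# OUI table: only the vendor named in the thread; extend from the IEEE registry as needed.
OUI_VENDORS = {"0009.0f": "Fortinet"}

def parse_flaps(text):
    """One dict per notification; the port pair is sorted so A/B and B/A count as one pair."""
    flaps = []
    for line in text.splitlines():
        m = FLAP_RE.search(line)
        if m:
            pair = tuple(sorted((m["p1"], m["p2"])))
            flaps.append({"mac": m["mac"].lower(), "vlan": int(m["vlan"]), "ports": pair})
    return flaps

def vendor_of(mac):
    """Look up the first three bytes (the OUI) of a Cisco dotted-hex MAC."""
    return OUI_VENDORS.get(mac[:7].lower(), "unknown")

def summarize(flaps):
    """Flaps per (mac, vlan, port pair), and how often each port is involved."""
    per_pair = Counter((f["mac"], f["vlan"], f["ports"]) for f in flaps)
    per_port = Counter(p for f in flaps for p in f["ports"])
    return per_pair, per_port

def common_port(flaps):
    """Port in the most flaps: usually the expected path (uplink); the others are where the MAC also arrives."""
    per_port = summarize(flaps)[1]
    return per_port.most_common(1)[0][0] if per_port else None

if __name__ == "__main__":
    flaps = parse_flaps(SAMPLE_LOG)
    for (mac, vlan, (a, b)), n in sorted(summarize(flaps)[0].items()):
        print(f"{mac} ({vendor_of(mac)}) vlan {vlan}: {a} <-> {b} x{n}")
    print("port common to most flaps:", common_port(flaps))
```

On the sample, Gi1/0/22 appears in every notification while Gi1/0/9 and Gi1/0/24 alternate, which is the pattern to expect when one port is the legitimate path and the others are where the same source MAC is looping back in.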

 
"The MAC address OUI 0009.0f is for Fortinet. Is this the mac address of one of the firewalls?"
HA uses virtual MAC addresses.

"I looked at the outputs you attached. It looks like packets with fortinet source mac are coming in from G1/0/9, G1/0/12, and G1/0/10, which connect to the Dell switches. I would recommend checking the Dell switches to make sure they are not participating in a switching loop."
Yes, not participating in a switching loop (Dell switches are stacked).

(1) ciscoSw1 port 9 === vlan 4 (access port) == DellSw1 port 45 (access port) (vlan 4 STP blocked port on ciscoSw1-24)

(2) ciscoSw2 port 12 == vlan 2 (access port) == DellSw1 port 48 (access port)

(3) ciscoSw2 port 9 == vlan 4 (access port) == DellSw2 port 45 (access port)

(4) ciscoSw2 port 10 == vlan 3 (access port) == DellSw2 port 48 (access port)

Thanks

 

Thanks for the additional info.

I think the Dell switches need to be checked based on what I've seen so far. Ideally we wouldn't want to see a packet from the firewall coming back into the 2960 switches from the Dell switches. This may mean that somehow a packet from the firewall is going to a Dell switch and then coming back from the Dell switch.

Maybe you can check if the Dell switches support a MAC-move notification? If they support it, maybe you can turn it on and see if there are any MAC flaps on the Dell switches.

paul driver (VIP Expert)

Hello

The reason looks like your access switchports on both sw1 and sw2 are going straight into a forwarding state when connecting to the Dell switches, and these have become STP root ports for vlan 2/3/4, thus creating the loop.

Sw1 has STP root ports for vlans (1-2-3) towards sw2
Sw1 has STP root port for vlan (4) on port 9

Sw2 has STP root ports for vlans (2-3-4) towards the Dells (port 12 - vlan 2, port 10 - vlan 3, port 9 - vlan 4)

Can see what your Dells are doing, but I am assuming they are completing the loop back to sw1.

Suggest:
1) set your STP priorities so that sw1-sw2 are STP primary/secondary
2) apply STP bpduguard on the connecting Dell access-ports and remove portfast if need be
3) check your Dell switches so that their access-ports don't become trunks

res
Paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community's global network.

Kind Regards
Paul