multiple mac addresses found in one interface

wuh
Level 1

hi, there,

We have many interfaces on our access layer switches. Each of them is connected to two devices, a phone and a computer. However, we found each of the interfaces with many MAC addresses, some of them even with hundreds. The devices are not servers, only workstations.

These MAC addresses are gone when we bounce the ports but eventually come back, and they don't have any entries in the ARP table.

Has anyone experienced this kind of issue?

Besides, we have Cisco NAC configured but it is not forced. I don't know whether this can cause the problem or not.

thanks,

20 Replies 20

amabdelh
Level 1

Can you provide the output of show mac address for any of these ports?

Sent from Cisco Technical Support iPhone App

Arunagiri Nallusamy
Cisco Employee

There are many reasons this issue could occur. One of the most common reasons is an L2 loop. Also, at times, if there is a patch panel between the switch and the end devices, there is a possibility that the MAC addresses could get bridged.

1. Could you enable mac move notifications in your switch? You could enable the same by issuing the command "mac-address-table notification mac-move" or "mac address-table notification mac-move" in the global configuration mode. Either of the commands will be supported as per the switch platform.

2. On enabling the mac-move notification, check your "show log" output to check if there are any MAC address flap logs.

3. Also, could you post the output of "show mac address-table interface x" or "show mac-address-table interface x"? X is the interface number. Collect the output of two or three such interfaces.

4. Is this issue observed for only one VLAN or multiple VLANs? In other words, do all the affected interfaces belong to a single voice and data VLAN or are they spread over multiple VLANs?

Please keep us posted.


Sent from Cisco Technical Support Android App

Here is an example of the show mac- results. On port g6/32, there are 4 MAC addresses; all of them are actually phantom MACs. They don't have any entry in the ARP table. The MAC addresses are from Cray Communications and I suspect it has something to do with the old IP phone.

switch #sh mac-address-table | i 0000.8

*  212  0000.8011.0323   dynamic  Yes        295   Gi6/32

*  211  0000.8011.0ed4   dynamic  Yes        235   Gi2/10

*  212  0000.8011.018e   dynamic  Yes        285   Gi6/32

*  212  0000.8011.f971   dynamic  Yes        220   Gi6/32

*  212  0000.8011.01ef   dynamic  Yes        285   Gi6/32

A couple of minutes later, when I do it again, only two of them come up and they are real.

switch#sh mac- int gi6/32

Active Supervisor:
*  212  88ae.1db1.d771   dynamic  Yes          0   Gi6/32
*  218  000a.e402.5eb9   dynamic  Yes         35   Gi6/32

Because this happens on many of the ports and switches with a very large MAC table, it has caused the switches to go down many times.

Also, I think it might not be related to moving MAC addresses around, because of the number of MACs and the time it lasts.

thanks, Han

Are these ports access ports or trunks?

See the port config, thanks,

#sh run int gi6/32
Building configuration...

Current configuration : 650 bytes
!
interface GigabitEthernet6/32
description User_Port
switchport
switchport access vlan 212
switchport mode access
switchport voice vlan 218
speed auto 10 100
authentication event fail action next-method
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication periodic
authentication timer reauthenticate server
authentication violation replace
snmp trap mac-notification change added
no snmp trap link-status
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast edge
spanning-tree bpduguard enable
service-policy input QOS-ACL-CLASSIFY-policy
end

This is really weird, the same host is sending different MAC addresses belonging to different vendors!!

000080  Cray Communications A/S (was: Dowty Network Services
88AE1D  COMPAL INFORMATION(KUNSHAN)CO.,LTD
000AE4  Wistron Corporation

If only the PC or the IP phone is connected, do you see the same behavior? One of these devices is flooding all these MAC addresses, and this is not expected.
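
An added example (not part of any post in this thread): a small Python parser for the two `show mac address-table` layouts posted here. It counts learned MACs per port, flags ports holding more than the expected two (phone plus PC), and labels them by OUI using the three vendor prefixes quoted above. The function names, the `max_macs` threshold and the sample (rows copied from the thread's outputs and combined into one input) are assumptions of this example.

```python
import re
from collections import defaultdict

# OUI prefixes and vendor names as listed in the reply above.
OUI_VENDORS = {
    "000080": "Cray Communications A/S",
    "88AE1D": "COMPAL INFORMATION(KUNSHAN)CO.,LTD",
    "000AE4": "Wistron Corporation",
}

# Matches both layouts posted in this thread: the "*  212  <mac>  dynamic  Yes  295  Gi6/32"
# form and the " 100  <mac>  STATIC  Fa0/14" form. Prompts and headers do not match.
ROW = re.compile(
    r"(?i)^\s*\*?\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<type>\w+)\s+.*?(?P<port>[A-Za-z]+\d+(?:/\d+)+)\s*$"
)

def parse_mac_table(text):
    """Return {port: [(vlan, mac, oui), ...]} from 'show mac address-table' text."""
    ports = defaultdict(list)
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            mac = m["mac"].lower()
            oui = mac.replace(".", "")[:6].upper()
            ports[m["port"]].append((int(m["vlan"]), mac, oui))
    return dict(ports)

def flag_ports(ports, max_macs=2):
    """Report ports holding more MACs than expected (assumed: phone + PC = 2)."""
    report = {}
    for port, rows in ports.items():
        if len(rows) > max_macs:
            vendors = sorted({OUI_VENDORS.get(o, "unknown OUI " + o) for _, _, o in rows})
            report[port] = {"count": len(rows), "vendors": vendors}
    return report

# Sample input: rows copied from the outputs posted in this thread, combined here.
SAMPLE = """\
switch #sh mac-address-table | i 0000.8
*  212  0000.8011.0323   dynamic  Yes        295   Gi6/32
*  211  0000.8011.0ed4   dynamic  Yes        235   Gi2/10
*  212  0000.8011.f971   dynamic  Yes        220   Gi6/32
*  212  0000.8011.01ef   dynamic  Yes        285   Gi6/32
*  212  88ae.1db1.d771   dynamic  Yes          0   Gi6/32
 100    0023.249b.c4f8    STATIC      Fa0/14
"""

print(flag_ports(parse_mac_table(SAMPLE)))
```

Run against a full table capture, the per-port count and vendor mix show at a glance which access ports carry addresses that neither the phone nor the PC should own.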

Amjad,

This only happened with a specific type of phone connected, as far as I know. And from our ISE, I see a lot of unknown MAC addresses, starting with Cray Communications.

Besides, the TCAM is running out of the mask part sometimes; I suspect it is a result of these phantom MACs.

thanks,

Han

I have never seen this with IP phones, but I would recommend checking the phones and the PC; make sure the PC is not doing any MAC spoofing.

Regards

I have seen faulty phones looping back all frames and causing huge flooding.

Hi

Did you manage to find the solution for your issue?

I am having the same issue with one of my customers.

Hi,

Sorry to move up this post. We got the same issue (maybe worse): we see multiple MAC addresses on all interfaces where an IP phone is connected (SW -> IP phone -> PC).

This problem appears not only on one switch but on a lot of them, on different VLANs and at multiple distant sites.

We got security violations because we only allow 3 MAC addresses. Here is an example of interfaces (the MAC address changes on the data VLAN):

HODSWI054#              sh mac address-table | in 0/14
 100    0023.249b.c4f8    STATIC      Fa0/14
 100    c89c.dc70.1e4c    STATIC      Fa0/14
 200    e05f.b979.4672    STATIC      Fa0/14
HODSWI054#              sh mac address-table | in 0/8
 100    0023.246d.3868    STATIC      Fa0/8
 100    0023.248d.f214    STATIC      Fa0/8
 200    e05f.b979.76d1    STATIC      Fa0/8
HODSWI054#              sh mac address-table | in 0/43
 100    0023.24ab.f644    STATIC      Fa0/43
 100    c89c.dc70.1d8f    STATIC      Fa0/43
 200    e05f.b979.786d    STATIC      Fa0/43
HODSWI054#

On our core switch we got VLAN flapping too:

000266: Sep  7 08:26:25.445 MET: %C4K_EBM-4-HOSTFLAPPING: Host C8:9C:DC:70:1E:5B in vlan 108 is flapping between port Gi7/4 and port Po1
000267: Sep  7 08:29:53.783 MET: %C4K_EBM-4-HOSTFLAPPING: Host 00:23:24:6D:38:64 in vlan 96 is flapping between port Gi6/3 and port Po1
000268: Sep  7 08:33:03.530 MET: %C4K_EBM-4-HOSTFLAPPING: Host C8:9C:DC:70:1D:8F in vlan 100 is flapping between port Po1 and port Gi8/3

 

It seems we see on the interfaces the MAC address of PCs connected to other IP phones.

We put the command "mac address-table notification mac-move" in the global configuration, but there is nothing in the "show logg" output.

Please help us.

Regards,

fabrice

Jean Matthew
Level 1

Hi wuh,

Have you found where the issue was?

Thanks

Anouar_network
Level 1
Hello wuh,
Did you find the solution? I'm facing the same issue.
Thank you

Hello Guys,

It seems there has not been any solution regarding the below issue. I recently started experiencing the same issue and would like your input.

I have a single interface being violated by numerous MAC addresses... This interface has a single camera connected to it.

Please see attached error logs for this issue.
