VRRP and strange %SW_MATM-4-MACFLAP_NOTIF

thomas.fayet
Level 1

Hello community ,

Please have a look at the PDF attached here.

I am seeing the following error popping up on kber1308 and kber1309, the two switches connected to my MPLS routers.

This design works in a primary/standby setup, the primary leg being kber1309/pber940.

Feb 17 12:38:17.697 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.5e00.010a in vlan 10 is flapping between port Gi0/7 and port Gi0/1

Gi0/7 is the interface connecting kber1309 to kber1308.

Gi0/1 is the interface going to the router PBER940.

The same design applies to the other "leg" of the network.

The MAC address 0000.5e00.010a is the MAC address of the virtual VRRP group I am sharing between the two routers.

# sh vrrp
GigabitEthernet0/0.10 - Group 10
  State is Master
  Virtual IP address is 10.25.128.116
  Virtual MAC address is 0000.5e00.010a

This address being the virtual MAC address of the VRRP group, I don't understand why I am seeing it flapping between both switches:

It seems that at some point the switches see the MAC address coming from the routers and then from the other switch, just as if an L2 loop were occurring, but the design does not loop in my case.

Please note that I am in the process of forcing the primary switch to be root bridge for VLAN 10; even though that is already the case, I prefer to force the election manually.

Any ideas are welcome.
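As an added example that is not part of the original post: a small Python triage script that parses %SW_MATM-4-MACFLAP_NOTIF lines and tells a plain host MAC move apart from a flapping first-hop-redundancy virtual MAC, which is the distinction that matters in this thread. It goes slightly beyond the post by also recognising the HSRP v1 and v2 virtual MAC ranges. The log lines in it are constructed (only the first is modelled on the message quoted above); the other MACs, VLANs and interface names are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample syslog lines (not taken from the original post). The first
# is modelled on the message quoted in the thread; the rest are invented to
# exercise the other classifications and a non-matching line.
SAMPLE_LOG = """\
Feb 17 12:38:17.697 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.5e00.010a in vlan 10 is flapping between port Gi0/7 and port Gi0/1
Feb 17 12:38:22.101 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.5e00.010a in vlan 10 is flapping between port Gi0/1 and port Gi0/7
Feb 17 12:38:40.512 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.0c07.ac05 in vlan 51 is flapping between port Gi0/7 and port Gi0/1
Feb 17 12:39:03.000 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.56ab.cd01 in vlan 950 is flapping between port Gi0/3 and port Gi0/4
Feb 17 12:39:05.000 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to down
"""

FLAP_RE = re.compile(
    r"%SW_MATM-4-MACFLAP_NOTIF: Host (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"in vlan (?P<vlan>\d+) is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)",
    re.IGNORECASE,
)


def classify_mac(mac: str) -> Tuple[str, Optional[int]]:
    """Classify a dotted Cisco MAC as a redundancy-protocol virtual MAC or a host.

    VRRP virtual MACs are 00-00-5E-00-01-{VRID} (RFC 3768). HSRP version 1 uses
    0000.0c07.acXX (group XX) and HSRP version 2 uses 0000.0c9f.fXXX (group XXX).
    """
    raw = mac.replace(".", "").lower()
    if raw.startswith("00005e0001"):
        return "vrrp", int(raw[10:], 16)
    if raw.startswith("00000c07ac"):
        return "hsrp-v1", int(raw[10:], 16)
    if raw.startswith("00000c9ff"):
        return "hsrp-v2", int(raw[9:], 16)
    return "host", None


def parse_flaps(log_text: str) -> List[dict]:
    """One record per MACFLAP_NOTIF line; every other syslog line is ignored."""
    records = []
    for line in log_text.splitlines():
        m = FLAP_RE.search(line)
        if not m:
            continue
        kind, group = classify_mac(m["mac"])
        records.append({
            "mac": m["mac"].lower(),
            "vlan": int(m["vlan"]),
            "ports": frozenset((m["p1"], m["p2"])),
            "kind": kind,
            "group": group,
        })
    return records


def summarise(records: List[dict]) -> Dict[Tuple[str, int], dict]:
    """Aggregate flaps per (MAC, VLAN) and attach a triage note.

    A host MAC flapping usually means a moved host or an L2 loop. A virtual
    gateway MAC flapping between a router-facing port and an inter-switch port
    means frames with that source MAC arrive from two directions: both routers
    are transmitting as master, or the frame is being looped back. It is not a
    host move, so the check belongs on the routers, not on the host ports.
    """
    summary: Dict[Tuple[str, int], dict] = {}
    for r in records:
        entry = summary.setdefault(
            (r["mac"], r["vlan"]),
            {"kind": r["kind"], "group": r["group"], "count": 0, "ports": set()},
        )
        entry["count"] += 1
        entry["ports"].update(r["ports"])
    for entry in summary.values():
        if entry["kind"] == "host":
            entry["note"] = "host MAC: look for a moved host or an L2 loop"
        else:
            entry["note"] = (
                f"{entry['kind']} group {entry['group']} virtual MAC seen on "
                f"{sorted(entry['ports'])}: verify exactly one router is master and "
                "that the group's hellos/advertisements reach both routers"
            )
    return summary


if __name__ == "__main__":
    for (mac, vlan), e in summarise(parse_flaps(SAMPLE_LOG)).items():
        print(f"{mac} vlan {vlan}: {e['count']} flap(s); {e['note']}")
```

Feed it the output of `show logging` (or a syslog collector export) and act only on entries whose kind is not "host"; those are the ones that point at a redundancy-group problem rather than at cabling.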

11 Replies

Peter Paluch
Cisco Employee

Hello Thomas,

Please double check whether in group 10, one of the routers is identified as VRRP Master while the other is identified as VRRP Backup. If both these routers are Masters then we have a problem in the cooperation of these two routers in VRRP, and that would also explain the error message you're seeing on your switches.

Common reasons for routers not cooperating in VRRP include:

  • Mismatched group number
  • Mismatched virtual IP of the group
  • Mismatched VRRP advertisement timer
  • Mismatched authentication
  • Problems in multicast communication/visibility between routers (VRRP uses 224.0.0.18)

Best regards,

Peter
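To make the checklist above concrete, here is an added example that is not from the original post or from Cisco: a Python decoder for VRRPv2 advertisements (RFC 3768; sent to 224.0.0.18 as IP protocol 112) that verifies the message checksum and then compares two decoded advertisements for exactly the mismatches listed (group number, virtual IP, advertisement interval, authentication). The packets are built inside the script rather than captured, so the IP and multicast layers are out of scope. The group, priorities and virtual IP are the ones from this thread; the 3 second timer in the mismatching packet is invented for illustration.

```python
import socket
import struct
from typing import List

VRRP_MCAST = "224.0.0.18"   # RFC 3768 advertisement destination
VRRP_PROTO = 112            # IP protocol number carrying VRRP


def vrrp_vmac(vrid: int) -> str:
    """Virtual MAC of a VRRP group in Cisco dotted notation: 0000.5e00.01XX."""
    return f"0000.5e00.01{vrid:02x}"


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, computed over the whole VRRP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_adv(vrid: int, priority: int, vips: List[str], adver_int: int = 1,
              auth_type: int = 0, auth_data: bytes = b"") -> bytes:
    """Encode a VRRPv2 ADVERTISEMENT (version 2, type 1).

    Only used here to construct sample messages; in practice parse_adv() would
    be fed the payload of a packet captured on the VLAN.
    """
    header = struct.pack("!BBBBBBH", (2 << 4) | 1, vrid, priority, len(vips),
                         auth_type, adver_int, 0)
    body = b"".join(socket.inet_aton(ip) for ip in vips)
    body += auth_data[:8].ljust(8, b"\x00")          # 8 bytes of auth data, zero padded
    pkt = header + body
    return pkt[:6] + struct.pack("!H", inet_checksum(pkt)) + pkt[8:]


def checksum_ok(pkt: bytes) -> bool:
    """A correctly checksummed message sums to zero when the field is included."""
    return inet_checksum(pkt) == 0


def parse_adv(pkt: bytes) -> dict:
    """Decode a VRRPv2 advertisement, rejecting wrong versions and bad checksums."""
    if len(pkt) < 16:
        raise ValueError("truncated VRRP message")
    vt, vrid, prio, count, auth_type, adver_int, _ = struct.unpack("!BBBBBBH", pkt[:8])
    if vt >> 4 != 2 or vt & 0xF != 1:
        raise ValueError(f"not a VRRPv2 advertisement (version/type byte 0x{vt:02x})")
    length = 8 + 4 * count + 8
    if len(pkt) < length:
        raise ValueError("count-ip-addrs field exceeds message length")
    if not checksum_ok(pkt[:length]):
        raise ValueError("bad VRRP checksum")
    return {
        "vrid": vrid,
        "priority": prio,
        "vips": [socket.inet_ntoa(pkt[8 + 4 * i:12 + 4 * i]) for i in range(count)],
        "auth_type": auth_type,
        "adver_int": adver_int,
        "auth_data": pkt[8 + 4 * count:length],
        "vmac": vrrp_vmac(vrid),
    }


def compare(a: dict, b: dict) -> List[str]:
    """Return the mismatches that stop two routers cooperating in one group."""
    issues = []
    if a["vrid"] != b["vrid"]:
        issues.append(f"group number mismatch: {a['vrid']} vs {b['vrid']}")
    if sorted(a["vips"]) != sorted(b["vips"]):
        issues.append(f"virtual IP mismatch: {a['vips']} vs {b['vips']}")
    if a["adver_int"] != b["adver_int"]:
        issues.append(f"advertisement timer mismatch: {a['adver_int']}s vs {b['adver_int']}s")
    if a["auth_type"] != b["auth_type"] or a["auth_data"] != b["auth_data"]:
        issues.append("authentication mismatch")
    return issues


if __name__ == "__main__":
    primary = parse_adv(build_adv(10, 110, ["10.25.128.116"]))     # values from the thread
    backup = parse_adv(build_adv(10, 100, ["10.25.128.116"]))
    print("consistent pair:", compare(primary, backup) or "no mismatches")
    odd = parse_adv(build_adv(10, 100, ["10.25.128.116"], adver_int=3))  # invented timer
    print("mismatching pair:", compare(primary, odd))
```

If both routers' advertisements decode cleanly and compare() is empty, the remaining item on the list is the multicast path: each router must actually receive the other's advertisements on 224.0.0.18, or both will time out the master and both will claim the virtual MAC.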

kcnajaf
Level 7

Hi Thomas,

Could you please share the configurations on kber1309 and kber1308? Also output of "show interface trunk" and "show cdp nei".

Regards

Najaf

Please rate when applicable or helpful !!!

Thanks for the quick replies.

Here is the show vrrp brief on both routers:

pcpt391#sh vrrp brief
Interface          Grp Pri Time  Own Pre State   Master addr     Group addr
Gi0/0.10           10  100 3609       Y  Backup  10.25.128.118   10.25.128.116

pcpt384#sh vrrp brief
Interface          Grp Pri Time  Own Pre State   Master addr     Group addr
Gi0/0.10           10  110 3570       Y  Master  10.25.128.118   10.25.128.116

And the "show interface trunk" and "show cdp nei" on both switches:

x1035#sh interfaces trunk
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       10,51,950

Port        Vlans allowed and active in management domain
Gi0/1       10,51,950

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       10,51,950

x1034#sh int trunk
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       10,51,99,950

Port        Vlans allowed and active in management domain
Gi0/1       10,51,99,950

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       10,51,99,950

x1035#sh cdp nei
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
x1034            Gig 0/7           141              S I   WS-C2960G Gig 0/7
x1034            Gig 0/8           141              S I   WS-C2960G Gig 0/8

x1034#sh cdp nei
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
x1035            Gig 0/7           178              S I   WS-C2960G Gig 0/7
x1035            Gig 0/8           178              S I   WS-C2960G Gig 0/8

thanks !

Hi Thomas,

I'm lost here :-( Where are you running this VRRP? What devices are these pcpt391, pcpt384, x1035 and x1034? I cannot see them on your diagram. It would help to get the running VRRP configuration.

Also it looks like you have two ports connected back to back between x1034 and x1035. Why are you not running EtherChannel to bundle these two ports?

Regards

Najaf

Please rate when applicable or helpful !!!

I gave the HLD for BER, but CPT and all the other locations are physically connected in the same way.

The VRRP config is here:

primary router:

interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.25.128.118 255.255.255.240
 vrrp 10 ip 10.25.128.116
 vrrp 10 priority 110
 vrrp 10 track 10 decrement 20

Secondary router:

interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.25.128.117 255.255.255.240
 vrrp 10 ip 10.25.128.116

No EtherChannel, as one port carries data and the other voice only.

rgds

T

Thomas,

Both routers would be sourcing frames from the virtual MAC address if they both thought they were the VRRP Master router. This can occur if there is a transient outage in the network, such as STP (re)convergence. What kind of STP are you running in your network?

Best regards,

Peter

We run PVST on our switch.

Hello Thomas,

Do you believe it would be possible to transition to RSTP / RPVST, and in addition, to configure the trunks towards routers using spanning-tree portfast trunk command?

It is a blind shot I admit, but considering the fact that STP is the one that actually causes blocking in networks, I would rather like to see that STP is not at the root of our problem.

Best regards,

Peter

Hello Peter .

I could do, but:

- This is a live environment

- I would also have to make sure the client switches are also moving away from the current STP config to the new RSTP config

Could you please tell me:

- where I can find the latest configuration best practices for RSTP?

- Is the migration from PVST to RPVST "painful"?

- Ideally, which STP feature shall I enable on which part of the link, given the PDF attached here?

If I summarise:

- Ensuring the spanning tree root and default (HSRP) gateway match for a set of VLANs. In my case the "primary" switch in the design

- Configure the Rapid-PVST+ Cisco enhancements

- Portfast + bpduguard on all port connections to end user workstations

- Else?

thanks

Hi Thomas,

- where I can find the latest configuration best practices for RSTP?

While not exactly best practice documents, I have nevertheless found these documents to be extremely helpful in understanding the intricacies of RSTP:

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_white_paper09186a0080094cfa.shtml

http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a00807b0670.shtml

- Is the migration from PVST to RPVST "painful"?

It will cause outages for up to 30 seconds for each switch that is moved from STP to RSTP. This can be indeed considered painful. Other than that, though, there are no significant caveats I am aware of. It is suggested to migrate beginning with access layer switches and proceeding deeper into the topology.

- Ideally, which STP feature shall I enable on which part of the link, given the PDF attached here?

  • PortFast on all access ports (global config: spanning-tree portfast default)
  • BPDU Guard on all PortFast-enabled ports (global config: spanning-tree portfast bpduguard default)
  • Loop Guard on all ports (global config: spanning-tree loopguard default)

Be especially careful if you are using access ports between switches - on these ports, you have to explicitly prohibit PortFast and BPDUGuard using interface-level commands spanning-tree portfast disable and spanning-tree bpduguard disable

Other than these, no specific features are called for.

- Ensuring the spanning tree root and default (HSRP) gateway match for a set of VLANs. In my case the "primary" switch in the design

Correct.

- Configure the Rapid-PVST+ Cisco enhancements

Correct, but it depends on what you mean by Cisco enhancements. If you are thinking about UplinkFast and BackboneFast, these mechanisms are proprietary to STP and they are already implemented in RSTP. You should not activate these - RSTP has its own support to achieve the same results.

- Portfast + bpduguard on all port connections to end user workstations

Correct.

- Else?

On the ports towards routers, use spanning-tree portfast trunk command. In addition, verify in the show spanning-tree on each switch that each link is identified as P2p (point-to-point). If any link is identified as Shr (shared), RSTP will not be capable of converging rapidly on that link.

Best regards,

Peter
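As an added example, not part of the original thread and not a Cisco tool: a Python audit of `show spanning-tree vlan 10` output that applies the checks recommended in this reply: the VLAN is running rstp rather than the ieee (PVST+) protocol, the intended switch is root, no port reports link type Shr, the router-facing trunk is an Edge port (spanning-tree portfast trunk), and no inter-switch port is Edge. The sample output is constructed in the layout IOS prints on a Catalyst 2960; the bridge MAC and port roles are invented, and the port groupings (Gi0/1 to the router, Gi0/7 and Gi0/8 between the switches) are taken from the thread.

```python
import re
from typing import List, Sequence

# Constructed sample (not from the thread), in the layout IOS uses for
# "show spanning-tree vlan 10" on a 2960 running Rapid-PVST+. The bridge
# address is invented; Gi0/8 is deliberately shown as a shared link.
SAMPLE_SHOW_STP = """\
VLAN0010
  Spanning tree enabled protocol rstp
  Root ID    Priority    24586
             Address     0019.aaaa.bbbb
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24586  (priority 24576 sys-id-ext 10)
             Address     0019.aaaa.bbbb
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Desg FWD 4         128.1    P2p Edge
Gi0/7               Desg FWD 4         128.7    P2p
Gi0/8               Desg FWD 4         128.8    Shr
"""

# One row of the interface table: name, role, state, cost, prio.nbr, type text.
PORT_RE = re.compile(
    r"^(?P<port>\S+)\s+(?P<role>Root|Desg|Altn|Back|Mstr)\s+(?P<sts>\w+)\s+"
    r"(?P<cost>\d+)\s+(?P<prio>[\d.]+)\s+(?P<type>.+?)\s*$"
)


def parse_show_stp(text: str) -> dict:
    """Pull the VLAN, protocol, root/bridge addresses and per-port link type."""
    result = {"vlan": None, "protocol": None, "is_root": False,
              "root_addr": None, "bridge_addr": None, "ports": {}}
    section = None
    for line in text.splitlines():
        m = re.match(r"^VLAN0*(\d+)", line)
        if m:
            result["vlan"] = int(m.group(1))
            continue
        m = re.search(r"Spanning tree enabled protocol (\w+)", line)
        if m:
            result["protocol"] = m.group(1)
            continue
        if line.strip().startswith("Root ID"):
            section = "root"
        elif line.strip().startswith("Bridge ID"):
            section = "bridge"
        m = re.search(r"Address\s+([0-9a-f.]+)", line)
        if m and section:
            result[f"{section}_addr"] = m.group(1)
            continue
        if "This bridge is the root" in line:
            result["is_root"] = True
            continue
        m = PORT_RE.match(line)
        if m:
            result["ports"][m["port"]] = {"role": m["role"], "state": m["sts"],
                                          "type": m["type"]}
    return result


def audit_stp(text: str, expect_root: bool, router_ports: Sequence[str],
              switch_ports: Sequence[str]) -> List[str]:
    """Apply the checks from this thread and return human-readable findings."""
    s = parse_show_stp(text)
    findings = []
    if s["protocol"] != "rstp":
        findings.append(f"VLAN {s['vlan']}: protocol is {s['protocol']}, not rstp (Rapid-PVST+)")
    if expect_root and not s["is_root"]:
        findings.append(f"VLAN {s['vlan']}: this switch is not root (root is {s['root_addr']})")
    for port, p in s["ports"].items():
        if "Shr" in p["type"]:
            findings.append(f"{port}: link type Shr, RSTP cannot converge rapidly here; "
                            "check duplex or set spanning-tree link-type point-to-point")
        if port in router_ports and "Edge" not in p["type"]:
            findings.append(f"{port}: router-facing trunk is not Edge; apply spanning-tree portfast trunk")
        if port in switch_ports and "Edge" in p["type"]:
            findings.append(f"{port}: inter-switch port is Edge; disable PortFast and BPDU Guard on it")
    return findings


if __name__ == "__main__":
    for f in audit_stp(SAMPLE_SHOW_STP, True, ("Gi0/1",), ("Gi0/7", "Gi0/8")) or ["no findings"]:
        print(f)
```

Run it on the primary switch with expect_root=True and on the secondary with expect_root=False; the same output after `spanning-tree mode rapid-pvst` should show the protocol as rstp, and any Shr line is the link that will still fall back to timer-based convergence.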

Thanks everyone for all the valuable inputs

Regards

T
