MAC Flapping

JohnD2
Frequent Visitor

I've gone through the posts made here and can't seem to find anything quite like our issue. We've been noticing network slowdowns and seeing messages in the logs of our core switch (C9300 stack) that look like this:

Dec 22 17:22:24.775: %SW_MATM-4-MACFLAP_NOTIF: Host 3800.25f9.8f0d in vlan 1 is flapping between port Te1/1/8 and port Po1
Dec 22 17:18:24.693: %SW_MATM-4-MACFLAP_NOTIF: Host 3800.25f9.8f0d in vlan 1 is flapping between port Te1/1/8 and port Po1
Dec 22 17:14:20.775: %SW_MATM-4-MACFLAP_NOTIF: Host fc44.822b.768b in vlan 1 is flapping between port Te1/1/8 and port Po1
Dec 22 17:12:24.769: %SW_MATM-4-MACFLAP_NOTIF: Host 3800.25f9.8f0d in vlan 1 is flapping between port Te1/1/8 and port Po1
Dec 22 17:08:55.633: %SW_MATM-4-MACFLAP_NOTIF: Host 3800.25f9.8f0d in vlan 1 is flapping between port Te1/1/8 and port Po1
Dec 22 17:08:24.363: %SW_MATM-4-MACFLAP_NOTIF: Host 3800.25f9.8f0d in vlan 1 is flapping between port Te1/1/8 and port Po1
Dec 22 17:07:39.434: %SW_MATM-4-MACFLAP_NOTIF: Host 7c50.79ab.5572 in vlan 1 is flapping between port Te1/1/8 and port Po1
Dec 22 17:06:57.535: %SW_MATM-4-MACFLAP_NOTIF: Host 3800.25f9.8f0d in vlan 1 is flapping between port Te1/1/8 and port Po1
Dec 22 17:06:52.234: %SW_MATM-4-MACFLAP_NOTIF: Host dc41.a949.db35 in vlan 1 is flapping between port Te1/1/8 and port Po1
Dec 22 17:06:38.856: %SW_MATM-4-MACFLAP_NOTIF: Host 3800.25f9.8f0d in vlan 1 is flapping between port Te1/1/8 and port Po1

Port Te1/1/8 is the link to a FortiGate 100F, which acts as the gateway to our ISP. Po1 is the aggregated link to the access switch (C9200 stack).

I understand that MAC flapping like this usually suggests there is an L2 loop in the topology, but there are no physical loops here. After digging into this further, all of the MAC addresses listed above are associated with the wireless NICs on Wi-Fi enabled devices. Checking the logs on the access stack shows messages like:

Dec 22 17:36:37.866: %SW_MATM-4-MACFLAP_NOTIF: Host dc41.a949.db35 in vlan 1 is flapping between port Po1 and port Gi1/0/36
Dec 22 17:37:16.327: %SW_MATM-4-MACFLAP_NOTIF: Host 3800.25f9.8f0d in vlan 1 is flapping between port Po1 and port Gi1/0/33

Again, Po1 is the aggregated link between the C9200 stack and the C9300 stack. Ports Gi1/0/33 and Gi1/0/36 are connected to two of our access points (FortiAPs). 

 

Interface configs:

C9300 core stack:

interface Port-channel1
 description "Aggregated link to Access Stack"
 switchport trunk allowed vlan 1,10
 switchport mode trunk
!
interface TenGigabitEthernet1/1/8
 description "XG Link to Firewall Private"
 switchport mode access
!

C9200 access stack:

interface GigabitEthernet1/0/33
 description "*** Access Point"
 switchport trunk allowed vlan 1,10
 switchport mode trunk
!
interface GigabitEthernet1/0/36
 description "*** Access Point"
 switchport trunk allowed vlan 1,10
 switchport mode trunk
!

I feel like this is a pretty simplistic setup. It makes sense that the C9200s should be seeing these MAC addresses coming from the access ports and the C9300 should be seeing them coming from Po1. What doesn't make sense to me is how they are flapping from the opposite direction without there being a loop. Has anyone else seen this? Thanks to everyone in advance if you have any suggestions.
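
To make the two log sets above checkable rather than eyeballed, here is an added example (not from the post, not Cisco or Fortinet code) that parses %SW_MATM-4-MACFLAP_NOTIF lines, summarises which port pairs flap and how many distinct MACs ride on each pair, and flags any MAC learned on a port where end-host MACs are not expected. The MACFLAP sample lines are copied from the post; the %LINK-3-UPDOWN line and the final ACCESS_LOG line (a roam between the two AP ports) are constructed to exercise the noise filter and the benign-roam case. The per-switch `client_ports` sets (core: only Po1; access: Po1 plus the two AP ports) are assumptions drawn from the post's description of the topology, not something the switches report.

```python
import re
from collections import Counter, defaultdict

# Sample input. The MACFLAP lines are copied from the post; the %LINK-3-UPDOWN line in
# CORE_LOG and the last ACCESS_LOG line (a roam between the two AP ports) are constructed
# to exercise the noise filter and the benign-roam case.
CORE_LOG = """\
Dec 22 17:22:24.775: %SW_MATM-4-MACFLAP_NOTIF: Host 3800.25f9.8f0d in vlan 1 is flapping between port Te1/1/8 and port Po1
Dec 22 17:18:24.693: %SW_MATM-4-MACFLAP_NOTIF: Host 3800.25f9.8f0d in vlan 1 is flapping between port Te1/1/8 and port Po1
Dec 22 17:14:20.775: %SW_MATM-4-MACFLAP_NOTIF: Host fc44.822b.768b in vlan 1 is flapping between port Te1/1/8 and port Po1
Dec 22 17:10:00.000: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/12, changed state to down
Dec 22 17:07:39.434: %SW_MATM-4-MACFLAP_NOTIF: Host 7c50.79ab.5572 in vlan 1 is flapping between port Te1/1/8 and port Po1
Dec 22 17:06:52.234: %SW_MATM-4-MACFLAP_NOTIF: Host dc41.a949.db35 in vlan 1 is flapping between port Te1/1/8 and port Po1
"""
ACCESS_LOG = """\
Dec 22 17:36:37.866: %SW_MATM-4-MACFLAP_NOTIF: Host dc41.a949.db35 in vlan 1 is flapping between port Po1 and port Gi1/0/36
Dec 22 17:37:16.327: %SW_MATM-4-MACFLAP_NOTIF: Host 3800.25f9.8f0d in vlan 1 is flapping between port Po1 and port Gi1/0/33
Dec 22 17:38:02.110: %SW_MATM-4-MACFLAP_NOTIF: Host 3800.25f9.8f0d in vlan 1 is flapping between port Gi1/0/33 and port Gi1/0/36
"""

FLAP_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): %SW_MATM-4-MACFLAP_NOTIF: "
    r"Host (?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}) in vlan (?P<vlan>\d+) "
    r"is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)$"
)


def parse_flaps(text):
    """Parse MACFLAP_NOTIF lines; other syslog lines are ignored.
    The port pair is stored as a sorted tuple so (A, B) and (B, A) collapse together."""
    events = []
    for line in text.splitlines():
        m = FLAP_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": m["ts"],
            "mac": m["mac"].lower(),
            "vlan": int(m["vlan"]),
            "ports": tuple(sorted((m["p1"], m["p2"]))),
        })
    return events


def pair_summary(events):
    """Map (vlan, port pair) -> (event count, number of distinct MACs)."""
    counts = Counter()
    macs = defaultdict(set)
    for e in events:
        key = (e["vlan"], e["ports"])
        counts[key] += 1
        macs[key].add(e["mac"])
    return {k: (counts[k], len(macs[k])) for k in counts}


def unexpected_sources(events, client_ports):
    """MACs that were learned on a port outside client_ports.
    client_ports is the (assumed) set of ports on this switch that should legitimately
    source end-host MACs: downlinks to access switches and AP ports. Any other port that
    shows up in a flap for a host MAC is the side of the flap to investigate."""
    bad = defaultdict(set)
    for e in events:
        for port in e["ports"]:
            if port not in client_ports:
                bad[port].add(e["mac"])
    return {p: sorted(m) for p, m in bad.items()}


def multi_mac_pairs(summary, min_macs=3):
    """Port pairs over which several different MACs flap. A single roaming client moves
    one MAC at a time; many MACs on the same pair points at a loop or a bridged path."""
    return sorted(k for k, (_, n) in summary.items() if n >= min_macs)


if __name__ == "__main__":
    # Assumed per-switch sets of ports where client MACs are expected, per the post:
    # on the core only Po1; on the access stack Po1 and the two AP ports.
    for name, log, client_ports in (
        ("core C9300", CORE_LOG, {"Po1"}),
        ("access C9200", ACCESS_LOG, {"Po1", "Gi1/0/33", "Gi1/0/36"}),
    ):
        ev = parse_flaps(log)
        summ = pair_summary(ev)
        print(f"== {name}: {len(ev)} flap events")
        for (vlan, ports), (n, distinct) in sorted(summ.items()):
            print(f"  vlan {vlan} {ports[0]} <-> {ports[1]}: {n} events, {distinct} MACs")
        print("  multi-MAC pairs:", multi_mac_pairs(summ))
        print("  unexpected sources:", unexpected_sources(ev, client_ports))
```

Run against the post's lines, the core report flags Te1/1/8 as the unexpected source for all four wireless MACs and marks the Po1/Te1/1/8 pair as a multi-MAC pair, while the access report is clean: every port in its flaps is one where client MACs are expected. The distinct-MAC count is the useful discriminator, since a roaming client only ever flaps its own MAC.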

3 Replies

Wi-Fi user MAC flapping is normal: the user connects and disconnects from one AP to another, and each of these APs is connected to a different switch, so you see the MAC learned on this switch and then the same MAC learned from the trunk or the other switch.

I appreciate the response. I would agree that normally this behavior would make sense, but in this case it doesn't. In the core switch the MAC addresses are coming from interface Po1 (the access switch, which makes sense) and also from interface Te1/1/8 (the firewall, which doesn't make sense). No other interface on the firewall is connected to VLAN 1. What I'm saying is it doesn't make sense that the firewall would be broadcasting packets originating from devices that should be connected to the access switch.

I'm sorry if I didn't express that as clearly before.

Does that make sense?

Rich R
VIP

Has somebody accidentally enabled proxy ARP on the firewall maybe?
