Mac Flapping

JohnD2
Level 1

I've gone through the posts made here and can't seem to find anything quite like our issue. We've been noticing network slowdowns and seeing messages in the logs of our core switch (C9300 stack) that look like this:

Dec 22 17:22:24.775: %SW_MATM-4-MACFLAP_NOTIF: Host 3800.25f9.8f0d in vlan 1 is flapping between port Te1/1/8 and port Po1
Dec 22 17:18:24.693: %SW_MATM-4-MACFLAP_NOTIF: Host 3800.25f9.8f0d in vlan 1 is flapping between port Te1/1/8 and port Po1
Dec 22 17:14:20.775: %SW_MATM-4-MACFLAP_NOTIF: Host fc44.822b.768b in vlan 1 is flapping between port Te1/1/8 and port Po1
Dec 22 17:12:24.769: %SW_MATM-4-MACFLAP_NOTIF: Host 3800.25f9.8f0d in vlan 1 is flapping between port Te1/1/8 and port Po1
Dec 22 17:08:55.633: %SW_MATM-4-MACFLAP_NOTIF: Host 3800.25f9.8f0d in vlan 1 is flapping between port Te1/1/8 and port Po1
Dec 22 17:08:24.363: %SW_MATM-4-MACFLAP_NOTIF: Host 3800.25f9.8f0d in vlan 1 is flapping between port Te1/1/8 and port Po1
Dec 22 17:07:39.434: %SW_MATM-4-MACFLAP_NOTIF: Host 7c50.79ab.5572 in vlan 1 is flapping between port Te1/1/8 and port Po1
Dec 22 17:06:57.535: %SW_MATM-4-MACFLAP_NOTIF: Host 3800.25f9.8f0d in vlan 1 is flapping between port Te1/1/8 and port Po1
Dec 22 17:06:52.234: %SW_MATM-4-MACFLAP_NOTIF: Host dc41.a949.db35 in vlan 1 is flapping between port Te1/1/8 and port Po1
Dec 22 17:06:38.856: %SW_MATM-4-MACFLAP_NOTIF: Host 3800.25f9.8f0d in vlan 1 is flapping between port Te1/1/8 and port Po1

Port Te1/1/8 is the link to a Fortigate 100F which acts as a gateway to our ISP. Po1 is the aggregated link to the access switch (C9200 stack).

 

I understand that MAC flapping like this usually suggests there is an L2 loop in the topology, but there are no physical loops here. After digging into this further, all of the MAC addresses listed above are associated with the wireless NICs on wifi-enabled devices. Checking the logs on the access stack shows messages like:

Dec 22 17:36:37.866: %SW_MATM-4-MACFLAP_NOTIF: Host dc41.a949.db35 in vlan 1 is flapping between port Po1 and port Gi1/0/36
Dec 22 17:37:16.327: %SW_MATM-4-MACFLAP_NOTIF: Host 3800.25f9.8f0d in vlan 1 is flapping between port Po1 and port Gi1/0/33

Again, Po1 is the aggregated link between the C9200 stack and the C9300 stack. Ports Gi1/0/33 and Gi1/0/36 are connected to two of our access points (FortiAPs).

Interface configs:

interface Port-channel1
description "Aggregated link to Access Stack"
switchport trunk allowed vlan 1,10
switchport mode trunk
!
interface TenGigabitEthernet1/1/8
description "XG Link to Firewall Private"
switchport mode access
end
!
interface GigabitEthernet1/0/33
description "*** Access Point"
switchport trunk allowed vlan 1,10
switchport mode trunk
!
interface GigabitEthernet1/0/36
description "*** Access Point"
switchport trunk allowed vlan 1,10
switchport mode trunk

I feel like this is a pretty simplistic setup. It makes sense that the C9200s should see these MAC addresses coming from the access ports and the C9300 should see them coming from Po1. What doesn't make sense to me is how they are flapping from the opposite direction without there being a loop. Has anyone else seen this? Thanks to everyone in advance if you have any suggestions.
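To make triage of logs like the ones above repeatable, here is a small parser added as an example (it is not from the original thread or from Cisco): it counts %SW_MATM-4-MACFLAP_NOTIF events per MAC and per port pair and flags any MAC flapping on a port where client MACs are not expected. The sample lines are constructed in the format quoted above, and the assumption that wireless-client MACs should only reach the core via Po1 is the poster's own topology, passed in as a parameter.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format of the core-switch (C9300) lines quoted above,
# plus one unrelated line to show that non-MACFLAP messages are ignored.
SAMPLE_LOG = """\
Dec 22 17:22:24.775: %SW_MATM-4-MACFLAP_NOTIF: Host 3800.25f9.8f0d in vlan 1 is flapping between port Te1/1/8 and port Po1
Dec 22 17:18:24.693: %SW_MATM-4-MACFLAP_NOTIF: Host 3800.25f9.8f0d in vlan 1 is flapping between port Te1/1/8 and port Po1
Dec 22 17:14:20.775: %SW_MATM-4-MACFLAP_NOTIF: Host fc44.822b.768b in vlan 1 is flapping between port Te1/1/8 and port Po1
Dec 22 17:07:39.434: %SW_MATM-4-MACFLAP_NOTIF: Host 7c50.79ab.5572 in vlan 1 is flapping between port Te1/1/8 and port Po1
Dec 22 17:06:52.234: %SW_MATM-4-MACFLAP_NOTIF: Host dc41.a949.db35 in vlan 1 is flapping between port Te1/1/8 and port Po1
Dec 22 17:06:38.856: %SW_MATM-4-MACFLAP_NOTIF: Host 3800.25f9.8f0d in vlan 1 is flapping between port Te1/1/8 and port Po1
Dec 22 17:06:30.001: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/5, changed state to up
"""

FLAP_RE = re.compile(r"%SW_MATM-4-MACFLAP_NOTIF: Host (?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}) "
                     r"in vlan (?P<vlan>\d+) is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)")

def parse_flaps(text):
    """Yield (mac, vlan, (port_a, port_b)) for each MACFLAP_NOTIF line; the port pair is sorted
    so 'Te1/1/8 and Po1' and 'Po1 and Te1/1/8' count as the same pair."""
    for line in text.splitlines():
        m = FLAP_RE.search(line)
        if m:
            yield m["mac"], int(m["vlan"]), tuple(sorted((m["p1"], m["p2"])))

def summarize(text):
    """Flap counts per MAC and per port pair: the pair shows where the reflection sits,
    the per-MAC count shows which hosts are hit most."""
    per_mac, per_pair = Counter(), Counter()
    for mac, _vlan, pair in parse_flaps(text):
        per_mac[mac] += 1
        per_pair[pair] += 1
    return per_mac, per_pair

def unexpected_learning(text, expected_ports):
    """Map each MAC to the flapping ports NOT in expected_ports. In the thread above,
    wireless-client MACs should only reach the core via Po1 (assumption from the poster's
    topology), so any hit on Te1/1/8, the firewall's access port, is the anomaly to chase."""
    hits = defaultdict(set)
    for mac, _vlan, pair in parse_flaps(text):
        hits[mac].update(p for p in pair if p not in expected_ports)
    return {mac: ports for mac, ports in hits.items() if ports}

if __name__ == "__main__":
    per_mac, per_pair = summarize(SAMPLE_LOG)
    print("flaps per port pair:", dict(per_pair), "per MAC:", dict(per_mac))
    for mac, ports in unexpected_learning(SAMPLE_LOG, {"Po1"}).items():
        print(f"{mac} learned on unexpected port(s): {sorted(ports)}")
```

Feed it the output of `show logging` from either stack; on the access stack the expected set would be the AP ports plus Po1, so a MAC flagged there points at the uplink direction instead.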

3 Replies

Wifi user MAC flapping is normal: the user connects to and disconnects from one AP after another, and each of these APs connects to a different switch, so you see the MAC learned on this switch and then the same MAC learned from the trunk or the other switch.

I appreciate the response. I would agree that normally this behavior would make sense. But in this case it doesn't make sense. In the core switch the MAC addresses are coming from interface Po1 (the access switch, which makes sense) and also from interface Te1/1/8 (the firewall, which doesn't make sense). No other interface on the firewall is connected to vlan 1. What I'm saying is it doesn't make sense that the firewall would be broadcasting packets originating from devices that should be connected to the access switch.

I'm sorry if I didn't express that as clearly before.

Does that make sense?

Rich R
VIP

Has somebody accidentally enabled proxy ARP on the firewall, maybe?
