Friday, October 18, 2013

MAC Flapping detection

By default, the command mac address-table notification mac-move is not configured on a 4k5. This command permits to detect a MAC flapping with a log message (see below generated logs):

#mac address-table notification mac-move

Jul  9 08:12:26.707: %C4K_EBM-4-HOSTFLAPPING: Host A4:CA:DB:48:05:B0 in vlan 50 is moving from port Gi2/16 to port Gi2/18
Jul  9 08:12:28.111: %C4K_EBM-4-HOSTFLAPPING: Host A4:CA:DB:48:05:B0 in vlan 50 is moving from port Gi2/18 to port Gi2/16
Jul  9 08:12:28.499: %C4K_EBM-4-HOSTFLAPPING: Host A4:CA:DB:48:05:B0 in vlan 50 is moving from port Gi2/16 to port Gi2/18
Jul  9 08:12:28.519: %C4K_EBM-4-HOSTFLAPPING: Host A4:CA:DB:48:05:B0 in vlan 50 is moving from port Gi2/18 to port Gi2/16

If this command is not configured you will certainly detect the MAC flapping with a high CPU (if it's monitored!). When you detect a CPU peak, it's not trivial to detect the root cause. To determine whether it's a MAC flapping you can use the following command


C4510#show platform health
                                     %CPU   %CPU    RunTimeMax   Priority  Average %CPU  Total
                                     Target    Actual  Target Actual    Fg   Bg 5Sec Min Hour  CPU
RkiosObflMan                     0.50   0.00      4      0  100  500    0   0    0  51:24
GalChassisVp-review           3.00   0.11     10     40  100  500    0   0    0  1260:27
S2w-JobEventSchedule      10.00   0.90     10      8  100  500    1   1    1  15025:10
...
K5L3Unicast Adj Chan         2.00   0.00     15      1  100  500    0   0    0  12:14
K5L3Unicast Adj Tabl         2.00  11.07     15     11  100  500    6   7    5  55618:52
K5L3AdjStatsMan Revi        2.00   0.15     10     11  100  500    0   0    0  3972:07
...
K5 L2 Unicast Addres          2.00   0.00     20     10  100  500    0   0    0  0:18
K5 L2 Multicast Addr           2.00   0.00     20      0  100  500    0   0    0  0:08
K5 L2 Hardware Addre       2.00  15.06     20     14  100  500   11  12    7  88117:09

As seen above, 2 variables are abnormally high:
  • K5L3Unicast Adj Tabl: due to the ARP table refresh. a new MAC address is permanently associated to an IP address.
  • K5 L2 Hardware Addre : the relation MAC/physical interface is also permanently refreshed.

To be sure, enter the command mac address-table notification mac-move and check the logs messages.
Posted by at
Labels: , , ,

1 comment:

  1. UnknownOctober 21, 2013 at 9:30 AM

    The problem is more aggressive configurations is that sometimes, the systems guys connect a server to two different switches and then configure bonding/NIC teaming in aggregation mode instead of active-backup mode.

    Thanks
    Silvester Norman

    Changing MAC Address

    ReplyDelete

Subscribe to: Post Comments (Atom)