and floods the frame out of all other ports. When B replies the MAC address table becomes:<\/p>\n
Port\t\tHost\r\n0\/1\t\taaaa\r\n0\/2\t\tbbbb<\/span><\/pre>\nand the switch forwards the frame to port 0\/1 \u2013 there is no need to flood now since the location of A is known.<\/p>\n
If the switch were to then receive a frame on port 0\/2 with a source MAC address of aaaa, there would be clash and the switch would log something like this:<\/p>\n
1664321: Nov 14 11:18:16 UTC: %MAC_MOVE-SP-4-NOTIF:\r\nHost aaaa.aaaa.aaaa in vlan A is flapping between\r\nport 0\/1 and port 0\/2<\/span><\/pre>\nand the MAC address-table would become:<\/p>\n
Port\t\tHost\r\n0\/1\r\n0\/2\t\tbbbb\r\n0\/2\t\taaaa<\/span><\/pre>\nWhat happens when B tries to send A a frame now? The switch won\u2019t flood the frame as it knows a destination and it won\u2019t send the frame back down the link \u2013 it gets dropped.<\/p>\n
Lab time…<\/h2>\n
Let\u2019s see if we can mimic this. This isn’t an easy thing to replicate so please forgive the artificial nature of the lab. I configured a switch with three hosts directly connected on VLAN 30. The hosts could ping each other and the MAC address-table was as follows:<\/p>\n
\r\n3750-1#show mac address-table dynamic vlan 30\r\n Mac Address Table\r\n-------------------------------------------\r\n\r\nVlan Mac Address Type Ports\r\n---- ----------- -------- -----\r\n 30 0008.7c82.5409 DYNAMIC Fa1\/0\/1\r\n 30 001a.2f22.d0c2 DYNAMIC Fa1\/0\/2\r\n 30 0024.97f0.3a70 DYNAMIC Fa1\/0\/3\r\nTotal Mac Addresses for this criterion: 3\r\n<\/span><\/pre>\nHost A had an IP of 192.168.30.1 and was on port 1. Host B was 192.168.30.30 and on port 2. Host C was 192.168.30.254 and on port 3.<\/p>\n
So, ping with host A:<\/p>\n
Host A# ping 192.168.30.254\r\nType escape sequence to abort.\r\nSending 5, 100-byte ICMP Echos to 192.168.30.254,\r\ntimeout is 2 seconds:\r\n!!!!!\r\nSuccess rate is 100 percent (5\/5),\r\nround-trip min\/avg\/max = 1\/201\/1000 ms\r\n<\/span><\/pre>\nPing with host B:<\/p>\n
Host B#ping 192.168.30.254\r\n\r\nType escape sequence to abort.\r\nSending 5, 100-byte ICMP Echos to 192.168.30.254,\r\ntimeout is 2 seconds:\r\n!!!!!\r\nSuccess rate is 100 percent (5\/5),\r\nround-trip min\/avg\/max = 1\/2\/8 ms<\/span><\/pre>\nNext I manually set host A to have the same MAC address as host B (001a.2f22.d0c2). The results? Host B lost connectivity for a few seconds.<\/p>\n
Host A# int vlan 30\r\nHost A(config-if)# mac-address 001a.2f22.d0c2\r\nHost A# ping 192.168.30.254\r\nType escape sequence to abort.\r\nSending 5, 100-byte ICMP Echos to 192.168.30.254,\r\ntimeout is 2 seconds:\r\n.....\r\nSuccess rate is 0 percent (0\/5)<\/span><\/pre>\nHere is the switch mac address table after the clone:<\/p>\n
3750-1#show mac address-table dynamic vlan 30\r\n Mac Address Table\r\n-------------------------------------------\r\n\r\nVlan\u00a0\u00a0\u00a0 Mac Address\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Type\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Ports\r\n----\u00a0\u00a0\u00a0 -----------\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 --------\u00a0\u00a0\u00a0 -----\r\n 30\u00a0\u00a0\u00a0 0008.7c82.5409\u00a0\u00a0\u00a0 DYNAMIC\u00a0\u00a0\u00a0\u00a0 Fa1\/0\/1\r\n 30\u00a0\u00a0\u00a0 001a.2f22.d0c2\u00a0\u00a0\u00a0 DYNAMIC\u00a0\u00a0\u00a0\u00a0 Fa1\/0\/1<\/strong>\r\n 30\u00a0\u00a0\u00a0 0024.97f0.3a70\u00a0\u00a0\u00a0 DYNAMIC\u00a0\u00a0\u00a0\u00a0 Fa1\/0\/3\r\nTotal Mac Addresses for this criterion: 3\r\n3750-1#\r\n*Mar 17 04:22:02.620: %SW_MATM-4-MACFLAP_NOTIF:\r\nHost 001a.2f22.d0c2 in vlan 30 is flapping between\r\nport Fa1\/0\/2 and port Fa1\/0\/1\r\n3750-1#<\/span><\/pre>\nHere is what happened to Host B:<\/p>\n
Host B#ping 192.168.30.254\r\n\r\nType escape sequence to abort.\r\nSending 5, 100-byte ICMP Echos to 192.168.30.254,\r\ntimeout is 2 seconds:\r\n.....\r\nSuccess rate is 0 percent (0\/5)\r\nHost B#ping 192.168.30.254\r\n\r\nType escape sequence to abort.\r\nSending 5, 100-byte ICMP Echos to 192.168.30.254,\r\ntimeout is 2 seconds:\r\n!!!!!\r\nSuccess rate is 100 percent (5\/5),\r\nround-trip min\/avg\/max = 1\/2\/8 ms\r\nHost B#ping 192.168.30.254\r\n\r\nType escape sequence to abort.\r\nSending 5, 100-byte ICMP Echos to 192.168.30.254,\r\ntimeout is 2 seconds:\r\n.!!!!\r\nSuccess rate is 80 percent (4\/5),\r\nround-trip min\/avg\/max = 1\/1\/1 ms\r\n<\/span><\/pre>\nYes, this is the same impact you would have if two hosts had the same MAC on your network – there is a reason they need to be unique!<\/p>\n
What does all this mean?<\/h2>\n
When you have an annexe VLAN [1] the backbone can be thought of as a series of Layer 2 switches for that VLAN. The ‘Broadcast Domain’ stretches over the entire Backbone. This means the CPU of every host (including our core switches) on a VLAN will receive every broadcast from every other host – this is not ideal but the only way we can offer the same subnet at multiple sites in this generation of the backbone. Another term sometimes used is ‘Failure Domain’. That is, a failure in part of the VLAN could impact the entire core. It is because of this risk to other units that we are keen to make sure annexe VLANs are tightly managed.<\/p>\n
[1] These are known as Layer 2 end-to-end VLANs as there is no routing involved. We have called them ‘switched’ VLANs in the past. VLANs with a Layer 3 interface or SVI on the backbone are known as Layer 3 Routed VLANs.<\/p>\n
To return to the the issues MAC flaps will cause on your network, each switch in the backbone has a MAC address-table for your VLAN. If for some reason your MAC addresses appear from different locations you will get dropped packets and our logs will fill up with messages which cause issues when we raise a support case with Cisco as our network appears to have loops.<\/p>\n
What could cause it?<\/h2>\n
There are two or three common causes that we see.<\/p>\n
\n- Local loops<\/li>\n
- NAC<\/li>\n
- Wireless<\/li>\n<\/ol>\n
1. Local Loops<\/h3>\n
If you don’t run STP then you are far more likely to suffer from network loops. Here are a couple of resources: STP is your friend<\/a> and Implementing Spanning Tree<\/a>. The issue with an annexe VLAN is that a local loop is no longer so local and could cause problems everywhere, both for you and others.<\/p>\n2. NAC<\/h3>\n
There is a legitimate but ill-advised network design which can cause issues. If you have a L2 NAC which forces all traffic through itself then it is possible that a frame will need to leave site A, get switched through to site B only to return to site A, all with the same MAC address. See the image below. I’ve represented the Backbone as one red switch and the ingress and egress ports as tunnel entrances and exits. This design mustn’t be used with the current generation of the backbone.<\/p>\n
![\"\"](\"http:\/\/blogs-new.it.ox.ac.uk\/networks\/files\/2011\/02\/IMG_01211-300x154.jpg\")
<\/a>NAC issue<\/p><\/div>\n
3. Wireless<\/h3>\n
We used to run OWL and eduroam (Phase 1) over two VLANs which spanned the entire core. Due to the issues I’ve mentioned we changed this last year. Now the VLANs are local to the FroDos and routed through the core. Prior to doing this it was possible to roam from access points connected to different FroDos and cause MAC flaps.<\/p>\n
What should I do next?<\/h2>\n
We’re going to keep an eye on the logs and will let Units know if they are causing MAC flaps. We’ll work with you as far as possible to locate the source of the issue and get things stable. If you aren’t yet running STP please can I urge you do consider doing so. The new backbone is still some years off so for the good of everyone we need to work together to reduce this. For units which cannot resolve this we may need to look at reverting to a fully routed connection, with each Annexe having its own subnet.<\/p>\n
Do get in touch if you have any questions.<\/p>\n","protected":false},"excerpt":{"rendered":"
What is a MAC Flap? A MAC Flap is caused when a switch receives packets from two different interfaces with the same source MAC address. If this makes no sense, perhaps a\u00a0 quick summary of how switching at layer 2 … Continue reading