we have many interfaces on our access layer switches, each of them are connected with two devices, a phone and a computer, how ever, we found each of the interfaces with many mac addresses, some of them even with hundreds. The devices are not servers, only workstations.
these mac addresses are gone when we bounce the ports but eventually come back. and they dont have any entris in the ARP table.
any one expereinced this kind of issue?
Besides we have cisco NAC configured but are not forced. dont know whether this can cause the problem or not
There are many ressons this issue could occur. One of the mpst common reason is a L2 loop. Also at times if there is a patch panel in between the switch and the end devices, there is a possibility that the MAC addresses could get bridged.
1. Could you enable mac move notifications in your switch? You could enable the same by issuing the command "mac-address-table notification mac-move" or "mac address-table notification mac-move" in the global configuration mode. Either of the commands will be supported as per the switch platform.
2. On enabling the mac-move notification, check your "show log" output to check if there are any MAC address flap logs.
3. Also, could you post the output of "show mac address-table interface x" or "show mac-address-table interface x". X is the interfsce number. Collect the output of two or three such interfaces?
4. Is this issue observed for only one VLAN or multiple VLAN's? In other words, are all the affected interfaces belong to a single voice and data VLAN or are they spread over multiple VLAN's?
Please keep us posted.
Sent from Cisco Technical Support Android App
Here is a example of the show mac- results. on port g6/32, there are 4 mac addresses, all of them are actually phantom macs. they dont have any entry in the arp table. the mac addresses are from Cray Communications and i suppect it has somethinng to do with the old IP phone.
switch #sh mac-address-table | i 0000.8
* 212 0000.8011.0323 dynamic Yes 295 Gi6/32
* 211 0000.8011.0ed4 dynamic Yes 235 Gi2/10
* 212 0000.8011.01 8e dynamic Yes 285 Gi6/32
* 212 0000.8011.f971 dynamic Yes 220 Gi6/32
* 212 0000.8011.01ef dynamic Yes 285 Gi6/32
after a couple of minutes later, when i do it again, only two of them come up and they are real.
switch#sh mac- int gi6/32
* 212 88ae.1db1.d771 dynamic Yes 0 Gi6/32
* 218 000a.e402.5eb9 dynamic Yes 35 Gi6/32
because this happens in many of the ports and switches with a very large mac table, it's caused the switches down for many times.
also, i think it might not be related to moving mac addresses around, because of the numbers of the mac and the timeit lasts.
See the port confi, thanks,
#sh run int gi6/32
Current configuration : 650 bytes
switchport access vlan 212
switchport mode access
switchport voice vlan 218
speed auto 10 100
authentication event fail action next-method
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication timer reauthenticate server
authentication violation replace
snmp trap mac-notification change added
no snmp trap link-status
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast edge
spanning-tree bpduguard enable
service-policy input QOS-ACL-CLASSIFY-policy
This is really weird, same host is sending differemtn mac address belong to different vendors!!
|000080||Cray Communications A/S (was: Dowty Network Services|
If only the PC or the IP phone is connected, do you see the same behavior? one of these devices is flooding all these mac addresses, and this is not expected
The only happened with specific type of phone connected, as far as i know. and from our ISE, I see a lot of Unknown mac-address, starting with Cray communicatins.
Besides the TCam is running out of Mask part sometimes, i suspect, it is a results of these phantom macs.
I never seen this with IP Phones, but I would recommend to check the phones and the PC, make sure the PC is not doing any mac spoofing.
sorry to move up this post. We got the same issue(maybe worst) , we see multiple mac address on all interface where an IP phone is connected (SW-> IP phone-> PC)
this probleme appear not only in one switch but on lot of them , on different VLAN and on multiple distant site.
We got security violation because we only allow 3 mac adress, here an example of interfaces(the mac address change on the data vlan) :
HODSWI054# sh mac address-table | in 0/14
100 0023.249b.c4f8 STATIC Fa0/14
100 c89c.dc70.1e4c STATIC Fa0/14
200 e05f.b979.4672 STATIC Fa0/14
HODSWI054# sh mac address-table | in 0/8
100 0023.246d.3868 STATIC Fa0/8
100 0023.248d.f214 STATIC Fa0/8
200 e05f.b979.76d1 STATIC Fa0/8
HODSWI054# sh mac address-table | in 0/43
100 0023.24ab.f644 STATIC Fa0/43
100 c89c.dc70.1d8f STATIC Fa0/43
200 e05f.b979.786d STATIC Fa0/43
on our Core switch we got vlan flapping too :
000266: Sep 7 08:26:25.445 MET: %C4K_EBM-4-HOSTFLAPPING: Host C8:9C:DC:70:1E:5B in vlan 108 is flapping between port Gi7/4 and port Po1
000267: Sep 7 08:29:53.783 MET: %C4K_EBM-4-HOSTFLAPPING: Host 00:23:24:6D:38:64 in vlan 96 is flapping between port Gi6/3 and port Po1
000268: Sep 7 08:33:03.530 MET: %C4K_EBM-4-HOSTFLAPPING: Host C8:9C:DC:70:1D:8F in vlan 100 is flapping between port Po1 and port Gi8/3
seems we see on interfaces the mac address of the PC connected to other IP phones
we put on the global configuration the command "mac address-table notification mac-move" but nothing on the "show logg"
please help us