MAC address table instability can impact a switch's performance and, on lower-end switches, cause high CPU utilisation that may impact other functions. Cisco switches can generate a syslog entry when they see a MAC address flap between ports, but it's not enabled by default. Some NX-OS platforms actually temporarily disable MAC address table updates if a certain number of MAC address flaps occur within a set timeframe: https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/nx-os-software/213906-nexus-9000-mac-move-troubleshooting-and.html
The different switch platforms generate slightly different syslog messages, but the common factor is they all have MAC_MOVE in the text for NX-OS, or MACFLAP or HOSTFLAP for IOS / IOS XE. So I created an alert in Splunk to match these keywords in the last hour's log entries.
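The same keyword match, sketched outside Splunk as an added example (not the author's alert or search): it counts matching messages per device over the last hour. The collector line layout, device names and sample messages are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Keywords the post names: MAC_MOVE (NX-OS), MACFLAP / HOSTFLAP (IOS / IOS XE).
FLAP_RE = re.compile(r"MAC_MOVE|MACFLAP|HOSTFLAP")
# Assumed collector layout: "<ISO-8601 UTC timestamp> <device> <message>".
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")

# Constructed, simplified sample lines (not captured from real devices).
SAMPLE_LOG = """\
2021-04-29T09:05:11Z sw-access-01 %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 10 is flapping between port Gi1/0/1 and port Gi1/0/2
2021-04-29T10:20:41Z sw-access-01 %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 10 is flapping between port Gi1/0/1 and port Gi1/0/2
2021-04-29T10:20:55Z sw-access-01 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/7, changed state to up
2021-04-29T10:31:02Z n9k-core-01 %L2FM-4-L2FM_MAC_MOVE: Mac 0000.aaaa.bbbb in vlan 20 has moved from Po1 to Eth1/3
2021-04-29T10:31:09Z n9k-core-01 %L2FM-4-L2FM_MAC_MOVE: Mac 0000.aaaa.bbbb in vlan 20 has moved from Eth1/3 to Po1
2021-04-29T10:44:30Z sw-dist-02 %C4K_EBM-4-HOSTFLAPPING: Host 00:11:22:33:44:66 in vlan 30 is flapping between port Gi2/1 and port Gi2/2
"""

def flap_counts(log_text, now, window=timedelta(hours=1)):
    """Count flap messages per device with timestamps in (now - window, now]."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or malformed line
        stamp, device, message = m.groups()
        try:
            when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            continue  # first field is not a timestamp in the assumed format
        if now - window < when <= now and FLAP_RE.search(message):
            counts[device] += 1
    return counts

def devices_to_alert(log_text, now, threshold=1):
    """Devices whose flap count in the last hour meets the threshold."""
    return sorted(d for d, n in flap_counts(log_text, now).items() if n >= threshold)

if __name__ == "__main__":
    now = datetime(2021, 4, 29, 11, 0, tzinfo=timezone.utc)
    for device, n in sorted(flap_counts(SAMPLE_LOG, now).items()):
        print(f"{device}: {n} MAC flap message(s) in the last hour")
```

Raising `threshold` above 1 separates a single MAC move, such as a roaming host, from sustained flapping on one device.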
Commands
IOS / IOS XE:
mac address-table notification mac-move
N3K:
mac address-table notification mac-move
logging level fwm 6
logging monitor 6
N4K:
mac address-table notification mac-move
logging level fwm 6
logging monitor 6
N5K / N6K:
mac address-table notification mac-move
logging level fwm 6
logging monitor 6
N7K / N9K:
logging level l2fm 5
Thursday, 29 April 2021
Cisco Switch MAC Address Flapping Alerts
Labels: alerts, broadcast storm, Cisco, flap, instability, IOS, IOS XE, L2 loop, Mac, MAC address table, NX-OS, TCAM