Solved

Catalyst 4006 CATos %SYS-4-P2_WARN Host is flapping

Posted on 2008-06-24
Last Modified: 2012-06-27
Error:  2008 Jun 24 14:06:23 CST +00:00 %SYS-4-P2_WARN: 1/Host 00:00:74:a7:d8:56 is flapping between port 2/7 and port 2/43
Cisco Catalyst 4006 running CatOS 8.4(11) continues to flap ports between uplink to another switch and a host port.  The host port has been set with channel mode to off, spanning tree PortFast enabled, and trunk mode is off.
Question by:ideaone
15 Comments
 
LVL 4

Expert Comment

by:fileinster
ID: 21860795
What is connected to these ports (2/7 and 2/43) and where is the host (00:00:74:a7:d8:56) connected? Can you detail the switching path? Is the host a server, and if so is NIC teaming enabled? If it is what mode is the NIC teaming in: load-sharing or fail-over?
 
LVL 32

Expert Comment

by:harbor235
ID: 21865747
Do you have Ricoh office equipment? Does it have more than one NIC? Like fileinster states above,
do you have NIC teaming or any HA services running?

harbor235 ;}

 

Author Comment

by:ideaone
ID: 21866067
The switch is logging a similar message for multiple ports.  Port 2/7 does happen to be a Ricoh printer with only one interface to the switch.  No HA services.  Yesterday it was port 2/7; today it is that and a couple of others.  One is hosting a W2003K server and another a MUX.  None of the equipment has dual NICs.  This switch has one link to another switch on f/e port 2/43, which is an Extreme switch.  Tried connecting it to another Cisco switch via a fiber port and the same thing was happening.  The flapping causes connectivity issues to the equipment.  I moved several servers to the Extreme switch and they are working fine now.
 
LVL 32

Expert Comment

by:harbor235
ID: 21866231

Is the printer or any flapping device connected to the 4006 directly, or is it connected to another switch and the ports you see it flapping on are trunk ports?

If not, there could be some type of man-in-the-middle attack, ARP poisoning and so on to disrupt your site.

More info is needed

harbor235 ;}
 
LVL 4

Expert Comment

by:fileinster
ID: 21866365
That suggests you may have a loop somewhere in your network. Do you have PortFast enabled on port 2/43?
 
LVL 32

Expert Comment

by:harbor235
ID: 21866572


A loop would bring down the layer 2 network. It could be that the switch is too busy to send BPDUs, or it could be malicious code executing in your network.

How is the switch CPU and are there any ports at 100% capacity?

harbor235 ;}
 

Author Comment

by:ideaone
ID: 21866802
To summarize your questions:
No ports at 100%, all hosts are directly connected to the 4006, no PortFast on 2/43, port 2/43 is a trunk port, all other ports are configured as host ports, processor runs around 30%, forced 2/43 to trunking.

I was thinking of moving all the host ports to another VLAN.  Right now everyone is on VLAN 1.  Cisco suggested a possible bad Sup II.  I was hoping maybe someone else has come across this problem.
 
LVL 4

Expert Comment

by:fileinster
ID: 21866959
Is your "Extreme switch" managed or an unmanaged switch? If it's unmanaged, can you make sure it's not plugged into the network via another cable?

Failing that, it sounds like faulty CAM hardware on the supervisor.
 
LVL 32

Expert Comment

by:harbor235
ID: 21866991

FYI, using VLAN 1 is a security risk.

For a MAC to flip over the trunk port to another switch could mean that a host on your network may be compromised and is trying to redirect traffic somewhere else; this has the effect of disrupting your site. Take one of the flapping MACs, the Ricoh printer for example: it is located on port X. Go to the other end of the trunk where it is flapping and find what port the switch says has the MAC. Disregard it if it says back towards the 4006; keep hitting the show mac-address command quickly, because each time the printer or the potentially compromised host talks it will flip back. When you find the port on the non-4006 switch you may just find your compromised host.

If you go to the router that has the layer 3 interface for the VLAN in question, are there many MACs for a single IP address? If so, this is an exploit.

harbor235 ;}


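The two checks harbor235 describes in the comment above (follow a flapping MAC and look for an IP that has been bound to more than one MAC) can be done offline against saved output rather than by racing the flap at the console. The script below is an added example and not part of the original thread or of any Cisco tool. It parses CatOS `%SYS-4-P2_WARN` flapping messages of the exact shape shown in the question, summarises them per MAC and flags MACs that alternate between an access port and the uplink (2/43 in this thread), and then accumulates IP-to-MAC bindings across several ARP table snapshots to find IPs seen with more than one MAC. All sample data except the one syslog line and the two port numbers from the question is constructed; the ARP rows use IOS `show ip arp` layout and TEST-NET addresses, and the extra MACs are locally administered (02:00:...) placeholders.

```python
"""Triage helper for CatOS 'Host ... is flapping between port X and port Y' logs.

Added example (not from the original thread). Two offline checks:
  1. parse_flaps / summarize_flaps: per-MAC flap counts, the ports involved,
     and whether one side of the flap is an uplink/trunk port.
  2. ips_with_multiple_macs: IPs that map to more than one MAC across ARP
     snapshots taken at different times (a single snapshot holds one MAC per IP).
"""
import re
from collections import defaultdict
from datetime import datetime

# CatOS message format copied from the thread's real log line.
FLAP_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{1,2} \d\d:\d\d:\d\d) \S+ [+-]\d\d:\d\d "
    r"%SYS-4-P2_WARN: \d+/Host (?P<mac>[0-9a-fA-F:.-]+) "
    r"is flapping between port (?P<p1>\d+/\d+) and port (?P<p2>\d+/\d+)$"
)
# IOS-style 'show ip arp' row (constructed layout): only IP and MAC are used.
ARP_ROW_RE = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+\S+\s+(?P<mac>[0-9a-fA-F.]{14})\s+ARPA"
)


def normalize_mac(mac):
    """12 lowercase hex digits, so '0000.74a7.d856' == '00:00:74:a7:d8:56'."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def parse_flaps(lines):
    """Return one event dict per matching syslog line; other lines are skipped."""
    events = []
    for line in lines:
        m = FLAP_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y %b %d %H:%M:%S"),
            "mac": normalize_mac(m["mac"]),
            "ports": frozenset((m["p1"], m["p2"])),
        })
    return events


def summarize_flaps(events, uplink_ports):
    """Per MAC: flap count, all ports seen, first/last time, and whether one
    side of the flap is an uplink. A host MAC alternating between its own
    access port and the trunk is the pattern worth chasing on the far switch."""
    uplinks = set(uplink_ports)
    summary = defaultdict(lambda: {"count": 0, "ports": set(),
                                   "via_uplink": False, "first": None, "last": None})
    for ev in events:
        s = summary[ev["mac"]]
        s["count"] += 1
        s["ports"] |= ev["ports"]
        s["via_uplink"] = s["via_uplink"] or bool(ev["ports"] & uplinks)
        s["first"] = ev["ts"] if s["first"] is None else min(s["first"], ev["ts"])
        s["last"] = ev["ts"] if s["last"] is None else max(s["last"], ev["ts"])
    return dict(summary)


def ips_with_multiple_macs(snapshots):
    """Accumulate IP->MAC bindings over several ARP snapshots; return only the
    IPs bound to more than one MAC, MACs sorted for stable output."""
    seen = defaultdict(set)
    for snap in snapshots:
        for line in snap.splitlines():
            m = ARP_ROW_RE.match(line.strip())
            if m:
                seen[m["ip"]].add(normalize_mac(m["mac"]))
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


# Constructed sample log. Only the first line is real (from the question).
SAMPLE_SYSLOG = """\
2008 Jun 24 14:06:23 CST +00:00 %SYS-4-P2_WARN: 1/Host 00:00:74:a7:d8:56 is flapping between port 2/7 and port 2/43
2008 Jun 24 14:06:31 CST +00:00 %SYS-4-P2_WARN: 1/Host 00:00:74:a7:d8:56 is flapping between port 2/43 and port 2/7
2008 Jun 24 16:40:02 CST +00:00 %SYS-4-P2_WARN: 1/Host 00:00:74:a7:d8:56 is flapping between port 2/7 and port 2/43
2008 Jun 24 16:41:15 CST +00:00 %SYS-4-P2_WARN: 1/Host 02:00:00:00:00:01 is flapping between port 2/12 and port 2/43
2008 Jun 24 16:41:20 CST +00:00 %SYS-4-P2_WARN: 1/Host 02:00:00:00:00:02 is flapping between port 2/20 and port 2/21
2008 Jun 24 16:42:00 CST +00:00 %SYS-5-MOD_OK: Module 2 is online
"""

# Constructed ARP snapshots: 192.0.2.10 changes MAC between the two captures.
SAMPLE_ARP_SNAPSHOTS = [
    """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.0.2.1               -   0200.0000.00fe  ARPA   Vlan1
Internet  192.0.2.10              4   0000.74a7.d856  ARPA   Vlan1
Internet  192.0.2.20             12   0200.0000.0002  ARPA   Vlan1
""",
    """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.0.2.1               -   0200.0000.00fe  ARPA   Vlan1
Internet  192.0.2.10              0   0200.0000.0001  ARPA   Vlan1
Internet  192.0.2.20             17   0200.0000.0002  ARPA   Vlan1
""",
]

if __name__ == "__main__":
    report = summarize_flaps(parse_flaps(SAMPLE_SYSLOG.splitlines()), uplink_ports=["2/43"])
    for mac, s in sorted(report.items(), key=lambda kv: -kv[1]["count"]):
        flag = "UPLINK" if s["via_uplink"] else "local "
        print(f"{flag} {mac} flaps={s['count']} ports={sorted(s['ports'])} "
              f"{s['first']:%H:%M:%S}-{s['last']:%H:%M:%S}")
    for ip, macs in ips_with_multiple_macs(SAMPLE_ARP_SNAPSHOTS).items():
        print(f"IP {ip} seen with {len(macs)} MACs: {', '.join(macs)}")
```

Feed it the switch's syslog (or the log host's copy) and a few ARP tables collected by a cron job; because the author notes the flaps can be hours apart, collecting over time is what makes the second check useful. A MAC flagged UPLINK tells you which address to look up on the far switch, but it does not by itself distinguish a loop, a second path, a spoofing host, or, as in this thread, a failing supervisor.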
 
LVL 4

Expert Comment

by:fileinster
ID: 21867066
Check this out:
http://www.cisco.com/en/US/products/hw/switches/ps4324/products_tech_note09186a008063c36f.shtml#cg1

Summary: Make sure spanning tree is enabled on all switches or that you have no loops! If Cisco have looked at the problem themselves and have only come up with segmenting the network, that again gives weight to the faulty hardware theory. Out of interest, how many nodes are on the network? Best practice is not more than 250.
 

Author Comment

by:ideaone
ID: 21867117
Thanks for the link... spanning tree is enabled.  I have been working with only 2 switches.  I have tried to capture the MAC address on the other switch, but I never know when it is going to flap, which could be hours between, so it becomes difficult to trace.  Thanks for the ideas... right now I'm going to try replacing the Sup II as I have already put in way too many hours.
 
LVL 32

Expert Comment

by:harbor235
ID: 21867478

Look at the causes in your doc, fileinster. He has already stated that he is not seeing high utilization, which is indicative of spanning-tree loops, nor high CPU utilization, tons of multicast traffic, etc.
I have seen many a spanning-tree loop and if ideaone is reporting the symptoms correctly this is not a spanning-tree loop.

Just my 2 cents

harbor235 ;}

 
LVL 4

Expert Comment

by:fileinster
ID: 21868646
Definitely think replacing the Sup is the way forward then!
 

Accepted Solution

by:
ideaone earned 0 total points
ID: 22596510
Thanks all. I ended up replacing both my Layer 3 card and my Sup.
 
LVL 4

Expert Comment

by:fileinster
ID: 22597908
I think that my suggestion answered the question.
