Catalyst 4006 CATos %SYS-4-P2_WARN Host is flapping

Error:  2008 Jun 24 14:06:23 CST +00:00 %SYS-4-P2_WARN: 1/Host 00:00:74:a7:d8:56 is flapping between port 2/7 and port 2/43
Cisco Catalyst 4006 running CatOS 8.4(11) continues to flap ports between uplink to another switch and a host port.  The host port has been set with channel mode to off, spanning tree PortFast enabled, and trunk mode is off.
ideaone asked:
 
ideaone (Author) commented:
Thanks all. I ended up replacing both my Layer 3 card and my Sup.
0
 
fileinster commented:
What is connected to these ports (2/7 and 2/43) and where is the host (00:00:74:a7:d8:56) connected? Can you detail the switching path? Is the host a server, and if so is NIC teaming enabled? If it is what mode is the NIC teaming in: load-sharing or fail-over?
0
 
harbor235 commented:
Do you have Ricoh office equipment? Does it have more than one NIC? Like fileinster states above,
do you have NIC teaming or any HA services running?

harbor235 ;}

0
 
ideaone (Author) commented:
The switch is logging a similar message for multiple ports. Port 2/7 does happen to be a Ricoh printer with only one interface to the switch. No HA services. Yesterday it was port 2/7, today it is that and a couple of others. One is hosting a W2003K server and another a MUX. None of the equipment has dual NICs. This switch has one link to another switch on F/E port 2/43, which is an Extreme switch. Tried connecting it to another Cisco switch via a fiber port and the same thing was happening. The flapping causes connectivity issues to the equipment. I moved several servers to the Extreme switch and they are working fine now.
0
 
harbor235 commented:

Is the printer or any flapping device connected to the 4006 directly, or is it connected to another switch and the ports you see it flapping on are trunk ports?

If not, there could be some type of man-in-the-middle attack, ARP poisoning and so on to disrupt your site.

More info is needed.

harbor235 ;}
0
 
fileinster commented:
That suggests you may have a loop somewhere in your network. Do you have PortFast enabled on port 2/43?
0
 
harbor235 commented:

A loop would bring down the layer 2 network; it could be the switch is too busy to send BPDUs, or it could be malicious code executing in your network.

How is the switch CPU, and are there any ports at 100% capacity?

harbor235 ;}
0
 
ideaone (Author) commented:
To summarize your questions:
no ports at 100%, all hosts are directly connected to the 4006, no PortFast on 2/43, port 2/43 is a trunk port, all other ports are configured as host ports, processor runs around 30%, forced 2/43 to trunking.

I was thinking of moving all the host ports to another VLAN. Right now everyone is on VLAN 1. Cisco suggested a possible bad SupII. I was hoping maybe someone else has come across this problem.
0
 
fileinster commented:
Is your "Extreme switch" managed or an unmanaged switch? If it's unmanaged, can you make sure it's not plugged in to the network via another cable?

Failing that, it sounds like faulty CAM hardware on the supervisor.
0
 
harbor235 commented:

FYI, using VLAN 1 is a security risk.

For a MAC to flip over the trunk port to another switch could mean that a host on your network may be compromised and is trying to redirect traffic somewhere else; this has the effect of disrupting your site. Take one of the flapping MACs, the Ricoh printer for example: it's located on port X; go to the other end of the trunk where it is flapping and find what port the switch says has the MAC. Disregard if it says back towards the 4006; keep hitting the show mac-address command quickly, because each time the printer or the potentially compromised host talks it will flip back. When you find the port on the non-4006 switch you may just find your compromised host.

If you go to the router that has the layer 3 interface for the VLAN in question, are there many MACs for a single IP address? If so, this is an exploit.

harbor235 ;}


0
 
fileinster commented:
Check this out:
http://www.cisco.com/en/US/products/hw/switches/ps4324/products_tech_note09186a008063c36f.shtml#cg1

Summary: Make sure spanning tree is enabled on all switches, or that you have no loops! If Cisco have looked at the problem themselves and have only come up with segmenting the network, that again gives weight to the faulty hardware theory. Out of interest, how many nodes are on the network? Best practice is not more than 250.
0
 
ideaone (Author) commented:
Thanks for the link. Spanning tree is enabled. I have been working with only 2 switches. I have tried to capture the MAC address on the other switch, but I never know when it is going to flap, which could be hours between, so it becomes difficult to trace. Thanks for the ideas. Right now I'm going to try replacing the SupII as I have already put in way too many hours.
0
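Because the flaps arrive hours apart, catching one live with repeated show mac-address commands is hit-and-miss. An alternative that fits harbor235's trace procedure is to collect the switch's syslog and aggregate the %SYS-4-P2_WARN messages per MAC, so the defender can see which addresses flap, whether the uplink trunk (2/43 here) is always one side of the pair, and how often it happens before walking to the other switch. The parser below is an added example and is not from this thread or from Cisco; the log lines are constructed (the first is modelled on the message in the question, the rest are invented), and the timestamp layout is assumed to match that message.

```python
"""Aggregate CatOS %SYS-4-P2_WARN host-flapping messages by MAC address (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: line 1 is modelled on the question, lines 2-4 are invented,
# and the last line is a different facility that the parser must ignore.
SAMPLE_LOG = """\
2008 Jun 24 14:06:23 CST +00:00 %SYS-4-P2_WARN: 1/Host 00:00:74:a7:d8:56 is flapping between port 2/7 and port 2/43
2008 Jun 24 14:06:31 CST +00:00 %SYS-4-P2_WARN: 1/Host 00:00:74:a7:d8:56 is flapping between port 2/43 and port 2/7
2008 Jun 24 16:40:02 CST +00:00 %SYS-4-P2_WARN: 1/Host 00:0c:29:11:22:33 is flapping between port 2/12 and port 2/43
2008 Jun 24 16:40:03 CST +00:00 %SYS-5-MOD_OK: Module 2 is online
"""

# Timestamp, timezone token, offset token, then the flap message (format assumed from the question).
FLAP_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ \S+ "
    r"%SYS-4-P2_WARN: \d+/Host (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)$",
    re.IGNORECASE,
)


def parse_flaps(text):
    """Return one (timestamp, mac, frozenset{port_a, port_b}) tuple per flap message."""
    events = []
    for line in text.splitlines():
        m = FLAP_RE.match(line.strip())
        if not m:
            continue  # any other syslog message is not a flap event
        ts = datetime.strptime(m.group("ts"), "%Y %b %d %H:%M:%S")
        ports = frozenset((m.group("p1"), m.group("p2")))  # order in the message is irrelevant
        events.append((ts, m.group("mac").lower(), ports))
    return events


def summarize(events):
    """Per MAC: flap count, every port it was seen on, first/last time, shortest gap in seconds."""
    by_mac = defaultdict(list)
    for ts, mac, ports in events:
        by_mac[mac].append((ts, ports))
    summary = {}
    for mac, items in by_mac.items():
        items.sort(key=lambda item: item[0])
        times = [ts for ts, _ in items]
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        seen = set()
        for _, ports in items:
            seen |= ports
        summary[mac] = {
            "count": len(items),
            "ports": tuple(sorted(seen)),
            "first": times[0],
            "last": times[-1],
            "min_gap_s": min(gaps) if gaps else None,  # None when the MAC flapped only once
        }
    return summary


def macs_flapping_over(summary, port):
    """MACs whose flap pair includes the given port, e.g. the uplink trunk 2/43."""
    return sorted(mac for mac, info in summary.items() if port in info["ports"])


if __name__ == "__main__":
    report = summarize(parse_flaps(SAMPLE_LOG))
    for mac, info in report.items():
        print(mac, info["count"], info["ports"], info["first"], info["last"], info["min_gap_s"])
    print("flapping across uplink 2/43:", macs_flapping_over(report, "2/43"))
```

Feed it the switch's syslog export (or a syslog server's file) instead of SAMPLE_LOG. A MAC that only ever flaps between a host port and the trunk is what harbor235 describes: the same address is being learned locally and from the far side of the uplink, and the port list tells you which access port to compare against the neighbour switch's MAC table.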
 
harbor235 commented:

Look at the causes in your doc, fileinster; he has already stated that he is not seeing the high utilizations which are indicative of spanning-tree loops, also high CPU utilization, tons of multicast traffic etc.
I have seen many a span tree loop, and if ideaone is reporting the symptoms correctly this is not a spanning tree loop.

Just my 2 cents

harbor235 ;}

0
 
fileinster commented:
Definitely think replacing the Sup is the way forward then!
0
 
fileinster commented:
I think that my suggestion answered the question.
0