spanning-tree mac flapping with native vlan changed

Hello all,

I'm currently running into some issues, and the result is that we have MAC flapping between a port-channel and a normal uplink.

There's one AP connected to the switch using an EtherChannel, and the config is like this:

Switch#show run int P11
Building configuration...

Current configuration : 263 bytes
!
interface Port-channel11
 switchport trunk native vlan 55
 switchport mode trunk
 logging event trunk-status
 logging event bundle-status
 logging event spanning-tree
 logging event status
 logging event subif-link-status
 spanning-tree portfast edge trunk
end

 

The members of the port-channel are 2 ports (G1/0/13 - G1/0/14):

Switch#show run int G1/0/13
Building configuration...

Current configuration : 322 bytes
!
interface GigabitEthernet1/0/25
 switchport trunk native vlan 55
 switchport mode trunk
 logging event trunk-status
 logging event bundle-status
 logging event spanning-tree
 logging event status
 spanning-tree portfast edge trunk
 spanning-tree bpduguard enable
 channel-protocol lacp
 channel-group 1 mode active
end

Switch#show run int G1/0/26
Building configuration...

Current configuration : 322 bytes
!
interface GigabitEthernet1/0/14
 switchport trunk native vlan 55
 switchport mode trunk
 logging event trunk-status
 logging event bundle-status
 logging event spanning-tree
 logging event status
 spanning-tree portfast edge trunk
 spanning-tree bpduguard enable
 channel-protocol lacp
 channel-group 1 mode active
end

 

The issue starts when you connect the 2nd LAN interface of an Access Point to this G1/0/14 interface.

After a couple of minutes, assuming broadcast traffic, things get started and the network deteriorates.

The logs show that there's MAC flapping between the port-channel and the uplink to the core switch:

testswitch#show int G1/0/25 etherchannel
Aug 29 15:12:23.385: %SW_MATM-4-MACFLAP_NOTIF: Host a44c.c891.ea2f in vlan 1 is flapping between port Po11 and port Gi1/0/48
Aug 29 15:12:23.627: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.5683.255d in vlan 1 is flapping between port Po11 and port Gi1/0/48
Aug 29 15:12:23.668: %SW_MATM-4-MACFLAP_NOTIF: Host 0017.9a54.f1b9 in vlan 1 is flapping between port Po11 and port Gi1/0/48
Aug 29 15:12:23.668: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.56aa.7656 in vlan 1 is flapping between port Po11 and port Gi1/0/48

It only happens when we change the native VLAN of the Access Point to be VLAN 55 instead of VLAN 1.

We need to do this, because otherwise we have other issues with an SSID.

I have configured STP and the root is configured with priority 0.

I've read that this could be due to a misconfiguration with spanning-tree, but I don't see what we could have configured wrong.

If we try the same setup, using the same EtherChannel, between 2 switches, we don't see this issue.

When we don't use the Access Point, I mean, the issues don't show.

This would rule out the possibility that we might have misconfigured something.

I've been struggling with this for some time now, and I'm wondering if this could be a bug or not, since you can find somewhat similar issues:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCut87285/?rfs=iqvred

And we have changed the firmware already a couple of times:

Cisco IOS Software, C2960X Software (C2960X-UNIVERSALK9-M), Version 15.2(2)E5, RELEASE SOFTWARE (fc2)
System image file is "flash:/c2960x-universalk9-mz.152-2.E5/c2960x-universalk9-mz.152-2.E5.bin"

Cisco IOS Software, C2960X Software (C2960X-UNIVERSALK9-M), Version 15.2(2)E6, RELEASE SOFTWARE (fc2)
System image file is "flash:/c2960x-universalk9-mz.152-2.E6/c2960x-universalk9-mz.152-2.E6.bin"

Cisco IOS Software, C2960X Software (C2960X-UNIVERSALK9-M), Version 15.2(2)E7, RELEASE SOFTWARE (fc2)
System image file is "flash:/c2960x-universalk9-mz.152-2.E7/c2960x-universalk9-mz.152-2.E7.bin"

Kind regards,

Gerrit
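An added illustration, not part of Gerrit's post or any reply: a Python script that parses %SW_MATM-4-MACFLAP_NOTIF lines of the form quoted above and separates the ordinary roaming case (one MAC moving between two AP-facing ports now and then) from what a forwarding loop looks like in the same log (many unrelated MACs flapping between the same two ports within seconds, one of them the uplink). The first four sample lines are the ones from the post; the remaining three lines, the port names Gi1/0/2 and Gi1/0/3, the MAC 0011.2233.4455, VLAN 20, and the 5-second / 3-MAC thresholds are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The first four lines are the %SW_MATM-4-MACFLAP_NOTIF messages quoted in the post;
# the last three are constructed to look like one client roaming between two
# AP-facing ports, for contrast.
SAMPLE_LOG = """\
Aug 29 15:12:23.385: %SW_MATM-4-MACFLAP_NOTIF: Host a44c.c891.ea2f in vlan 1 is flapping between port Po11 and port Gi1/0/48
Aug 29 15:12:23.627: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.5683.255d in vlan 1 is flapping between port Po11 and port Gi1/0/48
Aug 29 15:12:23.668: %SW_MATM-4-MACFLAP_NOTIF: Host 0017.9a54.f1b9 in vlan 1 is flapping between port Po11 and port Gi1/0/48
Aug 29 15:12:23.668: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.56aa.7656 in vlan 1 is flapping between port Po11 and port Gi1/0/48
Aug 29 15:31:02.110: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 20 is flapping between port Gi1/0/2 and port Gi1/0/3
Aug 29 15:37:45.901: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 20 is flapping between port Gi1/0/3 and port Gi1/0/2
Aug 29 15:44:10.330: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 20 is flapping between port Gi1/0/2 and port Gi1/0/3
"""

MACFLAP_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): %SW_MATM-4-MACFLAP_NOTIF: "
    r"Host (?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}) in vlan (?P<vlan>\d+) "
    r"is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)"
)


def parse_macflaps(log_text):
    """Return a list of (timestamp, mac, vlan, port_pair); the port pair is order-independent."""
    events = []
    for line in log_text.splitlines():
        m = MACFLAP_RE.search(line)
        if not m:
            continue  # other syslog lines are ignored
        # The year defaults to 1900, which is fine for computing deltas within one capture.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S.%f")
        pair = tuple(sorted((m["p1"], m["p2"])))
        events.append((ts, m["mac"].lower(), int(m["vlan"]), pair))
    return events


def classify_flaps(log_text, window=timedelta(seconds=5), distinct_mac_threshold=3):
    """Group flaps per port pair and flag pairs where many distinct MACs flap within `window`.

    One MAC moving between two AP ports now and then is roaming. Many unrelated MACs
    moving between the same two ports within seconds is the signature of a loop.
    """
    by_pair = defaultdict(list)
    for ts, mac, vlan, pair in parse_macflaps(log_text):
        by_pair[pair].append((ts, mac, vlan))

    report = {}
    for pair, evs in by_pair.items():
        evs.sort()
        # Sliding window over the sorted events: peak number of distinct MACs seen
        # within `window` of each other.
        peak, start = 0, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            peak = max(peak, len({mac for _, mac, _ in evs[start:end + 1]}))
        report[pair] = {
            "events": len(evs),
            "distinct_macs": len({mac for _, mac, _ in evs}),
            "peak_macs_in_window": peak,
            "vlans": sorted({vlan for _, _, vlan in evs}),
            "verdict": "loop-suspect" if peak >= distinct_mac_threshold else "roaming-like",
        }
    return report


if __name__ == "__main__":
    for pair, info in classify_flaps(SAMPLE_LOG).items():
        print(f"{pair[0]} <-> {pair[1]}: {info}")
```

The "vlans" field is worth reading alongside the verdict: the quoted lines report the flapping hosts in VLAN 1, not in the newly configured native VLAN 55, which is a detail to correlate with the native VLAN settings on both ends of each trunk.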

18 Replies

johnd2310
Level 8

Hi,

How is the access point configured? Is it CAPWAP or autonomous?

Thanks

**Please rate posts you find helpful**

It is using CAPWAP, but it's in bridge mode.

Silverymoon
Level 1

"It only happens when we change the native vlan of the Access point to be VLAN 55 instead of VLAN1."

"Portions of the network which are VLAN-aware (i.e., IEEE 802.1Q conformant) can include VLAN tags. When a frame enters the VLAN-aware portion of the network, a tag is added to represent the VLAN membership. Each frame must be distinguishable as being within exactly one VLAN. A frame in the VLAN-aware portion of the network that does not contain a VLAN tag is assumed to be flowing on the native VLAN."

So if the native VLAN of the AP port is VLAN 55, frames in VLAN 55 will be untagged. If another port has a different native VLAN, then you can see what is going to happen: you are going to hop to a different VLAN. This can also cause an L2 loop (see the MAC flapping), because (R)STP works within one single VLAN, and hopping between VLANs can create a loop because you can avoid blocking or discarding ports.

Try explicit tagging of the native VLAN on all trunk ports, as this will help troubleshooting. It must be configured on all switches in the network.

Switch(config)# vlan dot1q tag native

"It is very normal on a switch to display this mac flapping message if APs are connected to the switch port. The reason for this is due to the fact that the switch learns a particular client's MAC from one particular port to which the AP (assume this is AP01) is connected. Now when the wireless client roams to another AP (assume AP02, which is connected on a different port of the same switch where AP01 is connected), the switch will learn that same MAC address on a different port, i.e. AP02's port, and displays the mac flap message." https://community.cisco.com/t5/wireless-and-mobility/mac-flaps-from-wireless-network/td-p/2300795

Also, are there overlapping channels (see link above)?
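An added illustration of the native-VLAN point made in this reply (example code, not from the reply, the thread, or Cisco): a small Python model of 802.1Q tagging with two ends of one trunk link that have different native VLANs. build_frame and parse_frame handle the real tag layout (TPID 0x8100, then a 16-bit TCI of 3-bit PCP, 1-bit DEI and 12-bit VID); the TrunkPort class applies only the native-VLAN rules: native-VLAN frames leave untagged, untagged arrivals are filed under the receiver's own native VLAN, and with tag_native set (standing in for `vlan dot1q tag native`) native frames are tagged on egress and, as this model assumes, untagged arrivals are dropped. The port names, MAC address and payloads are constructed.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800

# Constructed addresses for the demonstration (not taken from the thread).
BCAST = bytes.fromhex("ffffffffffff")
HOST_MAC = bytes.fromhex("0200aabbccdd")


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Build an Ethernet frame; when vid is given, insert an 802.1Q tag after the addresses."""
    header = dst + src
    if vid is not None:
        tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)   # TCI = PCP(3) | DEI(1) | VID(12)
        header += struct.pack("!HHH", TPID_8021Q, tci, ethertype)
    else:
        header += struct.pack("!H", ethertype)
    return header + payload


def parse_frame(frame):
    """Return (dst, src, vid, ethertype, payload); vid is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return dst, src, None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, inner_type, frame[18:]


class TrunkPort:
    """One end of an 802.1Q trunk, reduced to its native-VLAN rules."""

    def __init__(self, name, native_vlan, tag_native=False):
        self.name = name
        self.native_vlan = native_vlan
        self.tag_native = tag_native  # stands in for 'vlan dot1q tag native'

    def egress(self, vid, dst, src, ethertype, payload):
        """Frames in the native VLAN leave untagged unless native tagging is on."""
        if vid == self.native_vlan and not self.tag_native:
            return build_frame(dst, src, ethertype, payload)
        return build_frame(dst, src, ethertype, payload, vid=vid)

    def ingress(self, frame):
        """Return the VLAN this end files the frame under, or None if it is dropped."""
        _, _, vid, _, _ = parse_frame(frame)
        if vid is not None:
            return vid
        # Untagged on a trunk means "native VLAN". With native tagging enforced the
        # model drops untagged ingress instead (an assumption of this model).
        return None if self.tag_native else self.native_vlan


def cross_link(vid, sender, receiver):
    """Send one VLAN `vid` frame from `sender` to `receiver`; return the VLAN it lands in."""
    frame = sender.egress(vid, BCAST, HOST_MAC, ETHERTYPE_ARP, b"\x00" * 28)
    return receiver.ingress(frame)


def mismatched_native_demo():
    """Two ends of one trunk link with different native VLANs (55 on one side, 1 on the other)."""
    a = TrunkPort("switchA-trunk", native_vlan=55)
    b = TrunkPort("switchB-trunk", native_vlan=1)
    return {
        "vlan55_from_a_lands_in": cross_link(55, a, b),  # 1  : hopped into the other native VLAN
        "vlan1_from_b_lands_in": cross_link(1, b, a),    # 55 : hopped in the other direction
        "vlan20_from_a_lands_in": cross_link(20, a, b),  # 20 : tagged VLANs are unaffected
    }


def tagged_native_demo():
    """Same link with native tagging on both ends, plus a host that still sends untagged."""
    a = TrunkPort("switchA-trunk", native_vlan=55, tag_native=True)
    b = TrunkPort("switchB-trunk", native_vlan=1, tag_native=True)
    untagged_from_host = build_frame(BCAST, HOST_MAC, ETHERTYPE_IPV4, b"\x00" * 28)
    return {
        "vlan55_from_a_lands_in": cross_link(55, a, b),                  # 55: the tag travels with the frame
        "vlan1_from_b_lands_in": cross_link(1, b, a),                    # 1
        "untagged_host_frame_lands_in": a.ingress(untagged_from_host),   # None: dropped
    }


if __name__ == "__main__":
    print("mismatched native VLANs:", mismatched_native_demo())
    print("native tagging enforced:", tagged_native_demo())
```

With native 55 on one end and native 1 on the other, a VLAN 55 frame lands in VLAN 1 and a VLAN 1 frame lands in VLAN 55, so those two VLANs are merged across that one link while every tagged VLAN passes unchanged, and per-VLAN spanning tree has no view of the merge. Enabling native tagging on both ends keeps VLAN 55 in VLAN 55; the last result shows the trade-off that comes with it: a device that still sends untagged frames toward the tag-native trunk gets nothing through.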

Hi

I'm aware of the fact that clients will roam and we should see that message regarding MACs moving in the network.

What's not normal is that it's tearing down the network completely due to the broadcast storm we encounter.

I wasn't aware of the native VLAN tag option, and I was wondering if the AP can work with this to get an IP in this VLAN. I'll give it a try.

Kind regards,

Gerrit

Hi,

As I thought, this isn't working because the AP needs an untagged VLAN to receive an IP address from DHCP.
Since we're tagging this native VLAN, we cannot get an IP anymore.

Regards,
Gerrit

There are no overlapping channels; we've manually configured one channel for all APs per radio.

Hopefully someone more versed in Wireless can help you.

ITexpert
Level 3

If the AP is connected with an EtherChannel, it should be an L2 EtherChannel; you don't need to configure the interface for the port-channel.

I am not able to understand the config.

If the port-channel is configured with these ports (G1/0/13 - G1/0/14), why is your config showing other ports, interface GigabitEthernet1/0/25 - interface GigabitEthernet1/0/26?

By default the native VLAN is 1. Did you set up VLAN 55 as native in the whole network?

Thanks

Hello,

I'm sorry, but some are exhibits from my LAB.

At the customer we're using 1/0/25-26.

We're only using the native VLAN 55 on the APs, nowhere else.

Because we need an IP out of that VLAN on the APs to manage the APs.

Kind regards,

Gerrit

I set up the same scenario a few months ago; I just configured the EtherChannel and then put in these commands:

switchport trunk encapsulation dot1q
switchport trunk allowed vlan (the VLANs required by the clients)
switchport trunk native vlan (I suggest you make the native VLAN the same on all trunk ports)
switchport mode trunk

It works without any issues. The DHCP for wireless clients was on the WLC, and the DHCP for the APs was on a Microsoft server in that VLAN.

Q: What's the purpose of having access points in trunk mode?

Q: Why are you making VLAN 55 the native VLAN?

Thanks

Q: What's the purpose of having access points in trunk mode?

When you're using 802.1X RADIUS authentication, you need multiple VLANs to be able to flow over the uplinks.

Q: Why are you making VLAN 55 the native VLAN?

Because we have a particular issue whilst using native VLAN 1.

There's a legacy misconfig and VLAN 1 is being used as a regular VLAN; it's a /16, meaning a lot of broadcast traffic is happening on it.

Forgot to mention we're using bridge mode.

Regards,

Gerrit

Does bridge mode mean your AP and wireless clients will be in the same subnet?

Yes, there's no tunnel to the controller that would handle the rest of the traffic.
There are 5 different VLANs where users will be redirected to, depending on their A.D. membership.
So we should only be using 5 VLANs on these trunks, but still this shouldn't be happening.

OK, I suggest you configure the EtherChannel in L2 (without an interface port-channel), then refresh the CAM table.
