It sounds like the firewalls are operating in an L2/transparent mode based on the context of your reply, but it'd be good to confirm that fact. Specifically, I'm curious whether the Nexus switches are seeing the MAC addresses of downstream servers move, or if it's the MAC addresses of the firewalls themselves move. Particularly, I'd be curious if your firewalls are routing traffic, or if they're L2/transparent. In the context of your scenario, I'd want to hear a few more details (and it may be worth starting your own thread to track this issue). However, if a MAC address moves from Ethernet1/1 to Ethernet1/2, then moves back to Ethernet1/1, that "bouncing back and forth" behavior is what eventually triggers this issue if it happens rapidly enough in a short period of time (which most typically happens with loops). In other words, a MAC address (or a large number of MAC addresses) moving from interface Ethernet1/1 to Ethernet1/2 should not cause this issue. This behavior should only be observed if there's multiple moves that happen rapidly back and forth between two interfaces. These commands are documented in the Nexus 9000 MAC Move Troubleshooting and Preventive Methods Troubleshooting TechNote.
This will help you isolate the issue and determine where the loop may be coming from. This will help you troubleshoot the issue further by identifying which specific MAC addresses are moving, as well as between what two ports the MACs are moving between. When the issue happens again, you should see syslogs similar to the following: 2018 Nov 14 16:04:23.881 N9K %L2FM-4-L2FM_MAC_MOVE2: Mac 02e in vlan 741 has moved between Po6 to Eth1/3Ģ018 Nov 14 16:04:23.883 N9K %L2FM-4-L2FM_MAC_MOVE2: Mac 02e in vlan 741 has moved between Po6 to Eth1/3
A syslog can expose this information after increasing the logging level for the L2FM (Layer 2 Forwarding Manager) to a level of 5 through the below command: switch# configure terminal When troubleshooting these issues, it can usually be helpful to know which MAC addresses are moving, as well as between which two interfaces the MAC is moving. As a self-protection mechanism, the switch will disable dynamic MAC learning in that VLAN for 120 seconds to reduce the impact the loop has on the switch. This syslog indicates that one or more MACs in a VLAN are rapidly moving between two interfaces, which is typically indicative of a loop.
0 kommentar(er)
