MAC Move messages explained

Overview to better understand MAC Move messages and how to troubleshoot them

Home / Posts / MAC Move messages explained

What are MAC Move messages in the syslog?

Maybe you ever saw them, the dreaded MAC x.x.x in vlan y has moved from Port 1 to Port 2.

This is never a good sign and means that there is a misbehaving device in the network. It means that the switch learns/sees the same MAC address on two different ports and therefore isn’t sure which information is the correct one.

Both Devices are using the same MAC Address

This is not a valid network setup and the switch will forward the traffic sometimes to Device 1 and sometimes to Device 2. Depending on the platform the switch will stop learning MAC Addresses for the affected VLAN for a period of time and then re-enables the learning in the hope that the situation has cleaned up.

On some Nexus 9000 Switches we had some messages in the log that exactly showed this issue.

1
2
switch# 2022 Oct  5 09:47:57 switch %L2FM-2-L2FM_MAC_FLAP_RE_ENABLE_LEARN: Re-enabling learning in vlan 2100
2022 Oct  5 09:48:04 switch %L2FM-2-L2FM_MAC_FLAP_DISABLE_LEARN: Disabling learning in vlan 2100 for 120s due to too many mac moves

This means that there were too many MAC flaps in VLAN 2100 and the switch then disabled learning for 2 minutes. Now there is one big issue with the output, we are missing the Port and MAC Address information.

How to see the port where the MAC Move occurs?

You saw in the log that there were some MAC Moves ongoing, but you are not sure what causes them. There is a command to show also the Port & MAC Address information to better understand where exactly the Move occurs.

The command depends on the Platform (as always :))

Cisco IOS

To see more information on classic IOS based devices, use the mac address table notification mac-move command. With the no version, you can disable it again.

Nexus 3000, 4000, 5000 and 6000

On the Nexus 3000, 4000, 5000 and 6000 you need multiple commands to enable the detailed MAC Move information.

1
2
3
mac address table notification mac-move 
logging level fwm 6 
logging monitor 6

Nexus 7000 and 9000

To enable the detailed information about the MAC Move on the Nexus 7000 and 9000, it’s just a single command.

1
logging level l2fm 5

Output when detailed information is enabled

After you followed the steps above for your platform to enable the detailed output, you should now see something like this in the log.

1
2
2022 Oct  5 10:01:20 N7K-1 %L2FM-4-L2FM_MAC_MOVE: Mac x.x.x in vlan 2100 has moved from Port1 to Port2
2022 Oct  5 10:01:21 N7K-1 %L2FM-4-L2FM_MAC_MOVE: Mac x.x.x in vlan 2100 has moved from Port2 to Port1
comments powered by Disqus
Built with Hugo
Theme Stack designed by Jimmy