Overview
MAC flapping occurs when a switch detects the same MAC address moving repeatedly between two or more ports within a short period of time.
Purpose of This Section
This section defines what the issue is and why it is important to detect it early in a network environment.
A switch normally learns which MAC address belongs to which port and stores this mapping in its MAC address table. When the same MAC address rapidly appears on multiple ports, the switch continuously updates the table, which indicates abnormal Layer-2 behaviour.
This usually indicates:
A physical loop
Mispatched cable
Unmanaged switch loop
Dual uplinks without proper configuration
Faulty NIC behaviour
These conditions create confusion in the switch forwarding table, resulting in unstable traffic forwarding.
MAC flapping can cause:
Intermittent device disconnections – devices may appear online and offline repeatedly.
POS transaction failures – payment devices may lose connectivity during transactions.
Broadcast instability – excessive broadcast traffic can affect the entire LAN segment.
What is MAC Flapping? (Simple Explanation)
This section explains the concept in simple operational terms, helping technicians quickly understand what the switch is detecting.
Every network device has a unique MAC address.
A switch learns device locations using traffic observations.
Example learning process:
Switch records:
“MAC A is on Port 5.”
If suddenly the same MAC address appears on another port:
“MAC A is on Port 8.”
Then traffic again appears on Port 5 and then Port 8 repeatedly.
The switch logs:
MAC address flapping between ports
Why This is Abnormal
In a stable network, a device should remain connected to one switch port only.
When a MAC address moves rapidly between ports, it indicates:
traffic looping in the network
incorrect cabling
duplicate Layer-2 paths
device malfunction
This behaviour disrupts the switch’s ability to correctly forward traffic.
Technical Background (Layer 2 Behaviour)
This section explains the internal switching mechanism responsible for detecting MAC flapping.
Switches maintain a CAM table (Content Addressable Memory) which stores MAC address mappings.
Entry format:
MAC Address → Port → VLAN → Age Timer
Example:
00:11:22:33:44:55 → Port 5 → VLAN 10 → 300 seconds
How the Switch Learns MAC Addresses
When traffic is received:
The switch reads the source MAC address of unicast, multicast and broadcast frames.
The switch updates its MAC table entry.
The MAC address becomes associated with the incoming port.
Example process:
Frame received from Port 5
→ Switch learns MAC A is on Port 5.Later traffic received from Port 8 with same MAC
→ Switch updates MAC A → Port 8.
What Happens During Flapping
If the same MAC appears rapidly on different ports:
The MAC table keeps updating repeatedly
This causes MAC flapping condition
Frequent updates cause:
Forwarding instability – packets may be sent to wrong ports temporarily.
Unknown unicast flooding – switch floods traffic because MAC location is unstable.
Increased control-plane processing – switch CPU handles frequent table updates.
Common Causes
Physical Loop (Most Common)
Example:
Port 5 → Patch Panel → unmanaged Switch → Patch Panel → Back to Port 8
This creates a Layer-2 loop.
Why This Causes Flapping
Frames entering the loop circulate continuously through the network.
The switch receives the same frame from different ports repeatedly.
Result:
The switch believes the device moved between ports.
This produces continuous MAC table updates.
Unmanaged Switch Added by Customer
Customers sometimes add small unmanaged switches to increase ports.
Example scenario:
Customer connects a 5-port unmanaged switch.
Two uplink cables are connected back to the core switch.
Example:
Core Switch Port 5 → Unmanaged Switch
Core Switch Port 8 → Same Unmanaged Switch
Because unmanaged switches do not support STP (Spanning Tree Protocol):
A Layer-2 loop is created.
This loop causes:
MAC address instability
broadcast storms
MAC flapping events
Symptoms in Production
This section explains how the problem appears in real environments, helping technicians identify the issue quickly.
You may observe:
POS randomly disconnects
Payment terminals lose network connectivity intermittently.Access Point goes offline intermittently
Wireless access points may appear unstable due to network instability.Packet loss spikes
Traffic loss occurs because forwarding tables are unstable.Switch CPU increases
Frequent MAC table updates increase processing load.STP topology change counter rising
The spanning tree algorithm detects frequent topology changes.Log entries showing MAC move events
Switch logs report MAC addresses moving between ports.Intermittent ping drops
Network latency and packet drops occur.
Risk Impact
This section explains the operational impact, particularly in production environments such as restaurants or retail networks.
MAC flapping can lead to major operational disruptions.
In restaurant environments:
Payment delays
POS terminals may fail to complete transactions.Kitchen display disconnect
Order display systems may lose connection.Guest WiFi instability
Customers may experience slow or unreliable WiFi.
These issues directly impact business operations and customer experience.
Detection & Verification
This section outlines how to confirm the issue using logs and physical inspection.
Step 1 – Check Switch Logs from Event logs
Look for entries such as:
“MAC address xxxx moving from port 5 to port 8.”
Purpose:
These logs confirm that the switch is detecting MAC movement between ports.
This is the primary indicator of MAC flapping.
Step 2 – Identify Ports Involved
Determine:
Which two ports are reporting MAC movement?
What devices are connected to those ports?
Is there an unmanaged switch present?
Purpose:
Identifying the affected ports helps locate the physical location of the problem.
Step 3 – Physical Inspection
Inspect the network cabling.
Look for:
patch loops
incorrect patching
multiple uplinks between switches
recently installed devices
Purpose:
Most MAC flapping issues are caused by incorrect physical connections.
Troubleshooting Procedure
Scenario A – Physical Loop
Action:
Disconnect one cable involved in the loop.
Observe if MAC flapping stops.
Preventive configuration:
Enable BPDU Guard on access ports.
Purpose:
This prevents unauthorized switches or loops from forming.
Scenario B – Unmanaged Switch
Action:
Remove the extra uplink cable.
Ensure only one uplink exists.
Recommended improvement:
Replace unmanaged switch with managed switch.
Enable:
Loop protection mechanisms
Purpose:
Managed switches can prevent loops using STP.
Scenario C – Faulty Device
Action:
Replace the NIC
Replace the Ethernet cable
Move the device to a different switch port
Purpose:
This confirms whether the issue originates from device hardware failure.
Escalation Criteria
This section defines when the issue should be escalated to higher-level network teams.
Escalate if:
MAC flapping continues after physical inspection
Multiple VLANs are impacted
Control-plane CPU spikes are observed
STP is not stabilizing
Possible deeper issues include:
firmware bug in the switch
ASIC forwarding anomaly
hardware port instability
These issues require advanced diagnostics or vendor support.
