atom feed8 messages in net.nether.puck.cisco-nspRe: [c-nsp] %SW_MATM-4-MACFLAP_NOTIF
FromSent OnAttachments
Jimmy HalimOct 15, 2008 11:51 pm 
zhuifeng0426Oct 15, 2008 11:56 pm 
Ozgur GulerOct 16, 2008 1:54 am 
Wyatt Mattias GyllenvargOct 16, 2008 3:26 am 
Church, CharlesOct 16, 2008 3:56 am 
Allan EisingOct 16, 2008 4:27 am 
Michael FoxOct 16, 2008 10:19 am 
Dale ShawOct 16, 2008 12:59 pm 
Subject:Re: [c-nsp] %SW_MATM-4-MACFLAP_NOTIF
From:Michael Fox (mich@gmail.com)
Date:Oct 16, 2008 10:19:04 am
List:net.nether.puck.cisco-nsp

I have seen this with a Netapp SAN that has NIC teaming configured and no port-channel configured on the switch. I don't know if that applies since it is flapping between Fa and Gi. Unless someone just plugged it in the wrong port.

Michael

-----Original Message----- From: Allan Eising <alla@gmail.com> To: Church, Charles <cchu@harris.com> Cc: cisc@puck.nether.net Subject: Re: [c-nsp] %SW_MATM-4-MACFLAP_NOTIF Date: Thu, 16 Oct 2008 13:27:39 +0200

I've seen this trap a few times, and it can mean a lot of things depending on the service being provided over the vlan. In my experience, it can happen in large layer-2 service provider networks, where a vlan will carry a customer point-to-point link, and two links are bundled outside of your layer-2 network.

If you are providing layer-2 circuits through these vlans, it would indicate that your vlans 402 and 403 are bundled by the end user and load-sharing is performed between the two links. If spanning-tree takes these two vlans through different paths, it could confuse the CAM table, and make it see that mac address coming from two different ports thus giving you an error like this. This mostly happens in larger layer-2 service provider networks.

Does this make sense to you?

On Thu, Oct 16, 2008 at 12:56 PM, Church, Charles <cchu@harris.com> wrote:

Sounds like an attempt at a man in the middle attack, where an infected host attempts to act as the gateway to see all the network traffic, analyze it, then forward it to the real gateway. Definitely not a good thing.

-----Original Message----- From: cisc@puck.nether.net [mailto:cisc@puck.nether.net] On Behalf Of Wyatt Mattias Gyllenvarg Sent: Thursday, October 16, 2008 6:27 AM To: Ozgur Guler; cisc@puck.nether.net Subject: Re: [c-nsp] %SW_MATM-4-MACFLAP_NOTIF

Hi all

We have seen 3 instances of this the last days where a host (probably infected with a virus) has been broadcasting the mac of the local GW.

Effectivly switching alla outbound traffic too his port.

Fix has been too shutdown the offending port.

So far this has only effected older setups.

//Mattias Gyllenvarg

2008/10/16 Ozgur Guler <gule@yahoo.co.uk>:

"no mac address-table notification mac-move" might help.

--- On Thu, 16/10/08, Jimmy Halim <jim@pacnet.net> wrote: From: Jimmy Halim <jim@pacnet.net> Subject: [c-nsp] %SW_MATM-4-MACFLAP_NOTIF To: cisc@puck.nether.net Date: Thursday, 16 October, 2008, 7:51 AM

Hi guys,

Recently I am getting the following log messages every 2 mins on the 3750 switch.

Oct 16 06:45:50 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 0017.cbb3.08fc in vlan 403 is flapping between port Fa1/0/3 and port Gi1/0/1 Oct 16 06:45:50 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 0017.cbb3.08fc in vlan 402 is flapping between port Fa1/0/2 and port Gi1/0/1 Oct 16 06:46:43 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 0017.cbb3.08fc in vlan 402 is flapping between port Fa1/0/2 and port Gi1/0/1

This is non service impacting so far. However, I would like to know whether we can disable this logging or not. Anyone has any suggestions?

Many Thanks, Jimmy