Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1146
Views
0
Helpful
1
Replies

Nexus 7018: VLAN Hopping OR N7K Issue ?!

wandering_997
Level 1
Level 1

‎07-30-2012 12:36 AM

Hello everybody,

This is a very strange issue, one data center of my company has a pair of Nexus 7018 with vPC enabled.

And there are more than 9k mac addresses in each chassis.

N7K-2# show mac address-table count

MAC Entries for all vlans :

Dynamic Address Count:                 9927

Static Address (User-defined) Count:      0

Secure Address Count:                     0

N7K-2#

Someday, I found the mac-addr count increased about double size of normal, and the new mac addresses dispeared after few hours.

N7K-2# show mac address-table count

MAC Entries for all vlans :

Dynamic Address Count:                16389

Static Address (User-defined) Count:      0

Secure Address Count:                     0

N7K-2#

And a lots of mac addresses was appended to vlan 1 while this happening.

But we didn't put any server in vlan 1!

INT_YF_N7K-2# show mac address-table

Legend:

        * - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC

        age - seconds since last seen,+ - primary entry using vPC Peer-Link

   VLAN     MAC Address      Type      age     Secure NTFY Ports/SWID.SSID.LID

---------+-----------------+--------+---------+------+----+------------------

......

* 1        1003.73f1.e705    dynamic   300        F    F  Po103

* 1        10fe.b5d9.b283    dynamic   1380       F    F  Po103

* 1        147e.b5d9.b1a9    dynamic   360        F    F  Po103

* 1        147e.b5d9.b281    dynamic   300        F    F  Po103

* 1        14fa.b5d8.466d    dynamic   300        F    F  Po103

* 1        14fc.b5d8.45cb    dynamic   270        F    F  Po103

* 1        14fe.a5d8.4601    dynamic   1380       F    F  Po103

* 1        14fe.a5d9.b1a9    dynamic   360        F    F  Po103

* 1        14fe.b4d9.b20c    dynamic   330        F    F  Po103

* 1        14fe.b4d9.b281    dynamic   240        F    F  Po103

* 1        14fe.b558.4601    dynamic   270        F    F  Po103

* 1        14fe.b599.b1a9    dynamic   1380       F    F  Po103

* 1        14fe.b5d8.06e2    dynamic   240        F    F  Po103

* 1        14fe.b5d8.4201    dynamic   270        F    F  Po103

* 1        14fe.b5d8.446d    dynamic   330        F    F  Po103

* 1        14fe.b5d8.45cb    dynamic   300        F    F  Po103

......

N7K-2# show mac address-table count vlan 1

MAC Entries for all vlans :

Dynamic Address Count:                  996

Static Address (User-defined) Count:      0

Secure Address Count:                     0

N7K-2#

It seems all mac addresses come from port-channel 103 which connects a N5K, but most of the mac addresses couldn't be found in the N5K, in other words the mac-address-table was incorrect.

The Cisco TAC told me it's maybe a VLAN hopping attack, but I didn't find any abnormal ethernet frame in tcpdump data files that captured from SPAN.

Can anybody help me?

Thanks

Dayong

Labels:
0 Helpful
1 Reply 1

Dirk Woellhaf
Level 1
Level 1

‎07-31-2012 03:43 AM

Hi,

which code are you running on your N7k?

regards,

    Dirk

regards, Dirk (Please rate if helpful)
0 Helpful
Customers Also Viewed These Support Documents