07-30-2012 12:36 AM
Hello everybody,
This is a very strange issue. One of my company's data centers has a pair of Nexus 7018s with vPC enabled, and there are more than 9k MAC addresses in each chassis.
N7K-2# show mac address-table count
MAC Entries for all vlans :
Dynamic Address Count: 9927
Static Address (User-defined) Count: 0
Secure Address Count: 0
N7K-2#
One day, I found the MAC address count had increased to about double its normal size, and the new MAC addresses disappeared after a few hours.
N7K-2# show mac address-table count
MAC Entries for all vlans :
Dynamic Address Count: 16389
Static Address (User-defined) Count: 0
Secure Address Count: 0
N7K-2#
And a lot of MAC addresses were added to VLAN 1 while this was happening.
But we didn't put any servers in VLAN 1!
INT_YF_N7K-2# show mac address-table
Legend:
* - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
age - seconds since last seen,+ - primary entry using vPC Peer-Link
VLAN MAC Address Type age Secure NTFY Ports/SWID.SSID.LID
---------+-----------------+--------+---------+------+----+------------------
......
* 1 1003.73f1.e705 dynamic 300 F F Po103
* 1 10fe.b5d9.b283 dynamic 1380 F F Po103
* 1 147e.b5d9.b1a9 dynamic 360 F F Po103
* 1 147e.b5d9.b281 dynamic 300 F F Po103
* 1 14fa.b5d8.466d dynamic 300 F F Po103
* 1 14fc.b5d8.45cb dynamic 270 F F Po103
* 1 14fe.a5d8.4601 dynamic 1380 F F Po103
* 1 14fe.a5d9.b1a9 dynamic 360 F F Po103
* 1 14fe.b4d9.b20c dynamic 330 F F Po103
* 1 14fe.b4d9.b281 dynamic 240 F F Po103
* 1 14fe.b558.4601 dynamic 270 F F Po103
* 1 14fe.b599.b1a9 dynamic 1380 F F Po103
* 1 14fe.b5d8.06e2 dynamic 240 F F Po103
* 1 14fe.b5d8.4201 dynamic 270 F F Po103
* 1 14fe.b5d8.446d dynamic 330 F F Po103
* 1 14fe.b5d8.45cb dynamic 300 F F Po103
......
N7K-2# show mac address-table count vlan 1
MAC Entries for all vlans :
Dynamic Address Count: 996
Static Address (User-defined) Count: 0
Secure Address Count: 0
N7K-2#
It seems all the MAC addresses come from port-channel 103, which connects to an N5K, but most of them couldn't be found in the N5K; in other words, the MAC address table was incorrect.
Cisco TAC told me it might be a VLAN hopping attack, but I didn't find any abnormal Ethernet frames in the tcpdump capture files taken from a SPAN session.
Can anybody help me?
Thanks
Dayong
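As an added example (not part of the original post), the following Python script parses NX-OS "show mac address-table" output in the format shown above and flags two things an operator would want to detect: dynamic entries appearing in a VLAN that should carry no hosts (VLAN 1 here), and a total dynamic count well above a known baseline. The sample lines are constructed from the format in the post, and the baseline value and growth ratio are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the NX-OS "show mac address-table" format (not a real capture).
SAMPLE_OUTPUT = """\
Legend:
* - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
age - seconds since last seen,+ - primary entry using vPC Peer-Link
VLAN MAC Address Type age Secure NTFY Ports/SWID.SSID.LID
---------+-----------------+--------+---------+------+----+------------------
* 1 1003.73f1.e705 dynamic 300 F F Po103
* 1 10fe.b5d9.b283 dynamic 1380 F F Po103
* 1 147e.b5d9.b1a9 dynamic 360 F F Po103
* 100 0050.5689.0001 dynamic 120 F F Po101
+ 100 0050.5689.0002 dynamic 90 F F Eth1/1
G - 0023.04ee.be01 static - F F sup-eth1(R)
"""

# Matches primary (*) and vPC peer-link (+) entries; header, legend and gateway rows are skipped.
ENTRY_RE = re.compile(
    r"^[*+]\s+(?P<vlan>\d+)\s+(?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+"
    r"(?P<type>\w+)\s+(?P<age>\S+)\s+\S+\s+\S+\s+(?P<port>\S+)\s*$",
    re.IGNORECASE,
)

def parse_mac_table(text):
    """Return a list of (vlan, mac, type, port) tuples for each table entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((int(m["vlan"]), m["mac"].lower(), m["type"].lower(), m["port"]))
    return entries

def per_vlan_port_counts(entries):
    """Count dynamic entries per (vlan, port) so a flood can be tied to one uplink."""
    return Counter((vlan, port) for vlan, _, typ, port in entries if typ == "dynamic")

def find_anomalies(entries, baseline_total, unexpected_vlans=(1,), growth_ratio=1.5):
    """Flag dynamic MACs in VLANs that should be empty, and total growth past the baseline."""
    counts = per_vlan_port_counts(entries)
    findings = []
    for (vlan, port), n in sorted(counts.items()):
        if vlan in unexpected_vlans:
            findings.append(("unexpected_vlan", vlan, port, n))
    total = sum(counts.values())
    if total > baseline_total * growth_ratio:  # assumed threshold, tune per site
        findings.append(("growth", total, baseline_total))
    return findings
```

Run against the full output of the command (for example, saved with a periodic "show mac address-table" from a script) and compare the per-port counts with the N5K's own table to confirm the mismatch described above.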
07-31-2012 03:43 AM
Hi,
Which code are you running on your N7k?
regards,
Dirk