07-30-2012 12:36 AM
Hello everybody,
This is a very strange issue, one data center of my company has a pair of Nexus 7018 with vPC enabled.
And there are more than 9k MAC addresses in each chassis.
N7K-2# show mac address-table count
MAC Entries for all vlans :
Dynamic Address Count: 9927
Static Address (User-defined) Count: 0
Secure Address Count: 0
N7K-2#
One day, I found the MAC address count had increased to about double its normal size, and the new MAC addresses disappeared after a few hours.
N7K-2# show mac address-table count
MAC Entries for all vlans :
Dynamic Address Count: 16389
Static Address (User-defined) Count: 0
Secure Address Count: 0
N7K-2#
And a lot of MAC addresses were added to VLAN 1 while this was happening.
But we didn't put any servers in VLAN 1!
INT_YF_N7K-2# show mac address-table
Legend:
* - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
age - seconds since last seen,+ - primary entry using vPC Peer-Link
VLAN MAC Address Type age Secure NTFY Ports/SWID.SSID.LID
---------+-----------------+--------+---------+------+----+------------------
......
* 1 1003.73f1.e705 dynamic 300 F F Po103
* 1 10fe.b5d9.b283 dynamic 1380 F F Po103
* 1 147e.b5d9.b1a9 dynamic 360 F F Po103
* 1 147e.b5d9.b281 dynamic 300 F F Po103
* 1 14fa.b5d8.466d dynamic 300 F F Po103
* 1 14fc.b5d8.45cb dynamic 270 F F Po103
* 1 14fe.a5d8.4601 dynamic 1380 F F Po103
* 1 14fe.a5d9.b1a9 dynamic 360 F F Po103
* 1 14fe.b4d9.b20c dynamic 330 F F Po103
* 1 14fe.b4d9.b281 dynamic 240 F F Po103
* 1 14fe.b558.4601 dynamic 270 F F Po103
* 1 14fe.b599.b1a9 dynamic 1380 F F Po103
* 1 14fe.b5d8.06e2 dynamic 240 F F Po103
* 1 14fe.b5d8.4201 dynamic 270 F F Po103
* 1 14fe.b5d8.446d dynamic 330 F F Po103
* 1 14fe.b5d8.45cb dynamic 300 F F Po103
......
N7K-2# show mac address-table count vlan 1
MAC Entries for all vlans :
Dynamic Address Count: 996
Static Address (User-defined) Count: 0
Secure Address Count: 0
N7K-2#
It seems all the MAC addresses come from port-channel 103, which connects to an N5K, but most of the MAC addresses couldn't be found on the N5K; in other words, the MAC address table was incorrect.
Cisco TAC told me it might be a VLAN hopping attack, but I didn't find any abnormal Ethernet frames in the tcpdump capture files taken from a SPAN session.
Can anybody help me?
Thanks
Dayong
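The two checks the post describes by hand (counting the table and spotting entries on a VLAN that should carry no hosts), plus the 802.1Q double-tag check implied by TAC's VLAN hopping suggestion, as an added example that is not part of the original thread and not Cisco code. It assumes the NX-OS `show mac address-table` line layout shown in the post; the sample table, the sample frames, the baseline count and the 1.5x growth threshold are constructed for the example.

```python
"""Added example (not from the thread): summarise an NX-OS MAC table, flag a
count surge and MACs learned on an unexpected VLAN, and check raw Ethernet
frames for 802.1Q double tagging. Sample data below is constructed."""
import re
from collections import Counter

# One data line of `show mac address-table`, e.g.
#   * 1  1003.73f1.e705  dynamic  300  F  F  Po103
# "+" marks an entry learned over the vPC peer-link; age may be "-" for static.
ENTRY_RE = re.compile(
    r"^[*+]?\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"\s+(?P<type>\w+)\s+(?P<age>\S+)\s+\S+\s+\S+\s+(?P<port>\S+)\s*$",
    re.IGNORECASE,
)

# Constructed sample in the post's format (not the poster's real table).
SAMPLE_TABLE = """\
Legend:
        * - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
   VLAN     MAC Address      Type      age     Secure NTFY    Ports/SWID.SSID.LID
---------+-----------------+--------+---------+------+----+------------------
* 1        1003.73f1.e705    dynamic   300       F    F  Po103
* 1        10fe.b5d9.b283    dynamic   1380      F    F  Po103
* 1        147e.b5d9.b1a9    dynamic   360       F    F  Po103
* 100      0050.56aa.0001    dynamic   30        F    F  Eth1/1
+ 100      0050.56aa.0002    dynamic   60        F    F  Po103
* 200      0050.56bb.0001    static    -         F    F  Eth1/2
"""


def parse_mac_table(text):
    """Return (vlan, mac, port) for every entry line; legend/header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((int(m["vlan"]), m["mac"].lower(), m["port"]))
    return entries


def summarize(entries):
    """Counts per VLAN and per (VLAN, port), the two views the post compares."""
    per_vlan = Counter(vlan for vlan, _, _ in entries)
    per_vlan_port = Counter((vlan, port) for vlan, _, port in entries)
    return per_vlan, per_vlan_port


def find_anomalies(entries, baseline_total, expected_host_vlans, growth=1.5):
    """Flag a total above growth x baseline (the 'doubled' symptom) and any
    MAC learned on a VLAN not in expected_host_vlans (the 'VLAN 1' symptom),
    naming the port it was learned on. Thresholds are an assumption."""
    findings = []
    total = len(entries)
    if baseline_total and total > growth * baseline_total:
        findings.append(f"total MAC count {total} exceeds {growth}x baseline {baseline_total}")
    _, per_vlan_port = summarize(entries)
    for (vlan, port), n in sorted(per_vlan_port.items()):
        if vlan not in expected_host_vlans:
            findings.append(f"{n} MAC(s) learned on VLAN {vlan} via {port}, where no hosts are expected")
    return findings


ETHERTYPE_8021Q = 0x8100
ETHERTYPE_8021AD = 0x88A8


def vlan_tags(frame):
    """VLAN IDs in the tag stack of a raw Ethernet frame, outermost first
    (empty for an untagged frame). Walks 802.1Q/802.1ad tags after the MACs."""
    tags = []
    offset = 12  # destination MAC (6) + source MAC (6)
    while len(frame) >= offset + 4:
        ethertype = int.from_bytes(frame[offset:offset + 2], "big")
        if ethertype not in (ETHERTYPE_8021Q, ETHERTYPE_8021AD):
            break
        tci = int.from_bytes(frame[offset + 2:offset + 4], "big")
        tags.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VID
        offset += 4
    return tags


def is_double_tagged(frame):
    """True when a frame carries two or more VLAN tags (classic VLAN hopping shape)."""
    return len(vlan_tags(frame)) >= 2


def build_frame(dst_hex, src_hex, vlan_ids, payload_ethertype=0x0800):
    """Construct a minimal Ethernet frame with the given 802.1Q tag stack (test data)."""
    hdr = bytes.fromhex(dst_hex) + bytes.fromhex(src_hex)
    for vid in vlan_ids:
        hdr += ETHERTYPE_8021Q.to_bytes(2, "big") + (vid & 0x0FFF).to_bytes(2, "big")
    return hdr + payload_ethertype.to_bytes(2, "big") + b"\x00" * 46


if __name__ == "__main__":
    ents = parse_mac_table(SAMPLE_TABLE)
    for f in find_anomalies(ents, baseline_total=3, expected_host_vlans={100, 200}):
        print("FINDING:", f)
    print("double-tagged:", is_double_tagged(build_frame("ffffffffffff", "0050560000aa", [1, 10])))
```

Run it against a saved `show mac address-table` and a baseline count from a quiet period; the per-(VLAN, port) breakdown is what narrows the problem to a single uplink such as Po103. For the capture side, feed `vlan_tags` the raw bytes of each frame from the SPAN pcap: a frame with two tags is the classic hopping pattern, but the absence of such frames does not rule out the native-VLAN variant, where the attacker's first tag is stripped on the trunk and the capture point sees only one.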
07-31-2012 03:43 AM
Hi,
which code are you running on your N7k?
regards,
Dirk