David Kondicz
Beginner

Prevention for MACFLAP?

Hi all,

I just need to know: is there any way to protect the network from MAC flapping?

The best way would be if the switch disabled the interface where the MAC flap was detected.

I need to set this security feature on 2960s.

Thanks a lot

BR

Dave

7 REPLIES
rsimoni
Cisco Employee

Hi Dave,

What you write is not realistic. When a given MAC address is flapping, it means that traffic coming from that host has changed path. If this is the case, likely many switches along the path have detected such a change. It does not make any sense for all switches to disable the ports that see such flapping. Moreover, which port is the right one to shut? The first that learned it or the second one? It could be that a port is the one connected to the upper layer (distribution or core); if a switch shuts that down, it basically gets isolated from the rest of the network.

Also, sometimes MAC flapping is expected when a dual-homed device sends frames with the same virtual MAC address from multiple interfaces (not recommended, but this can happen quite easily in any network).

So the best approach is a different one. MAC address flapping MAY be an indication of an L2 loop; it is much better to address it from the STP perspective, putting in place all the measures meant to stop or alleviate the effects of L2 loops. Basically those are the STP best practices, a series of features used for this purpose: root guard, loop guard, bridge assurance, UDLD (not specific to STP but useful for the purpose), etc.

Or move to a network without redundant L2 paths (referring to the various implementations of multi-chassis EtherChannel used by vPC and VSS, or newer features such as FabricPath).

Riccardo

Riccardo Simoni wrote:

Well said!

Very nice, thank you!

I need to know this because I see these messages when some end user directly connected to the access switch has a virus on the PC.

But thank you very much for the response!

BR

Dave

I need to know this because I see these messages when some end user directly connected to the access switch has a virus on the PC.

Virus on a PC causing MAC flapping? Can you please elaborate, as I have never heard of these types of attacks?

Riccardo

Leo Laohoo
VIP Community Legend

The only time I've seen MAC flapping is when EtherChannel is not configured properly or someone has plugged two server interfaces into two different logical/physical switches.

We see this when the server guys don't do their teaming correctly. They keep both interfaces active, which makes it flap like crazy.
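The replies above make two triage points: Riccardo's, that the port pair in a flap matters (if one side is the uplink, shutting it isolates the switch, and the real fix is STP hygiene), and Leo's, that flaps between two edge ports are usually a mis-teamed dual-homed host. The script below is an added example of that triage applied to syslog, not code from this thread or from Cisco. It assumes the standard %SW_MATM-4-MACFLAP_NOTIF message wording (verify it against your own switch), a hypothetical uplink set for the access switch, and constructed log lines; none of these come from the original posts.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the thread). The message text follows
# the %SW_MATM-4-MACFLAP_NOTIF wording Catalyst switches log; check the exact
# wording on your own switch before trusting the regex below.
SAMPLE_LOG = """\
Mar  1 10:00:01 sw-access-01 1234: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.56aa.0001 in vlan 10 is flapping between port Gi1/0/5 and port Gi1/0/6
Mar  1 10:00:03 sw-access-01 1235: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.56aa.0001 in vlan 10 is flapping between port Gi1/0/6 and port Gi1/0/5
Mar  1 10:00:04 sw-access-01 1236: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.56aa.0001 in vlan 10 is flapping between port Gi1/0/5 and port Gi1/0/6
Mar  1 10:00:09 sw-access-01 1237: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.0c9f.f00a in vlan 20 is flapping between port Gi1/0/48 and port Gi1/0/12
Mar  1 10:00:10 sw-access-01 1238: %SYS-5-CONFIG_I: Configured from console by admin on vty0
Mar  1 10:00:12 sw-access-01 1239: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.0c9f.f00a in vlan 20 is flapping between port Gi1/0/12 and port Gi1/0/48
"""

FLAP_RE = re.compile(
    r"%SW_MATM-4-MACFLAP_NOTIF: Host (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"in vlan (?P<vlan>\d+) is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)"
)

# Hypothetical: the ports on this access switch that face distribution/core.
# Shutting one of these is exactly the self-isolation Riccardo warns about.
UPLINKS = frozenset({"Gi1/0/48"})

VERDICTS = {
    "uplink-involved": "topology change or L2 loop: review STP (root guard, loop guard, "
                       "UDLD) and the redundant path; do not err-disable the uplink",
    "access-only": "two edge ports: dual-homed host with broken NIC teaming, or a "
                   "duplicated/spoofed MAC; check both attached hosts",
}


def parse_flaps(text):
    """Return (mac, vlan, port_pair) for every MACFLAP line; other syslog lines are skipped.

    The port pair is sorted so that 5<->6 and 6<->5 count as the same pair, which is
    what the switch logs as the MAC keeps moving back and forth.
    """
    events = []
    for line in text.splitlines():
        m = FLAP_RE.search(line)
        if m:
            ports = tuple(sorted((m.group("p1"), m.group("p2"))))
            events.append((m.group("mac"), int(m.group("vlan")), ports))
    return events


def classify(events, uplinks=UPLINKS, threshold=2):
    """Count repeats per (mac, vlan, port pair) and classify each pair by where it sits."""
    summary = {}
    for (mac, vlan, ports), n in Counter(events).items():
        verdict = "uplink-involved" if uplinks.intersection(ports) else "access-only"
        summary[(mac, vlan, ports)] = {
            "count": n,
            "verdict": verdict,
            # a single flap can be a legitimate move; repeats are what need a look
            "persistent": n >= threshold,
        }
    return summary


def report(summary):
    """One line per flapping MAC, noisiest first, with the suggested next check."""
    lines = []
    ordered = sorted(summary.items(), key=lambda kv: -kv[1]["count"])
    for (mac, vlan, ports), info in ordered:
        lines.append(
            f"{mac} vlan {vlan} {ports[0]}<->{ports[1]} x{info['count']} "
            f"[{info['verdict']}] {VERDICTS[info['verdict']]}"
        )
    return lines


if __name__ == "__main__":
    for line in report(classify(parse_flaps(SAMPLE_LOG))):
        print(line)
```

Run against a real syslog export (or a `show logging` capture) with UPLINKS set to the switch's actual trunk ports. The output does not shut anything; it only tells you which of the two root causes discussed in this thread to chase for each MAC, and the uplink check is the reason an automatic err-disable on MACFLAP would be dangerous.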

Leo Laohoo
VIP Community Legend

We see this when the server guys don't do their teaming correctly.

And when this happens, what is the first thing the server guys say? 

"It's a network issue."