Prevention for MACFLAP?

David Kondicz
Level 1

Hi all,

I just need to know: is there any way to protect the network from MAC flapping?

The best way would be for the switch to disable the interface where the MAC flap was detected.

I need to set this security feature on 2960s.

Thanks a lot

BR

Dave

9 Replies

rsimoni
Cisco Employee

Hi Dave,

What you write is not realistic. When a given MAC address is flapping it means that traffic coming from that host has changed path. If this is the case, likely many switches along the path have detected such a change. It does not make any sense for all switches to disable the ports that see such flapping. Moreover, which port is the right one to shut? The first that learned it or the second one? It could be that a port is the one connected to the upper layer (distribution or core); if a switch shuts that down it basically gets isolated from the rest of the network.

Also, sometimes MAC flapping is expected when a dual-homed device sends frames with the same virtual MAC address from multiple interfaces (not recommended, but this can happen quite easily in every network).

So the best approach is another. A MAC address flapping MAY be the indication of an L2 loop; it is much better to address it from the STP perspective, putting in place all the measures meant to stop or alleviate the effect of L2 loops. Basically those are the STP best practices, a series of features used for this purpose: root guard, loop guard, bridge assurance, UDLD (not specific to STP but useful for the purpose), etc.

Or move to a network without L2 redundant paths (referring to the various implementations of multi-chassis EtherChannel used by vPC and VSS, or newer features such as FabricPath).

Riccardo
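To make Riccardo's point concrete (which of the two ports would you even shut, and what if one of them is the uplink?), here is an added example that is not from any poster in this thread: a small script that triages the MAC-flap syslog messages a switch logs instead of acting on them automatically. It separates the three situations the thread discusses: a MAC seen both on an access port and on the uplink, many MACs flapping across the same pair of ports (the loop signature Riccardo says to fix with STP measures), and a single MAC flapping between two access ports (the mis-teamed or cloned-MAC host the later replies describe). The regex assumes the IOS message wording `%SW_MATM-4-MACFLAP_NOTIF: Host <mac> in vlan <n> is flapping between port <a> and port <b>`; the log lines, the port names and the `UPLINKS` set are constructed for the example and must be replaced with your own.

```python
import re
from collections import Counter, defaultdict

# Assumed IOS syslog wording for the MAC-flap message; verify against your own switch's output.
FLAP_RE = re.compile(
    r"%SW_MATM-4-MACFLAP_NOTIF: Host (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"in vlan (?P<vlan>\d+) is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)",
    re.IGNORECASE,
)

# Constructed sample log (not a real capture). Three situations:
#  - vlan 10: one MAC seen on an access port and on the uplink (duplicate MAC elsewhere, or host moved)
#  - vlan 20: many MACs flapping across the same two access ports (looks like an L2 loop)
#  - vlan 30: one MAC flapping between two access ports (dual-homed host with both NICs active, or cloned MAC)
SAMPLE_LOG = """\
Mar  1 10:00:01.123: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 10 is flapping between port Gi1/0/5 and port Gi1/0/48
Mar  1 10:00:03.456: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 10 is flapping between port Gi1/0/48 and port Gi1/0/5
Mar  1 10:00:05.789: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 10 is flapping between port Gi1/0/5 and port Gi1/0/48
Mar  1 10:01:00.000: %SW_MATM-4-MACFLAP_NOTIF: Host 00aa.bbcc.dd01 in vlan 20 is flapping between port Gi1/0/10 and port Gi1/0/11
Mar  1 10:01:00.100: %SW_MATM-4-MACFLAP_NOTIF: Host 00aa.bbcc.dd02 in vlan 20 is flapping between port Gi1/0/10 and port Gi1/0/11
Mar  1 10:01:00.200: %SW_MATM-4-MACFLAP_NOTIF: Host 00aa.bbcc.dd03 in vlan 20 is flapping between port Gi1/0/10 and port Gi1/0/11
Mar  1 10:02:00.000: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.56aa.0001 in vlan 30 is flapping between port Gi1/0/20 and port Gi1/0/21
Mar  1 10:02:30.000: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.56aa.0001 in vlan 30 is flapping between port Gi1/0/21 and port Gi1/0/20
Mar  1 10:03:00.000: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/7, changed state to down
"""

# Ports on this switch that lead towards distribution/core (assumed; fill in from your topology).
UPLINKS = {"Gi1/0/48"}


def parse_flaps(text):
    """Yield (mac, vlan, frozenset of the two ports) for every MACFLAP_NOTIF line; skip the rest."""
    for line in text.splitlines():
        m = FLAP_RE.search(line)
        if m:
            yield m["mac"].lower(), int(m["vlan"]), frozenset((m["p1"], m["p2"]))


def triage(text, uplinks=UPLINKS):
    """Classify each flapping (mac, vlan) rather than shutting a port automatically."""
    count = Counter()                 # (mac, vlan) -> number of flap messages
    ports_of = defaultdict(set)       # (mac, vlan) -> every port it was seen flapping on
    macs_on_pair = defaultdict(set)   # port pair -> distinct MACs flapping across that pair
    for mac, vlan, pair in parse_flaps(text):
        count[(mac, vlan)] += 1
        ports_of[(mac, vlan)] |= pair
        macs_on_pair[pair].add(mac)

    findings = {}
    for key, n in count.items():
        ports = ports_of[key]
        if ports & uplinks:
            # Shutting the uplink would isolate the switch; a person has to look upstream
            # for a duplicate MAC or a host that genuinely moved.
            verdict = "investigate-uplink"
        elif any(len(macs_on_pair[p]) > 1 for p in macs_on_pair if p <= ports):
            # Many unrelated MACs flapping across the same two ports is the loop signature;
            # the fix is STP hygiene (root guard, loop guard, UDLD, ...), not a port shutdown.
            verdict = "suspect-loop"
        else:
            # Exactly one MAC flapping between two access ports: a dual-homed server with
            # both NICs active, or two hosts configured with the same (cloned) MAC address.
            verdict = "suspect-teaming-or-duplicate-mac"
        findings[key] = {"count": n, "ports": sorted(ports), "verdict": verdict}
    return findings


if __name__ == "__main__":
    for (mac, vlan), f in sorted(triage(SAMPLE_LOG).items()):
        print(f"{mac} vlan {vlan}: {f['count']}x across {f['ports']} -> {f['verdict']}")
```

Feed it the output of `show logging` (or the syslog collector's file) instead of `SAMPLE_LOG`. The point of the verdicts is that only the third case is something an access-port action (port security, or an err-disable on that one access port) could reasonably address; the other two are exactly the cases Riccardo warns about, where shutting whichever port happened to log the flap would either isolate the switch or leave the loop in place.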


Well said!

Very nice, thank you!

I need to know this, because I see these messages when some end user directly connected to the access switch has a virus on the PC.

but thank you very much for response!

BR

Dave

I need to know this, because I see these messages when some end user directly connected to the access switch has a virus on the PC.

Virus on PC causing MAC flapping? Can you please elaborate, as I have never heard of these types of attacks?

Riccardo

Leo Laohoo
Hall of Fame

The only time I've seen MAC flapping is when Etherchannel is not configured properly or someone's plugged two server interfaces into two different logical/physical switches.

We see this when the server guys don't do their teaming correctly. They keep both interfaces active, which makes it flap like crazy.

We see this when the server guys don't do their teaming correctly.

And when this happens, what is the first thing the server guys say? 

"It's a network issue." 

I can also tell you that if you have two devices connected to the same VLAN they could have the same MAC address; this is why you should never clone MAC addresses. Your devices could end up with the same address. That was my problem! Easy fix, but it was my mistake.

LOL..... totally agree with this

Infrastructure engineers are notorious for blaming everything on networks, usually after they have rolled out a patch or upgraded their servers, which has for some reason messed up the teaming/LB method and caused unnecessary interface flaps... result: "NETWORK ISSUE".



Kind Regards
Paul