[c-nsp] %SW_MATM-4-MACFLAP_NOTIF

Church, Charles cchurc05 at harris.com
Thu Oct 16 06:56:23 EDT 2008


Sounds like an attempt at a man in the middle attack, where an infected
host attempts to act as the gateway to see all the network traffic,
analyze it, then forward it to the real gateway.  Definitely not a good
thing. 

Chuck 

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Wyatt Mattias
Gyllenvarg
Sent: Thursday, October 16, 2008 6:27 AM
To: Ozgur Guler; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] %SW_MATM-4-MACFLAP_NOTIF


Hi all

We have seen 3 instances of this the last days where a host (probably
infected with a virus) has been broadcasting the mac of the local GW.

Effectively switching all outbound traffic to his port.

Fix has been to shut down the offending port.

So far this has only affected older setups.

//Mattias Gyllenvarg



2008/10/16 Ozgur Guler <gulerozgur at yahoo.co.uk>:
>
> "no mac address-table notification mac-move" might help.
>
>
>
> --- On Thu, 16/10/08, Jimmy Halim <jimmy at pacnet.net> wrote:
> From: Jimmy Halim <jimmy at pacnet.net>
> Subject: [c-nsp] %SW_MATM-4-MACFLAP_NOTIF
> To: cisco-nsp at puck.nether.net
> Date: Thursday, 16 October, 2008, 7:51 AM
>
> Hi guys,
>
> Recently I am getting the following log messages every 2 mins on the 3750
> switch.
>
> Oct 16 06:45:50 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 0017.cbb3.08fc in vlan 403 is flapping between port Fa1/0/3 and port Gi1/0/1
> Oct 16 06:45:50 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 0017.cbb3.08fc in vlan 402 is flapping between port Fa1/0/2 and port Gi1/0/1
> Oct 16 06:46:43 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 0017.cbb3.08fc in vlan 402 is flapping between port Fa1/0/2 and port Gi1/0/1
>
> This is non service impacting so far. However, I would like to know whether
> we can disable this logging or not. Does anyone have any suggestions?
>
> Many Thanks,
> Jimmy
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
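A triage sketch for the log lines quoted in this thread, added here as an example and not part of any poster's message: it groups MACFLAP_NOTIF events by MAC and reports which port appears in every event and which ports vary. The function name and report fields are assumptions of this example; the sample lines are the ones from the original post.

```python
import re
from collections import defaultdict

# Log lines as quoted in the thread (Catalyst 3750).
SAMPLE_LOG = """\
Oct 16 06:45:50 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 0017.cbb3.08fc in vlan 403 is flapping between port Fa1/0/3 and port Gi1/0/1
Oct 16 06:45:50 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 0017.cbb3.08fc in vlan 402 is flapping between port Fa1/0/2 and port Gi1/0/1
Oct 16 06:46:43 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 0017.cbb3.08fc in vlan 402 is flapping between port Fa1/0/2 and port Gi1/0/1
"""

FLAP_RE = re.compile(
    r"%SW_MATM-4-MACFLAP_NOTIF: Host (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r" in vlan (?P<vlan>\d+) is flapping between port (?P<a>\S+) and port (?P<b>\S+)",
    re.IGNORECASE,
)

def summarize_flaps(text):
    """Return {mac: summary} for every MACFLAP_NOTIF event found in text."""
    text = re.sub(r"(?m)^\s*>\s?", "", text)  # drop mail quote markers
    flat = re.sub(r"\s+", " ", text)          # undo hard-wrapped log lines
    events = defaultdict(list)
    for m in FLAP_RE.finditer(flat):
        ports = frozenset((m["a"], m["b"]))
        events[m["mac"].lower()].append((int(m["vlan"]), ports))
    report = {}
    for mac, evs in events.items():
        shared = frozenset.intersection(*(p for _, p in evs))
        seen = frozenset.union(*(p for _, p in evs))
        report[mac] = {
            "events": len(evs),
            "vlans": sorted({v for v, _ in evs}),
            "shared_ports": sorted(shared),       # present in every event
            "other_ports": sorted(seen - shared), # vary from event to event
        }
    return report

if __name__ == "__main__":
    for mac, info in summarize_flaps(SAMPLE_LOG).items():
        print(mac, info)
```

The log alone does not say which port holds the legitimate owner of the MAC; compare the result against the known gateway MAC and its expected port before shutting anything down.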