[c-nsp] %SW_MATM-4-MACFLAP_NOTIF

Allan Eising allan.eising at gmail.com
Thu Oct 16 07:27:39 EDT 2008


I've seen this trap a few times, and it can mean a lot of things
depending on the service being provided over the vlan.
In my experience, it can happen in large layer-2 service provider
networks, where a vlan will carry a customer point-to-point link, and
two links are bundled outside of your layer-2 network.

If you are providing layer-2 circuits through these vlans, it would
indicate that your vlans 402 and 403 are bundled by the end user and
load-sharing is performed between the two links. If spanning-tree
takes these two vlans through different paths, it could confuse the
CAM table, and make it see that mac address coming from two different
ports thus giving you an error like this. This mostly happens in
larger layer-2 service provider networks.

Does this make sense to you?

Allan

On Thu, Oct 16, 2008 at 12:56 PM, Church, Charles <cchurc05 at harris.com> wrote:
> Sounds like an attempt at a man in the middle attack, where an infected
> host attempts to act as the gateway to see all the network traffic,
> analyze it, then forward it to the real gateway.  Definitely not a good
> thing.
>
> Chuck
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Wyatt Mattias
> Gyllenvarg
> Sent: Thursday, October 16, 2008 6:27 AM
> To: Ozgur Guler; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] %SW_MATM-4-MACFLAP_NOTIF
>
>
> Hi all
>
> We have seen 3 instances of this in the last few days where a host (probably
> infected with a virus) has been broadcasting the MAC of the local GW.
>
> Effectively switching all outbound traffic to his port.
>
> Fix has been to shut down the offending port.
>
> So far this has only affected older setups.
>
> //Mattias Gyllenvarg
>
>
>
> 2008/10/16 Ozgur Guler <gulerozgur at yahoo.co.uk>:
>>
>> "no mac address-table notification mac-move" might help.
>>
>>
>>
>> --- On Thu, 16/10/08, Jimmy Halim <jimmy at pacnet.net> wrote:
>> From: Jimmy Halim <jimmy at pacnet.net>
>> Subject: [c-nsp] %SW_MATM-4-MACFLAP_NOTIF
>> To: cisco-nsp at puck.nether.net
>> Date: Thursday, 16 October, 2008, 7:51 AM
>>
>> Hi guys,
>>
>> Recently I am getting the following log messages every 2 mins on the
>> 3750 switch.
>>
>> Oct 16 06:45:50 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 0017.cbb3.08fc in vlan 403 is flapping between port Fa1/0/3 and port Gi1/0/1
>> Oct 16 06:45:50 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 0017.cbb3.08fc in vlan 402 is flapping between port Fa1/0/2 and port Gi1/0/1
>> Oct 16 06:46:43 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 0017.cbb3.08fc in vlan 402 is flapping between port Fa1/0/2 and port Gi1/0/1
>>
>> This is non-service-impacting so far. However, I would like to know
>> whether we can disable this logging or not. Does anyone have any suggestions?
>>
>> Many Thanks,
>> Jimmy
>>
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>

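As an added example (not code from any poster in this thread), a small Python script that parses MACFLAP_NOTIF lines like Jimmy's and sorts each flapping MAC into the two explanations the thread offers: a gateway MAC being learned on an access port (the infected-host case Chuck and Mattias describe) versus one MAC flapping in several vlans toward the same uplink (the bundled-customer-link case Allan describes). The uplink port set, the gateway MAC list and the fourth log line are constructed assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample: the three lines from Jimmy's post plus a fourth line added
# here, in which a constructed HSRP-style gateway MAC flaps toward an access port.
SAMPLE_LOG = """\
Oct 16 06:45:50 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 0017.cbb3.08fc in vlan 403 is flapping between port Fa1/0/3 and port Gi1/0/1
Oct 16 06:45:50 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 0017.cbb3.08fc in vlan 402 is flapping between port Fa1/0/2 and port Gi1/0/1
Oct 16 06:46:43 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 0017.cbb3.08fc in vlan 402 is flapping between port Fa1/0/2 and port Gi1/0/1
Oct 16 06:47:01 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.0c07.ac01 in vlan 10 is flapping between port Fa1/0/7 and port Gi1/0/1
"""

# Assumption for this example: Gi1/0/1 is the trunk toward the core; everything else is an access port.
UPLINK_PORTS = {"Gi1/0/1"}

FLAP_RE = re.compile(
    r"%SW_MATM-4-MACFLAP_NOTIF: Host (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"in vlan (?P<vlan>\d+) is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)"
)


def parse_flaps(log_text):
    """Return (mac, vlan, port1, port2) for every MACFLAP_NOTIF line; other lines are ignored."""
    flaps = []
    for line in log_text.splitlines():
        m = FLAP_RE.search(line)
        if m:
            flaps.append((m["mac"], int(m["vlan"]), m["p1"], m["p2"]))
    return flaps


def classify_flaps(flaps, gateway_macs):
    """Map each flapping MAC to one of three labels matching the explanations in the thread."""
    by_mac = defaultdict(lambda: {"vlans": set(), "access_ports": set()})
    for mac, vlan, p1, p2 in flaps:
        by_mac[mac]["vlans"].add(vlan)
        by_mac[mac]["access_ports"].update(p for p in (p1, p2) if p not in UPLINK_PORTS)
    verdicts = {}
    for mac, info in by_mac.items():
        if mac in gateway_macs and info["access_ports"]:
            # Gateway MAC learned on a non-uplink port: a host claiming to be the GW.
            verdicts[mac] = "possible-gateway-impersonation"
        elif len(info["vlans"]) > 1:
            # Same MAC in several vlans toward the uplink: bundled customer links or an L2 loop.
            verdicts[mac] = "multi-vlan-bundle-or-loop"
        else:
            verdicts[mac] = "single-vlan-flap"
    return verdicts


if __name__ == "__main__":
    for mac, verdict in classify_flaps(parse_flaps(SAMPLE_LOG), {"0000.0c07.ac01"}).items():
        print(mac, verdict)
```

In practice the gateway MAC set would come from the switch's own `show mac address-table` output for the uplink, so the script flags only MACs that should never appear on a customer-facing port.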
