Nexus 7018: VLAN Hopping OR N7K Issue ?!

Hello everybody,

This is a very strange issue. One data center of my company has a pair of Nexus 7018s with vPC enabled.

And there are more than 9k MAC addresses in each chassis.

N7K-2# show mac address-table count
MAC Entries for all vlans :
Dynamic Address Count:                 9927
Static Address (User-defined) Count:      0
Secure Address Count:                     0
N7K-2#

One day, I found the MAC address count had increased to about double the normal size, and the new MAC addresses disappeared after a few hours.

N7K-2# show mac address-table count
MAC Entries for all vlans :
Dynamic Address Count:                16389
Static Address (User-defined) Count:      0
Secure Address Count:                     0
N7K-2#

And a lot of MAC addresses were added to VLAN 1 while this was happening.

But we didn't put any server in VLAN 1!

INT_YF_N7K-2# show mac address-table
Legend:
        * - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
        age - seconds since last seen,+ - primary entry using vPC Peer-Link
   VLAN     MAC Address      Type      age     Secure NTFY Ports/SWID.SSID.LID
---------+-----------------+--------+---------+------+----+------------------
......
* 1        1003.73f1.e705    dynamic   300        F    F  Po103
* 1        10fe.b5d9.b283    dynamic   1380       F    F  Po103
* 1        147e.b5d9.b1a9    dynamic   360        F    F  Po103
* 1        147e.b5d9.b281    dynamic   300        F    F  Po103
* 1        14fa.b5d8.466d    dynamic   300        F    F  Po103
* 1        14fc.b5d8.45cb    dynamic   270        F    F  Po103
* 1        14fe.a5d8.4601    dynamic   1380       F    F  Po103
* 1        14fe.a5d9.b1a9    dynamic   360        F    F  Po103
* 1        14fe.b4d9.b20c    dynamic   330        F    F  Po103
* 1        14fe.b4d9.b281    dynamic   240        F    F  Po103
* 1        14fe.b558.4601    dynamic   270        F    F  Po103
* 1        14fe.b599.b1a9    dynamic   1380       F    F  Po103
* 1        14fe.b5d8.06e2    dynamic   240        F    F  Po103
* 1        14fe.b5d8.4201    dynamic   270        F    F  Po103
* 1        14fe.b5d8.446d    dynamic   330        F    F  Po103
* 1        14fe.b5d8.45cb    dynamic   300        F    F  Po103
......

N7K-2# show mac address-table count vlan 1
MAC Entries for all vlans :
Dynamic Address Count:                  996
Static Address (User-defined) Count:      0
Secure Address Count:                     0
N7K-2#

It seems all the MAC addresses come from port-channel 103, which connects to an N5K, but most of them couldn't be found on the N5K; in other words, the MAC address table was incorrect.

Cisco TAC told me it might be a VLAN hopping attack, but I didn't find any abnormal Ethernet frames in the tcpdump capture files taken from a SPAN session.

Can anybody help me?

Thanks

Dayong
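The post quotes NX-OS "show mac address-table" output but checks it by eye. The script below is an added example, not part of the original post and not Cisco's own tooling: it parses that exact output format, counts dynamic entries per VLAN and per (VLAN, port) pair, compares the counts with an operator-supplied baseline, reports any entries in VLANs that are supposed to carry no hosts (VLAN 1 here), and flags pairs of addresses that share the NIC-specific 24 bits while their OUIs differ by only a bit or two, a pattern several of the quoted rows show. The baseline values, the host-free VLAN set and the sample rows are constructed assumptions for the example.

```python
"""Parse NX-OS 'show mac address-table' output and flag MAC-table anomalies.

Added example, not from the original post and not Cisco code. It reads the
table format quoted in the post, counts dynamic entries per VLAN and per
(VLAN, port), compares them with an operator-supplied baseline, reports
VLANs that should carry no hosts, and looks for addresses that share the
NIC-specific 24 bits but differ in a bit or two of the OUI. The baseline,
the host-free VLAN set and the sample rows are assumptions for the example.
"""
import re
from collections import Counter, defaultdict
from itertools import combinations

# One data row of the NX-OS table, e.g.
# "* 1        14fe.b5d8.45cb    dynamic   300        F    F  Po103"
# (leading "*" = primary entry, "+" = entry learned over the vPC peer-link)
ROW_RE = re.compile(
    r"^[*+]?\s*(?P<vlan>\d+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<type>\w+)\s+(?P<age>\S+)\s+(?P<secure>[FT])\s+(?P<ntfy>[FT])\s+"
    r"(?P<port>\S+)",
    re.IGNORECASE,
)

# Constructed sample in the post's format: five rows in VLAN 1 on Po103 and
# two rows in a VLAN that is expected to carry hosts.
SAMPLE_OUTPUT = """\
Legend:
        * - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
        age - seconds since last seen,+ - primary entry using vPC Peer-Link
   VLAN     MAC Address      Type      age     Secure NTFY Ports/SWID.SSID.LID
---------+-----------------+--------+---------+------+----+------------------
* 1        1003.73f1.e705    dynamic   300        F    F  Po103
* 1        14fe.b5d8.45cb    dynamic   300        F    F  Po103
* 1        14fc.b5d8.45cb    dynamic   270        F    F  Po103
* 1        14fe.b5d8.4601    dynamic   1380       F    F  Po103
* 1        14fe.a5d8.4601    dynamic   1380       F    F  Po103
* 100      0050.56a1.0001    dynamic   30         F    F  Po105
* 100      0050.56a1.0002    dynamic   45         F    F  Po105
"""


def parse_mac_table(text):
    """Return one dict per data row; legend, header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def count_by_vlan(rows, entry_type="dynamic"):
    """Number of entries of the given type per VLAN."""
    return Counter(r["vlan"] for r in rows if r["type"].lower() == entry_type)


def count_by_vlan_port(rows):
    """Number of entries per (VLAN, port) pair; shows where a flood is learned from."""
    return Counter((r["vlan"], r["port"]) for r in rows)


def mac_to_int(mac):
    """Convert dotted NX-OS notation (xxxx.xxxx.xxxx) to a 48-bit integer."""
    return int(mac.replace(".", ""), 16)


def suffix_collisions(macs, max_oui_bits=2):
    """Pairs that share the low 24 bits but whose OUIs differ by only a few bits.

    Real address assignment rarely reuses one device-specific suffix under
    OUIs that are a bit or two apart, so such pairs deserve a look before
    every entry is counted as a genuine host.
    """
    by_suffix = defaultdict(list)
    for mac in macs:
        by_suffix[mac_to_int(mac) & 0xFFFFFF].append(mac)
    pairs = []
    for group in by_suffix.values():
        for a, b in combinations(group, 2):
            oui_a, oui_b = mac_to_int(a) >> 24, mac_to_int(b) >> 24
            if oui_a != oui_b and bin(oui_a ^ oui_b).count("1") <= max_oui_bits:
                pairs.append((a, b))
    return pairs


def analyze(text, baseline_by_vlan, host_free_vlans=frozenset({"1"}), spike_factor=1.5):
    """Parse the output and return counts plus a list of human-readable findings."""
    rows = parse_mac_table(text)
    per_vlan = count_by_vlan(rows)
    findings = []
    for vlan in sorted(per_vlan, key=int):
        n = per_vlan[vlan]
        if vlan in host_free_vlans:
            findings.append(f"vlan {vlan}: {n} dynamic entries in a VLAN that should carry no hosts")
        base = baseline_by_vlan.get(vlan, 0)
        if base and n > base * spike_factor:
            findings.append(f"vlan {vlan}: {n} entries against a baseline of {base}")
    for a, b in suffix_collisions([r["mac"] for r in rows]):
        findings.append(f"near-duplicate addresses {a} and {b}")
    return {
        "per_vlan": dict(per_vlan),
        "per_vlan_port": dict(count_by_vlan_port(rows)),
        "findings": findings,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_OUTPUT, baseline_by_vlan={"1": 0, "100": 10})
    for finding in result["findings"]:
        print(finding)
```

On the constructed sample this reports the five VLAN 1 entries and two near-duplicate pairs (14fe.b5d8.45cb/14fc.b5d8.45cb and 14fe.b5d8.4601/14fe.a5d8.4601). Treat the near-duplicate check as a signal to investigate, not a verdict: sequentially assigned addresses such as the two VMware-style entries in VLAN 100 differ in the suffix, not the OUI, and are deliberately not flagged, but the only reliable confirmation is the one the poster already did, checking whether the same addresses exist on the device behind the port-channel.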

1 REPLY

Hi,

Which code are you running on your N7k?

regards,

Dirk

regards, Dirk (Please rate if helpful)