![use mac address flooding attack cisco use mac address flooding attack cisco](https://i.ytimg.com/vi/2YCn8PdoBzI/maxresdefault.jpg)
![use mac address flooding attack cisco use mac address flooding attack cisco](https://hot-town-images.s3.us-east-1.amazonaws.com/kwtv/production/2015/June/18/odot-monitoring-flooding-highway-closures.1434627156000.jpeg)
![use mac address flooding attack cisco use mac address flooding attack cisco](https://www.cisco.com/c/dam/en/us/support/docs/smb/routers/cisco-rv-series-small-business-routers/images/4888-1-v0.png)
It's hard to find where the offenders are (suppose you find two or "Since you're getting a large number of MAC flaps between switchports, Will give mac-address-table notification a go, and see if we can find any patterns.We do not use switchport nonnegotiate at the moment on access port, but we are not getting any Vlan hopping attack bouncing across multitple Vlans.We have used spanning-tree portfast with in conjunction with spanning-tree bpduguard by default on all access ports (desktop machines).Common reason is we constantly move computers around (college environment). Port security has been looked into, unfortunately management has decided not to use this for various reasons.I completely agree with not being 100% sure finding all redundant links and unknown switches on the network, but as best of our finding, this this is the case until we find further evidence.Using Arpwatch is definitely something we can try but i suspect because several access port is registering mac address even though it doesn't belong to this port, the conclusion of arpwatch may not be useful.I personally also agree with majority, whereby the broadcast domain is far too big. However, we do intend to split this up in the future but unfortunately this issue occured before we could do this. We are now at a stage, where we will require huge amount of downtime to isolate each area at a time unless anyone else has some ideas to identify the source or root cause of this weird and bizarre issue. IPv4 policy based routing aces: 452/452 12/12 IPv4 unicast indirectly-connected routes: 2048/2048 77/77 IPv4 IGMP groups + multicast routes: 1120/1120 1/1 Ran show mac address-table on different switches and core itself (on the core, for example, plugged by desktop directly, my desktop ), and we can see the several different MAC hardware address being registered to the interface, even though that interface has only one computer attached to this:.sh mac address-table count, shows us approx 750 different mac addresses as expected on vlan 1.ĬPU utilization for five seconds: 99%/12% one minute: 99% five minutes: 99%.Have ran different AV/ malware/ spyware, but no viruses visible on the network.For test purpose, we put approx 80 desktop machines different vlan, however we tested this and made no visible difference to high cpu or arp input.Wiresharks shows that 100s of computers are flooding the network with ARP Broadcast.Huge number of ARP packets, rapidly increasing and visible.We verified the STP was functioning correctly on the edge switches. We used show interfaces | inc line|broadcast to figure out where the large number of broadcast coming from, however both Cisco TAC and 2 other engineers(CCNP & CCIE) confirmed this is normal behaviour due to what is happening on the network (as in large number of mac flaps causing the larger broadcast).Cannot use dynamic arp inspection on edge switches because these are 2950.No new switches been added (at least none we know of).We have the default ARP timeout on majority of the switches.Configuration on the core has been verified Cisco TAC.Spanning tree has been verified by Cisco TAC & CCNP/CCIE qualified individuals.Wifi, management, printers etc are all on different VLAN.Cisco TAC said they don't see anything wrong with using /20, other then we'd have a large broadcast domain but should still function.We see large broadcast packets from VLAN 1, VLAN 1 used for desktop devices.Cisco TAC confirms no known issues for high cpu or ARP bugs for this particular version. We use 3750x switches, 4 in one stack.We have stripped the network down to a single link no redundancy setup, think of it as a star topology. The original issue has been posted on INE Online Community Currently we have Cisco TAC looking at the case but they are struggling to find the root cause.Īlthough the title mentions ARP broadcast and high CPU usage, we are unsure if they are related or unrelated at this stage.
![use mac address flooding attack cisco use mac address flooding attack cisco](https://linuxhint.com/wp-content/uploads/2021/07/image1-38.png)
Hoping someone here might have some insight to the issue we are facing.