MAC address flapping

MAC address flapping occurs when a switch sees the same MAC address being used on multiple switch ports. This results in the MAC address entry in the MAC address table continually changing from port to port.

When this occurs, a syslog message similar to the following will appear:

Jun 1 14:09:00 MDT: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.5677.5e11 in vlan 200 is flapping between port Gi1/0/20 and port Gi1/0/17

MAC address flapping is an undesirable phenomenon that can occur due to any of the following:

  1. Two devices have the same MAC address due to an error by the manufacturer. This is extremely unlikely, but not unheard of.
  2. A MAC address table poisoning attack is taking place. An attacker can spoof MAC addresses to cause this behavior, in an attempt to flood the switch's memory and overwhelm both memory and CPU resources.
  3. A Layer 2 loop was created due to a malfunction or misconfiguration of Spanning Tree Protocol (STP).
  4. A wireless client roams from one access point to another. In this case you may see MAC address flapping syslog messages on the switches serving those access points. This is considered normal behavior and is not a cause for concern unless the frequency of the flapping is unusually high.
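
Because the cause has to be judged by how often a host flaps, the following added example (not part of the original page) parses MACFLAP_NOTIF messages and reports hosts that flap repeatedly within a short window. The 5-minute window, the threshold of 3, the assumed year and every sample line except the first are assumptions chosen for illustration; tune them to your own roaming baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the %SW_MATM-4-MACFLAP_NOTIF message format quoted above.
FLAP_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})(?: \w+)?: "
    r"%SW_MATM-4-MACFLAP_NOTIF: Host (?P<mac>[0-9a-fA-F.]+) in vlan (?P<vlan>\d+) "
    r"is flapping between port (?P<a>\S+) and port (?P<b>\S+)"
)

# Constructed sample: only the first line is the message from the page.
SAMPLE_LOG = """\
Jun 1 14:09:00 MDT: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.5677.5e11 in vlan 200 is flapping between port Gi1/0/20 and port Gi1/0/17
Jun 1 14:09:20 MDT: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.5677.5e11 in vlan 200 is flapping between port Gi1/0/17 and port Gi1/0/20
Jun 1 14:09:45 MDT: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.5677.5e11 in vlan 200 is flapping between port Gi1/0/20 and port Gi1/0/17
Jun 1 14:11:02 MDT: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/20, changed state to up
Jun 1 09:00:00 MDT: %SW_MATM-4-MACFLAP_NOTIF: Host aabb.cc00.0101 in vlan 30 is flapping between port Gi1/0/5 and port Gi1/0/6
Jun 1 09:40:00 MDT: %SW_MATM-4-MACFLAP_NOTIF: Host aabb.cc00.0101 in vlan 30 is flapping between port Gi1/0/6 and port Gi1/0/5
"""

def parse_flaps(lines, year=2000):
    """Yield (time, mac, vlan, ports) per flap message; the log has no year, so `year` is assumed."""
    for line in lines:
        m = FLAP_RE.match(line.strip())
        if m:
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield when, m["mac"].lower(), int(m["vlan"]), {m["a"], m["b"]}

def noisy_hosts(lines, window=timedelta(minutes=5), threshold=3):
    """Map (mac, vlan) to the ports involved once `threshold` flaps fit in one window."""
    events = defaultdict(list)
    for when, mac, vlan, ports in parse_flaps(lines):
        events[(mac, vlan)].append((when, ports))
    flagged = {}
    for key, evs in events.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[key] = sorted(set().union(*(p for _, p in evs[start:end + 1])))
                break
    return flagged

if __name__ == "__main__":
    for (mac, vlan), ports in noisy_hosts(SAMPLE_LOG.splitlines()).items():
        print(f"{mac} vlan {vlan}: repeated flapping across {', '.join(ports)}")
```

The host that flaps twice, 40 minutes apart, is left unflagged, which matches the roaming case in item 4; the host that flaps three times in under a minute is reported with both ports so they can be checked for a loop or a spoofing source.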

Links:

https://learningnetwork.cisco.com/s/question/0D53i00000Kt6w9CAB/mac-flapping