How to Fix MAC Flapping


What is MAC Flapping

MAC flapping occurs when a network switch receives packets from the same MAC address on different ports. This triggers the switch to constantly update its MAC address table, as it cannot determine which port the device is actually connected to. The consequence is network instability, including intermittent connectivity, high CPU usage on switches, broadcast storms, or even full-blown outages.

Imagine a situation where a person keeps showing up at two different doorsteps every few seconds. You’d be confused about where they actually live. The switch experiences a similar confusion about where the MAC address really belongs.

Common Causes of MAC Flapping

1. Layer 2 loops due to lack of Spanning Tree Protocol (STP):

When physical loops exist in the network and STP is disabled or misconfigured, broadcast and unknown unicast traffic can endlessly circulate through the loop. As these packets traverse different switch ports, the MAC address table keeps getting updated with conflicting port information, resulting in flapping.

2. Incorrect link aggregation or dual-homing configurations:

Devices such as servers with dual network interfaces connected to two different switches may cause MAC flapping if link aggregation protocols like LACP are not properly configured. The switch sees the same MAC address from two different directions.

3. Improperly connected switches without link aggregation:

When multiple physical connections are made between switches without configuring link aggregation, the same MAC address can appear on multiple interfaces, leading to constant learning and re-learning of the address.

4. Virtual machine migration in virtualized environments:

When a virtual machine migrates between hypervisors or hosts, its MAC address may briefly appear on two different switch ports. If the switch is not updated quickly enough, MAC flapping can occur. This is especially common in environments using VMware vMotion or similar technologies.

5. Malicious activity or misconfigured devices:

Network attacks such as MAC flooding or ARP spoofing can be used to deliberately cause MAC flapping and disrupt the network. Similarly, a faulty network card or misconfigured device can inadvertently send frames with inconsistent source MAC addresses.

How to Detect MAC Flapping

Network devices usually generate logs or alerts when MAC flapping is detected. On Cisco devices, the following commands can be used:

show mac address-table | include <MAC>
show logging | include MACFLAP_NOTIF

Network monitoring tools can also provide real-time alerts for MAC movement across interfaces.
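
As an added example, not part of the original article, the following Python script parses MACFLAP_NOTIF syslog lines and groups the flaps by VLAN and port pair, so that one host moving between ports can be told apart from many hosts flapping across the same two ports. The sample log lines are constructed, and the triage labels and threshold are a heuristic assumption, not a Cisco feature.

```python
import re
from collections import defaultdict

# Body of a Cisco IOS %SW_MATM-4-MACFLAP_NOTIF syslog message.
FLAP_RE = re.compile(
    r"MACFLAP_NOTIF: Host (?P<mac>(?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4}) "
    r"in vlan (?P<vlan>\d+) is flapping between port (?P<a>\S+) and port (?P<b>\S+)"
)

# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = """\
Mar 1 10:00:01: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 10 is flapping between port Gi1/0/1 and port Gi1/0/2
Mar 1 10:00:02: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4466 in vlan 10 is flapping between port Gi1/0/2 and port Gi1/0/1
Mar 1 10:00:02: %LINK-3-UPDOWN: Interface Gi1/0/9, changed state to up
Mar 1 10:00:03: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4477 in vlan 10 is flapping between port Gi1/0/1 and port Gi1/0/2
Mar 1 10:05:10: %SW_MATM-4-MACFLAP_NOTIF: Host AABB.CCDD.EEFF in vlan 20 is flapping between port Gi1/0/5 and port Gi1/0/7
Mar 1 10:05:40: %SW_MATM-4-MACFLAP_NOTIF: Host aabb.ccdd.eeff in vlan 20 is flapping between port Gi1/0/5 and port Gi1/0/7
"""

def summarize_flaps(log_text):
    """Group flap events by (vlan, unordered port pair)."""
    groups = defaultdict(lambda: {"events": 0, "macs": set()})
    for line in log_text.splitlines():
        m = FLAP_RE.search(line)
        if not m:
            continue  # not a flap notification
        # Port order in the message varies, so normalise the pair.
        pair = tuple(sorted((m["a"].rstrip("."), m["b"].rstrip("."))))
        group = groups[(int(m["vlan"]), pair)]
        group["events"] += 1
        group["macs"].add(m["mac"].lower())
    return dict(groups)

def triage(groups, many_macs=3):
    """Heuristic (assumption): many distinct MACs on one port pair suggests a
    loop or missing link aggregation between those ports; a single MAC
    suggests one host (dual-homing, VM migration, or spoofing)."""
    return {
        key: "check-port-pair" if len(g["macs"]) >= many_macs else "check-host"
        for key, g in groups.items()
    }

if __name__ == "__main__":
    summary = summarize_flaps(SAMPLE_LOG)
    for key, verdict in triage(summary).items():
        vlan, pair = key
        print(vlan, pair, summary[key]["events"], sorted(summary[key]["macs"]), verdict)
```
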

How to Resolve MAC Flapping

To address MAC flapping, the first step is to identify the root cause. If the issue is due to physical loops, ensure that Spanning Tree Protocol is correctly configured. For server connections, verify that link aggregation is properly implemented and consistent across devices. In virtual environments, ensure that MAC address updates are synchronized and that port security does not block legitimate changes. If the cause is an attack, implement security measures such as port security, dynamic ARP inspection, and MAC limiting to contain the threat.