Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.
Training Camp • Cybersecurity Glossary
It's when a switch sees the same source MAC on two or more ports, constantly rewriting its MAC table - often signaling a Layer 2 loop or spoofing attack.
MAC Flapping Definition: It's when a switch sees the same source MAC on two or more ports, constantly rewriting its MAC table - often signaling a Layer 2 loop or spoofing attack.
MAC flapping occurs when a network switch repeatedly learns the same source MAC address on different ports within a short window, forcing it to constantly overwrite that entry in its MAC address (CAM) table. The instability points to either a Layer 2 forwarding loop or a host spoofing another device's address.
A switch builds its MAC table by recording the source MAC and ingress port of every frame. Normally each MAC lives behind one port. When frames from the same MAC arrive on multiple ports, the switch flips the table entry back and forth (the "flap"). Most platforms log this explicitly - for example, a Cisco IOS "%SW_MATM-4-MACFLAP_NOTIF" message naming the MAC, VLAN, and contending ports. Common causes are missing or misconfigured Spanning Tree Protocol, redundant cabling, or a duplicated MAC.
For security and reliability, flapping matters because it degrades forwarding (frames get sent toward the wrong port, causing drops and latency) and can mask an attack. An adversary spoofing a gateway or server MAC to intercept traffic produces flapping as the legitimate and rogue devices compete for the same address. Treating every flap as benign cabling risks ignoring active MAC spoofing or a loop that can collapse the broadcast domain.
For example, a technician patches a wall jack into two access ports for redundancy without STP or PortFast loop guard. The switch sees the connected laptop's MAC alternate between ports every few milliseconds, the CAM table thrashes, and users on that VLAN experience intermittent connectivity. The switch logs continuous MACFLAP notifications until the duplicate uplink is removed or STP blocks the redundant path, restoring a single stable forwarding entry for that MAC.
Turn knowledge into credentials with our instructor-led cybersecurity boot camps.
View All Courses →