[c-nsp] protecting router MAC addresses

lee.e.rian at census.gov lee.e.rian at census.gov
Wed Oct 13 06:37:31 EDT 2004


Is there some way to prevent the routers' MAC address from being learned on
a Catalyst 6500 user switch port?

We've had a couple of times recently where Cisco IP phones daisy-chained
together get into a state where they echo frames back to the switch.  Once
that happens, the switch learns the router MAC address on the user port &
traffic meant for the router is black-holed.  It finally happened on a
switch running 5.x code & we got a lot of these syslog messages:

%EARL-6-MAC_MOVE:Host [00-d0-bc-ed-82-b8] on vlan 130 is flapping between
port [8/21] and port [1/1]
%EARL-6-MAC_MOVE:Host [00-00-0c-07-ac-01] on vlan 858 is flapping between
port [8/21] and port [1/1]
%EARL-6-MAC_MOVE:Host [00-00-0c-07-ac-02] on vlan 130 is flapping between
port [1/2] and port [8/21]
%EARL-6-MAC_MOVE:Host [00-00-0c-07-ac-02] on vlan 130 is flapping between
port [8/21] and port [1/2]
%EARL-6-MAC_MOVE:Host [00-30-b6-38-d9-a4] on vlan 130 is flapping between
port [8/21] and port [1/2]
%EARL-6-MAC_MOVE:Host [00-30-b6-38-d9-a4] on vlan 858 is flapping between
port [8/21] and port [1/2]
      <.. much more snipped ..>


The access layer switch has uplinks to two distribution layer switch/MSFCs
and the two MSFCs are doing HSRP.  It seems like port security won't work
for us in this situation because the HSRP MAC address could be coming in on
port 1/1 or 1/2 of the access switch.  Am I missing something with port
security, or is there some other way to prevent the routers' MAC address from
being learned anywhere except for ports 1/1 and 1/2?

Thanks,
Lee
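The symptom described above can be caught from the syslog feed before anyone notices the black hole. The following is an added example, not part of the original post: it parses %EARL-6-MAC_MOVE lines, treats 1/1 and 1/2 as the only legitimate router-facing ports (an assumption taken from the post), recognises the HSRP version 1 virtual MAC prefix 0000.0c07.acXX (the 00-00-0c-07-ac-01/02 addresses in the log), and reports which access port the router MACs are being learned on. The sample log is constructed from the lines quoted above; the optional known_router_macs set is a hypothetical input for the MSFCs' physical addresses.

```python
import re
from collections import Counter

# Constructed sample input: the MAC_MOVE lines quoted in the post.
SAMPLE_LOG = """\
%EARL-6-MAC_MOVE:Host [00-d0-bc-ed-82-b8] on vlan 130 is flapping between port [8/21] and port [1/1]
%EARL-6-MAC_MOVE:Host [00-00-0c-07-ac-01] on vlan 858 is flapping between port [8/21] and port [1/1]
%EARL-6-MAC_MOVE:Host [00-00-0c-07-ac-02] on vlan 130 is flapping between port [1/2] and port [8/21]
%EARL-6-MAC_MOVE:Host [00-00-0c-07-ac-02] on vlan 130 is flapping between port [8/21] and port [1/2]
%EARL-6-MAC_MOVE:Host [00-30-b6-38-d9-a4] on vlan 130 is flapping between port [8/21] and port [1/2]
%EARL-6-MAC_MOVE:Host [00-30-b6-38-d9-a4] on vlan 858 is flapping between port [8/21] and port [1/2]
"""

MAC_MOVE_RE = re.compile(
    r"%EARL-6-MAC_MOVE:Host \[(?P<mac>(?:[0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2})\] "
    r"on vlan (?P<vlan>\d+) is flapping between "
    r"port \[(?P<p1>\d+/\d+)\] and port \[(?P<p2>\d+/\d+)\]"
)
UPLINK_PORTS = {"1/1", "1/2"}       # assumption: the uplinks to the two MSFCs
HSRP_V1_PREFIX = "00-00-0c-07-ac-"  # HSRP v1 virtual MAC 0000.0c07.acXX (XX = group)

def parse_mac_moves(log_text):
    """Extract (mac, vlan, port_a, port_b) from each %EARL-6-MAC_MOVE line."""
    events = []
    for line in log_text.splitlines():
        m = MAC_MOVE_RE.search(line)
        if m:
            events.append((m["mac"].lower(), int(m["vlan"]), m["p1"], m["p2"]))
    return events

def classify(mac, known_router_macs):
    """Label why a MAC learned on an access port is a black-hole risk."""
    if mac.startswith(HSRP_V1_PREFIX):
        return "hsrp-virtual-mac-on-access-port"
    if mac in known_router_macs:
        return "router-mac-on-access-port"
    return "uplink-mac-flapping-to-access-port"

def find_black_hole_risks(log_text, known_router_macs=frozenset()):
    """Return (alerts, suspect_port_counts) for every move of a MAC between an
    uplink and a non-uplink port. Moves between the two uplinks (normal HSRP
    failover) and between two access ports (ordinary host moves) are ignored."""
    known = {m.lower() for m in known_router_macs}
    alerts, suspects = [], Counter()
    for mac, vlan, p1, p2 in parse_mac_moves(log_text):
        bad_ports = {p1, p2} - UPLINK_PORTS
        if not bad_ports or len(bad_ports) == 2:
            continue  # uplink<->uplink or access<->access: not the echo-loop symptom
        alerts.append({"mac": mac, "vlan": vlan, "port": bad_ports.pop(),
                       "reason": classify(mac, known)})
        suspects.update([alerts[-1]["port"]])
    return alerts, suspects
```

The most-implicated port in suspect_port_counts (8/21 for the sample) is the one to shut or inspect first.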
