[c-nsp] Spanning VRFs and seeing my own MAC address on a 4948

Sam Stickland sam_mailinglists at spacething.org
Tue Aug 5 06:30:40 EDT 2008


Hi,

We have a pair of 4948s and some DDOS devices configured in this 
topology (this is an inherited design btw!):

SW1 SVI ---VLANA-- SW2 SVI
  |                  |
DDOS Std          DDOS Act
  |                  |
SW1 (L2) --VLANB-- SW2 (L2)
  X                  |
  |                  |
Inside ----VLANB--- Inside

The Standby DDOS device does not pass traffic, but VLANs A and B are 
effectively bridged by the Active DDOS device on the right.

The SVIs on SW1 and SW2 are in a separate "outside" VRF, and they 
provide an HSRP address that the inside network has a default pointing 
towards.

The CPU on the active side (SW2) is pegged at 99% and it's all in host 
learning. The log buffer reports:

Aug  5 07:44:34.467 UTC: %C4K_L2MAN-5-ROUTERMACADDRESSRXASSOURCE: 
(Suppressed 61591949 times)Packet received with my own MAC address 
(X:X:X:X:X:X) as source on port Gix/y in vlan B

(Gix/y connects to the inside port on the DDOS appliance).

I believe this is because the switches' MAC tables aren't VRF aware and 
the only way to solve the CPU problem is to use physically separate 
switches: i.e. replace the L2 portions in the diagram with separate L2 
switches.

Is my thinking correct? Is there another way?

Thanks,

Sam
