[c-nsp] Spanning VRFs and seeing my own MAC address on a 4948

Phil Mayers p.mayers at imperial.ac.uk
Tue Aug 5 07:12:46 EDT 2008


Sam Stickland wrote:
> Hi,
> 
> We have a pair of 4948s and some DDOS devices configured in this 
> topology (this is an inheritated design btw!):
> 
> SW1 SVI ---VLANA-- SW2 SVI
>  |                  |
> DDOS Std          DDOS Act
>  |                  |
> SW1 (L2) --VLANB-- SW2 (L2)
>  X                  |
>  |                  |
> Inside ----VLANB--- Inside
> 
> The Standby DDOS device does not pass traffic, but VLANs A and B are 
> effectively bridged by the Active DDOS device on the right.

What is a DDOS device? Do you mean IDS/IPS?

> 
> The SVIs on SW1 and SW2 are in a seperate "outside" VRF, and they 
> provide a HSRP address that the inside network has a default pointing 
> towards.
> 
> The CPU on the active side (SW2) is pegged at 99% and it's all in host 
> learning. The log buffer reports:
> 
> Aug  5 07:44:34.467 UTC: %C4K_L2MAN-5-ROUTERMACADDRESSRXASSOURCE: 
> (Suppressed 61591949 times)Packet received with my own MAC address 
> (X:X:X:X:X:X) as source on port Gix/y in vlan B
> 
> (Gix/y connects to the inside port on the DDOS appliance).
> 
> I believe this is because the switches MAC tables aren't VRF aware and 

MAC tables aren't VRF aware. They only need to be VLAN-aware.

Frankly I'm surprised this isn't working; if the SW2(L2) are really at 
layer2 with no SVI, and no L2 control protocols passing the DDoS device 
e.g. spanning tree, CDP, LLDP etc.

> the only way to solve the CPU problem is to use physically seperate 
> switches: i.e. replace the L2 portions in the diagram with separate L2 
> switches.

You could try changing the MAC address of the SVI e.g. to a locally 
assigned one:

int VlanX
   mac-address H.H.H

...I'm not familiar with the C4k platform, but it's common that devices 
have a finite number of MAC addresses they can use. Also when I tried it 
on our 6500s I had problems where it didn't pick up the MAC change on an 
existing SVI until reboot, but would on a newly-created SVI.


More information about the cisco-nsp mailing list