[c-nsp] Spanning VRFs and seeing my own MAC address on a 4948

bill fumerola billf at mu.org
Tue Aug 5 13:06:17 EDT 2008 

On Tue, Aug 05, 2008 at 12:21:31PM +0100, Sam Stickland wrote:
> Phil Mayers wrote:
> >Sam Stickland wrote:
> >>SW1 SVI ---VLANA-- SW2 SVI
> >> |                  |
> >>DDOS Std          DDOS Act
> >> |                  |
> >>SW1 (L2) --VLANB-- SW2 (L2)
> >> X                  |
> >> |                  |
> >>Inside ----VLANB--- Inside
> >>
> >>The Standby DDOS device does not pass traffic, but VLANs A and B are 
> >>effectively bridged by the Active DDOS device on the right.
> >
> >What is a DDOS device? Do you mean IDS/IPS?
> Yup.

these are two devices, not one with two interfaces, right?

are they connected to each other in any way besides through the switch?
e.g. for state sharing or other such.

> >>The SVIs on SW1 and SW2 are in a seperate "outside" VRF, and they 
> >>provide a HSRP address that the inside network has a default pointing 
> >>towards.
> >>
> >>The CPU on the active side (SW2) is pegged at 99% and it's all in 
> >>host learning. The log buffer reports:
> >>
> >>Aug  5 07:44:34.467 UTC: %C4K_L2MAN-5-ROUTERMACADDRESSRXASSOURCE: 
> >>(Suppressed 61591949 times)Packet received with my own MAC address 
> >>(X:X:X:X:X:X) as source on port Gix/y in vlan B
> >>
> >>(Gix/y connects to the inside port on the DDOS appliance).
>
> >Frankly I'm surprised this isn't working; if the SW2(L2) are really at 
> >layer2 with no SVI, and no L2 control protocols passing the DDoS 
> >device e.g. spanning tree, CDP, LLDP etc.
> The have no SVI, but spanning-tree instances are running for VLANs A and B.
> [...]
> Unfortunately the C4k platform doesn't support changing the BIA 
> addresses, but given the nature of the error I don't think it would 
> help. I think it's caused by the layer 2 portion of the switches seeing 
> traffic sourced from it's own SVI on ones it's ports, which is confusing 
> the host learning.

off-the-top-of-my-head:
- which spanning tree version are you running? does the IDS participate?
- redacted configs would be appropriate since the SVI configuration
  is so specific and not just the usual vlanX,no-vrf.. you mix "they
  have no SVI" and mentions of SVIs enough times that it's not clear
  where they really are or aren't and who/what is pointing to them
- your diagram mixes L1,L2 and L3, it'd be nice to get a physical and logical
  diagram (and/or a redacted config)
- fire up ye olde sniffer on the IDS box, it could very well be bridging
  more (or less!) than you think
- speaking of bridging, is there a way to use .1q + routing w/ your IDS?
- look into Loop Guard on both SW1 and SW2. also, to a lesser extent
  look into rootguard, bpduguard, and be sure spanning tree isn't
  oscilating
- w/o the config, it's hard to say, but PVLANs may give you the seperation
  of traffic between ports you desire
- VACLs on the IDS ports to permit the things you know about and log the
  things you don't may be useful combined w/ sniffing

also, i've only used cat6.5k (hybrid & native) and not the 4948.. i dunno
the exact capabilities of some of the features i mentioned (PVLAN, VACL).


-- 
- bill fumerola / billf at FreeBSD.org

More information about the cisco-nsp mailing list