[c-nsp] Spanning VRFs and seeing my own MAC address on a 4948
bill fumerola
billf at mu.org
Tue Aug 5 13:06:17 EDT 2008
On Tue, Aug 05, 2008 at 12:21:31PM +0100, Sam Stickland wrote:
> Phil Mayers wrote:
> >Sam Stickland wrote:
> >>SW1 SVI ---VLANA--- SW2 SVI
> >>   |                  |
> >>DDOS Std           DDOS Act
> >>   |                  |
> >>SW1 (L2) --VLANB--- SW2 (L2)
> >>   X                  |
> >>   |                  |
> >>Inside ----VLANB--- Inside
> >>
> >>The Standby DDOS device does not pass traffic, but VLANs A and B are
> >>effectively bridged by the Active DDOS device on the right.
> >
> >What is a DDOS device? Do you mean IDS/IPS?
> Yup.
these are two devices, not one with two interfaces, right?
are they connected to each other in any way besides through the switch?
e.g. for state sharing or other such.
> >>The SVIs on SW1 and SW2 are in a separate "outside" VRF, and they
> >>provide a HSRP address that the inside network has a default pointing
> >>towards.
> >>
> >>The CPU on the active side (SW2) is pegged at 99% and it's all in
> >>host learning. The log buffer reports:
> >>
> >>Aug 5 07:44:34.467 UTC: %C4K_L2MAN-5-ROUTERMACADDRESSRXASSOURCE:
> >>(Suppressed 61591949 times)Packet received with my own MAC address
> >>(X:X:X:X:X:X) as source on port Gix/y in vlan B
> >>
> >>(Gix/y connects to the inside port on the DDOS appliance).
>
> >Frankly I'm surprised this isn't working; if the SW2(L2) are really at
> >layer2 with no SVI, and no L2 control protocols passing the DDoS
> >device e.g. spanning tree, CDP, LLDP etc.
> They have no SVI, but spanning-tree instances are running for VLANs A and B.
> [...]
> Unfortunately the C4k platform doesn't support changing the BIA
> addresses, but given the nature of the error I don't think it would
> help. I think it's caused by the layer 2 portion of the switches seeing
> traffic sourced from its own SVI on one of its ports, which is confusing
> the host learning.
off-the-top-of-my-head:
- which spanning tree version are you running? does the IDS participate?
- redacted configs would be appropriate since the SVI configuration
is so specific and not just the usual vlanX,no-vrf.. you mix "they
have no SVI" and mentions of SVIs enough times that it's not clear
where they really are or aren't and who/what is pointing to them
- your diagram mixes L1,L2 and L3, it'd be nice to get a physical and logical
diagram (and/or a redacted config)
- fire up ye olde sniffer on the IDS box, it could very well be bridging
more (or less!) than you think
- speaking of bridging, is there a way to use .1q + routing w/ your IDS?
- look into Loop Guard on both SW1 and SW2. also, to a lesser extent
look into rootguard, bpduguard, and be sure spanning tree isn't
oscillating
- w/o the config, it's hard to say, but PVLANs may give you the separation
of traffic between ports you desire
- VACLs on the IDS ports to permit the things you know about and log the
things you don't may be useful combined w/ sniffing
also, i've only used cat6.5k (hybrid & native) and not the 4948.. i dunno
the exact capabilities of some of the features i mentioned (PVLAN, VACL).
--
- bill fumerola / billf at FreeBSD.org
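Added example, not part of the thread: a small parser for the %C4K_L2MAN-5-ROUTERMACADDRESSRXASSOURCE syslog line quoted above. It turns the "(Suppressed N times)" counter into a per-port, per-VLAN total so you can see which IDS-facing port is reflecting the SVI's MAC back and how badly, before pulling out the sniffer. The log lines, MAC address, port names and VLAN number below are constructed (the real message was wrapped by the mail client; here each message is on one line), and the 1000-hit threshold is an arbitrary assumption.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Matches the Catalyst 4500 message quoted in the thread. The
# "(Suppressed N times)" prefix is optional: the first occurrence is
# logged without it, later ones carry the repeat count.
OWN_MAC_RE = re.compile(
    r"%C4K_L2MAN-5-ROUTERMACADDRESSRXASSOURCE:\s*"
    r"(?:\(Suppressed (?P<suppressed>\d+) times\))?\s*"
    r"Packet received with my own MAC address \((?P<mac>[^)]+)\) "
    r"as source on port (?P<port>\S+) in vlan (?P<vlan>\S+)"
)


class OwnMacEvent(NamedTuple):
    timestamp: str
    mac: str
    port: str
    vlan: str
    occurrences: int  # the logged instance plus any suppressed repeats


def parse_own_mac_events(lines: List[str]) -> List[OwnMacEvent]:
    """Extract own-MAC-as-source events; unrelated syslog lines are skipped."""
    events = []
    for line in lines:
        m = OWN_MAC_RE.search(line)
        if not m:
            continue
        # Everything before the first '%' is the syslog timestamp prefix.
        timestamp = line.split("%", 1)[0].rstrip(": ").strip()
        suppressed = int(m.group("suppressed") or 0)
        events.append(
            OwnMacEvent(
                timestamp,
                m.group("mac").lower(),
                m.group("port"),
                m.group("vlan"),
                suppressed + 1,
            )
        )
    return events


def summarize_by_port(events: List[OwnMacEvent]) -> Dict[Tuple[str, str], int]:
    """Total reflected frames per (port, vlan), counting suppressed repeats."""
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for e in events:
        totals[(e.port, e.vlan)] += e.occurrences
    return dict(totals)


def ports_with_suspected_loop(
    events: List[OwnMacEvent], threshold: int = 1000
) -> List[Tuple[str, str]]:
    """Ports whose reflected-frame total exceeds the (assumed) threshold."""
    return sorted(k for k, v in summarize_by_port(events).items() if v >= threshold)


# Constructed sample log; MAC, ports and VLAN are placeholders, not from the thread.
SAMPLE_LOG = [
    "Aug  5 07:44:34.467 UTC: %C4K_L2MAN-5-ROUTERMACADDRESSRXASSOURCE: "
    "Packet received with my own MAC address (00:11:22:aa:bb:cc) as source on port Gi1/5 in vlan 200",
    "Aug  5 07:44:34.467 UTC: %C4K_L2MAN-5-ROUTERMACADDRESSRXASSOURCE: "
    "(Suppressed 61591949 times)Packet received with my own MAC address (00:11:22:aa:bb:cc) "
    "as source on port Gi1/5 in vlan 200",
    "Aug  5 07:44:35.001 UTC: %C4K_L2MAN-5-ROUTERMACADDRESSRXASSOURCE: "
    "(Suppressed 3 times)Packet received with my own MAC address (00:11:22:aa:bb:cc) "
    "as source on port Gi1/7 in vlan 200",
    "Aug  5 07:44:36.120 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
]

if __name__ == "__main__":
    evs = parse_own_mac_events(SAMPLE_LOG)
    for (port, vlan), total in sorted(summarize_by_port(evs).items()):
        print(f"port {port} vlan {vlan}: {total} frames with own MAC as source")
    print("suspected bridging/loop on:", ports_with_suspected_loop(evs))
```

The point of summing the suppressed counter rather than counting log lines is that the switch rate-limits this message heavily; three lines in the buffer can stand for tens of millions of frames, which is the number that actually explains a CPU pegged in host learning.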