[c-nsp] Spanning VRFs and seeing my own MAC address on a 4948
Lincoln Dale
ltd at cisco.com
Tue Aug 5 21:58:22 EDT 2008
Sam Stickland wrote:
>
>>> believe this is because the switches MAC tables aren't VRF aware
>>> and the only way to solve the CPU problem is to use physically
>>> separate switches: i.e. replace the L2 portions in the diagram with
>>> separate L2 switches.
>>>
>>> Is my thinking correct? Is there another way?
>> logically speaking, VRFs are for L3 what VLANs are for L2.
>>
>> i don't think "replacing with separate L2 switches" will fix it, i
>> think you've got a L2 loop that needs fixing.
> Really? Where?
i'd say it's something evil that the DDoS devices are doing. what it's
doing is up for debate, but clearly that SW2 is indicating it's receiving
BACK packets it's sending from the log message, clearly it's working
overtime on the MAC learning too given it's at 99% CPU in that process
moving mac addresses between ports...
> Drawing out the diagram above as the spanning-tree topology stabilises
> it's:
> [..]
> Far from ideal, I know, but I'm not sure there's a L2 loop here.
my guess is the DDoS boxes are eating/modifying BPDUs to allow STP to
establish in the first place.
purely a guess mind you, as i say, just going on the evidence of what
the cisco switch is reporting & having done lots of 'testing' of these
kinds of scenarios on other cisco boxes...
cheers,
lincoln.
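The symptom Lincoln describes above (SW2 logging that it sees its own frames coming back, and burning CPU moving MAC addresses between ports) is something a log pipeline can flag. Below is an added example, not code from the thread or from Cisco: it parses host-flapping notifications from a syslog feed and separates a single host that genuinely moved from many hosts flapping between the same two ports, which is what an L2 loop looks like. The log lines are constructed for this example and the message format is an assumption modelled on the Catalyst host-flapping notification; check it against what your own switch logs.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines (not from the original thread). The message
# format is an assumption loosely modelled on Catalyst host-flapping notices.
SAMPLE_LOG = """\
Aug  5 21:40:01 SW2 %C4K_EBM-4-HOSTFLAPPING: Host 00:50:56:aa:bb:01 in vlan 10 is flapping between port Gi1/1 and port Gi1/2
Aug  5 21:40:02 SW2 %C4K_EBM-4-HOSTFLAPPING: Host 00:50:56:aa:bb:01 in vlan 10 is flapping between port Gi1/2 and port Gi1/1
Aug  5 21:40:02 SW2 %C4K_EBM-4-HOSTFLAPPING: Host 00:50:56:aa:bb:02 in vlan 10 is flapping between port Gi1/1 and port Gi1/2
Aug  5 21:40:03 SW2 %C4K_EBM-4-HOSTFLAPPING: Host 00:50:56:aa:bb:01 in vlan 10 is flapping between port Gi1/1 and port Gi1/2
Aug  5 21:40:05 SW2 %C4K_EBM-4-HOSTFLAPPING: Host 00:50:56:aa:bb:03 in vlan 20 is flapping between port Gi1/5 and port Gi1/6
Aug  5 21:40:06 SW2 %SYS-5-CONFIG_I: Configured from console by admin
"""

# Pull the host MAC, VLAN and the two ports out of a flapping notification.
FLAP_RE = re.compile(
    r"Host (?P<mac>[0-9a-fA-F:.]+) in vlan (?P<vlan>\d+) is flapping "
    r"between port (?P<p1>\S+) and port (?P<p2>\S+)"
)


def parse_flaps(text):
    """Return (mac, vlan, frozenset({port_a, port_b})) for each flapping line.

    Non-matching lines (other syslog messages) are ignored.
    """
    events = []
    for line in text.splitlines():
        m = FLAP_RE.search(line)
        if m:
            ports = frozenset((m.group("p1"), m.group("p2")))
            events.append((m.group("mac").lower(), int(m.group("vlan")), ports))
    return events


def flap_summary(events):
    """Count flap events and distinct hosts per (vlan, sorted port pair).

    Port order in the message does not matter: Gi1/1<->Gi1/2 and
    Gi1/2<->Gi1/1 are the same pair.
    """
    counts = Counter()
    hosts = defaultdict(set)
    for mac, vlan, ports in events:
        key = (vlan, tuple(sorted(ports)))
        counts[key] += 1
        hosts[key].add(mac)
    return {k: {"events": counts[k], "hosts": len(hosts[k])} for k in counts}


def suspect_loops(summary, min_events=3, min_hosts=2):
    """Port pairs where several distinct hosts keep flapping between the same
    two ports. One host moving once is normal (vMotion, a re-patched cable);
    many hosts bouncing between the same pair is the signature of an L2 loop
    or of a device reflecting frames back into the switch.
    """
    return sorted(
        key for key, v in summary.items()
        if v["events"] >= min_events and v["hosts"] >= min_hosts
    )


if __name__ == "__main__":
    summary = flap_summary(parse_flaps(SAMPLE_LOG))
    for (vlan, ports), v in sorted(summary.items()):
        print(f"vlan {vlan} {ports[0]} <-> {ports[1]}: "
              f"{v['events']} events, {v['hosts']} hosts")
    for vlan, ports in suspect_loops(summary):
        print(f"SUSPECT LOOP: vlan {vlan} between {ports[0]} and {ports[1]}")
```

In the constructed sample, VLAN 10 has two hosts flapping between Gi1/1 and Gi1/2 four times in a few seconds and is flagged; the single host moving between Gi1/5 and Gi1/6 in VLAN 20 is not. The thresholds are starting points to tune against your own baseline, and the port pair that is flagged is where to go looking (with `show spanning-tree` and the MAC table) rather than at the VRF configuration.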