[c-nsp] Catalyst switches and %C4K_EBM-4-HOSTFLAPPING

Henry-Nicolas Tourneur hntourneur at autempspourmoi.be
Mon Oct 17 04:59:44 EDT 2011


Hi Peter, thanks for your answers :)

The topology looks like this:

[CUSTOMER DEVICE] ---> [RADIO CPE] ---> [RADIO BASE STATION PmP]
                                                   ||
                                                   ||
                                             Ethernet Trunk
                                                   ||
                                                   ||
        [Cisco Router]----Ethernet trunk---[Catalyst switch]

We provide IP services to the customer; it's done as you see in the above diagram.
If the customer device starts announcing the same MAC address as the Cisco router, it'll make the Catalyst switch flap inside that VLAN (which indeed creates very high CPU usage, 99%).

So, isn't there anything we can do to prevent this? 
Any switchport security to disable all the traffic of a VLAN when it flaps too much?

Thanks for your help.

-----Original Message-----
From: Peter Rathlev [mailto:peter at rathlev.dk] 
Sent: jeudi 13 octobre 2011 22:59
To: Henry-Nicolas Tourneur
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Catalyst switches and %C4K_EBM-4-HOSTFLAPPING

On Thu, 2011-10-13 at 16:44 +0200, Henry-Nicolas Tourneur wrote:
> 1. How will the Catalyst react if a MAC Adr flaps within only one
> VLAN? Will the same MAC Adr be impacted inside other VLAN? 

The Catalyst switches use per-VLAN tables, so flapping in one table will
not directly affect other tables. You might have secondary effects from
the switch being busy updating the FDB. And the flapping might be a
symptom of a distant loop, which in turn might give you separate
problems.

> 2. How can we protect against this? Is it possible to temporarily
> disable only a VLAN and not a port (some ports being trunks...)?

If you're seeing the effects of a loop inside the customer network
reflecting frames back to you that it shouldn't, then there isn't much
to do AFAIK. It's one of the reasons interfacing at L2 with an untrusted
customer is a problem.

If you explain the topology and what you need to deliver there might be
someone who can propose a solution without these inherent problems.

-- 
Peter
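
One way to quantify the flapping discussed in this thread from the switch's syslog, as an added example (not code from either poster): it counts %C4K_EBM-4-HOSTFLAPPING events per VLAN and MAC, and flags any event that involves a protected MAC such as the router's. The message layout in the regex, the sample lines, the MAC addresses and the port names are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumed layout of the Catalyst 4500 host-flapping syslog message.
FLAP_RE = re.compile(
    r"%C4K_EBM-4-HOSTFLAPPING:\s*Host\s+(?P<mac>[0-9A-Fa-f:.\-]+)\s+in\s+vlan\s+(?P<vlan>\d+)"
    r"\s+is\s+flapping\s+between\s+port\s+(?P<a>\S+)\s+and\s+port\s+(?P<b>\S+)"
)

# Constructed sample: Gi1/1 = router trunk, Gi1/2 = radio base station trunk.
SAMPLE = [
    "Oct 17 10:00:01: %C4K_EBM-4-HOSTFLAPPING: Host 00:11:22:33:44:55 in vlan 100 is flapping between port Gi1/1 and port Gi1/2",
    "Oct 17 10:00:02: %C4K_EBM-4-HOSTFLAPPING: Host 00:11:22:33:44:55 in vlan 100 is flapping between port Gi1/2 and port Gi1/1",
    "Oct 17 10:00:03: %C4K_EBM-4-HOSTFLAPPING: Host 00:AA:BB:CC:DD:EE in vlan 200 is flapping between port Gi1/2 and port Gi1/3",
    "Oct 17 10:00:04: %LINK-3-UPDOWN: Interface Gi1/5, changed state to up",
]

def normalize_mac(mac):
    """Reduce colon, dash or Cisco dotted notation to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def summarize_flaps(lines, protected_macs=(), threshold=3):
    """Return alerts per (vlan, mac): any protected MAC, or count >= threshold."""
    protected = {normalize_mac(m) for m in protected_macs}
    counts = Counter()
    ports = defaultdict(set)
    for line in lines:
        m = FLAP_RE.search(line)
        if not m:
            continue  # unrelated syslog message
        key = (int(m["vlan"]), normalize_mac(m["mac"]))
        counts[key] += 1
        ports[key].update((m["a"], m["b"]))
    alerts = []
    for (vlan, mac), n in counts.items():
        if n >= threshold or mac in protected:
            alerts.append({"vlan": vlan, "mac": mac, "count": n,
                           "ports": sorted(ports[(vlan, mac)]),
                           "protected": mac in protected})
    # Protected (infrastructure) MACs first, then highest flap count.
    alerts.sort(key=lambda a: (not a["protected"], -a["count"]))
    return alerts

if __name__ == "__main__":
    for alert in summarize_flaps(SAMPLE, protected_macs=["0011.2233.4455"]):
        print(alert)
```

The `ports` field shows which interfaces the MAC moved between, which separates a router MAC appearing on the customer-facing trunk from ordinary host movement.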




