
VLAN Trunking Port on a 5500 - CAM Address 0100c0cccccc - DOS attack

Last week I had a DOS attack (not Slammer) on the inside of the network. The MAC address of the source was the ISL trunking port default address listed above. I have multiple non-native VLANs on the 5500 (four). These VLANs have servers connected to them. I have a few other switches, 2900s that connect to the 5500 on native VLAN 1. We first suspected that a user on one of the 2900s was the culprit, and got all of them to close all applications, stay on network, and I was going to disable the ports they come in on, one at a time. The DOS attack stopped before they were all out. QUESTION - do all the devices on the VLANs on the 5500 (not VLAN 1) use the ISL trunking port, or only the devices that "connect" with VLAN 1? At this point I still don't know the source of the DOS attack.


Re: VLAN Trunking Port on a 5500 - CAM Address 0100c0cccccc - DO

The ISL trunk "extends" a vlan beyond a local switch. Traffic for a vlan is forwarded through the ISL trunk to all other switches with ports in that vlan.

The source address that you specified is a multicast address and the vendor code is Cisco. I would say that this is probably not the source of the DOS attack.


Re: VLAN Trunking Port on a 5500 - CAM Address 0100c0cccccc - DO

I was told by Cisco TAC that this address is the default Cisco address for the ISL trunking port. So, if that is correct, the question is: Is the ISL trunking port on the 5500 used by the different VLANs on this switch, or only on different VLANs on another switch?

Re: VLAN Trunking Port on a 5500 - CAM Address 0100c0cccccc - DO

01-00-0c-cc-cc-cc-cd is the Cisco shared spanning tree (SSTP) MAC.

This is for VLANs other than VLAN 1. Cisco uses different spanning tree groups for each VLAN on the switch and over a trunk link the other VLANs will use this MAC.

There could have been a spanning tree reconvergence occurring at the time when you saw these messages.
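
As an added example (not part of the thread and not any poster's code): a small Python triage helper for addresses like the ones quoted above. It checks the group (multicast) bit and the OUI, as the first reply does by eye, and rejects strings that are not 48 bits long; the function names and the two-entry lookup table are this example's own, and the table comes from general knowledge of Cisco's reserved group addresses rather than from the thread.

```python
import re

CISCO_OUI = "00:00:0c"  # Cisco OUI with the group (I/G) bit cleared

# Assumption: well-known Cisco group addresses, not taken from the thread.
KNOWN_GROUPS = {
    "01:00:0c:cc:cc:cc": "CDP/VTP/DTP/PAgP/UDLD",
    "01:00:0c:cc:cc:cd": "SSTP (PVST+ BPDUs)",
}


def normalize(mac):
    """Accept 0100.0ccc.cccc, 01-00-0c-..., 01:00:0c:... or bare hex."""
    digits = re.sub(r"[.:\-\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify(mac):
    """Return the properties an analyst checks before trusting a 'source' MAC."""
    norm = normalize(mac)
    first = int(norm[:2], 16)
    group = bool(first & 0x01)           # I/G bit: 1 = multicast/broadcast
    oui = f"{first & 0xfe:02x}" + norm[2:8]
    return {
        "mac": norm,
        "group": group,
        "locally_administered": bool(first & 0x02),  # U/L bit
        "oui": oui,
        "cisco_oui": oui == CISCO_OUI,
        "protocol": KNOWN_GROUPS.get(norm),
        # A group address is only ever a destination; a station cannot
        # legitimately transmit with it as its source address.
        "valid_as_source": not group,
    }


if __name__ == "__main__":
    # Constructed sample input: the spellings that appear in this thread.
    for sample in ("0100c0cccccc", "0100.0ccc.cccc", "01-00-0c-cc-cc-cd",
                   "01-00-0c-cc-cc-cc-cd"):
        try:
            print(classify(sample))
        except ValueError as exc:
            print("rejected:", exc)
```

An address that comes back with `group` set and `valid_as_source` false is a destination address, so the traffic source has to be found from the ingress port counters or a capture on the trunk, not from that MAC.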