Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
359
Views
0
Helpful
3
Replies

VLAN Trunking Port on a 5500 - CAM Address 0100c0cccccc - DOS attack

colleen-smith
Level 1
Level 1

‎01-27-2003 05:36 PM - edited ‎03-02-2019 04:34 AM

Last week I had a DOS attack (not Slammer) on the inside of the network. The MAC address of the source was the ISL trunking port default address listed above. I have multiple non-native VLANS on the 5500 (four). These VLANs have servers connected to them. I have a few other switches, 2900s that connect to the 5500 on native VLAN 1. We first suspected that a user on one the 2900s was the culprit, and got all the them to close all applications, stay on network, and i was going to disable the ports they come in on, one at a time. The DOS attack stopped before they were all out. QUESTION - do all the devices on the VLANs on the 5500 (not vlan 1) use the ISL trunking port, or only the devices that "connect" with VLAN 1. At this point I still don't know the source of the DOS attack .

Labels:
0 Helpful
3 Replies 3

lgijssel
Level 9
Level 9

‎01-28-2003 04:09 AM

The ISL trunk "extends" a vlan beyond a local switch. Traffic for a vlan is forwarded through the ISL trunk to all other switches with ports in that vlan.

The source adress that you specified is a multicast adress and the vendor-code is Cisco. I would say that this is probably not the source of the DOS attack.

0 Helpful

colleen-smith
Level 1
Level 1
In response to lgijssel

‎01-28-2003 01:08 PM

I was told by Cisco TAC that this address is the default Cisco address for the ISL trunking port. So, if that is correct, the question is: Is the ISL trunking port on the 5500 used by the different Vlans on this switch, or only on Different Vlans on another switch?

0 Helpful

Erick Bergquist
Level 6
Level 6
In response to colleen-smith

‎01-28-2003 02:00 PM

01-00-0c-cc-cc-cc-cd is cisco shared spanning tree (SSTP) MAC

This is for other VLANs other then VLAN 1. Cisco uses different spanning tree groups for each VLAN on the switch and over a trunk link the other VLANs will use this MAC.

There could have been a spanning tree reconvergence occuring at the time when you saw these messages.

Erick

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents