Hi,
We have a pair of 4948s and some DDOS devices configured in this
topology (this is an inherited design btw!):
SW1 SVI  ---VLANA--  SW2 SVI
   |                    |
DDOS Std             DDOS Act
   |                    |
SW1 (L2) --VLANB--  SW2 (L2)
   X                    |
   |                    |
Inside  ----VLANB---  Inside
The Standby DDOS device does not pass traffic, but VLANs A and B are
effectively bridged by the Active DDOS device on the right.
The SVIs on SW1 and SW2 are in a separate "outside" VRF, and they
provide an HSRP address that the inside network has a default pointing
towards.
The CPU on the active side (SW2) is pegged at 99% and it's all in host
learning. The log buffer reports:
Aug 5 07:44:34.467 UTC: %C4K_L2MAN-5-ROUTERMACADDRESSRXASSOURCE:
(Suppressed 61591949 times)Packet received with my own MAC address
(X:X:X:X:X:X) as source on port Gix/y in vlan B
(Gix/y connects to the inside port on the DDOS appliance).
I believe this is because the switches' MAC tables aren't VRF aware and
the only way to solve the CPU problem is to use physically separate
switches: i.e. replace the L2 portions in the diagram with separate L2
switches.
Is my thinking correct? Is there another way?
Thanks,
Sam
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
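The log message quoted in the post is the one piece of hard evidence in the thread, so here is an added example (not part of the original post or of any Cisco tooling) of how an operator or SOC might parse it from a syslog feed and separate the two things it can mean: a switch seeing its own router MAC back on a port that bridges two of its own VLANs (the loop-through-the-appliance case described above) versus the same MAC arriving from a port where no such path is expected, which is also what a host impersonating the gateway MAC would produce. The sample log lines are constructed to match the format in the post (with the MAC, port and VLAN values made up), and the set of "appliance ports" is an assumption the caller supplies.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample syslog lines modelled on the message format quoted in
# the post. MAC, port and VLAN values are made up; the suppression counter
# is per-line as IOS prints it.
SAMPLE_LOG = """\
Aug  5 07:44:34.467 UTC: %C4K_L2MAN-5-ROUTERMACADDRESSRXASSOURCE: (Suppressed 61591949 times)Packet received with my own MAC address (00:11:22:33:44:55) as source on port Gi1/7 in vlan 200
Aug  5 07:44:35.100 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0
Aug  5 07:49:34.470 UTC: %C4K_L2MAN-5-ROUTERMACADDRESSRXASSOURCE: (Suppressed 61650121 times)Packet received with my own MAC address (00:11:22:33:44:55) as source on port Gi1/7 in vlan 200
Aug  5 07:49:40.002 UTC: %C4K_L2MAN-5-ROUTERMACADDRESSRXASSOURCE: Packet received with my own MAC address (00:11:22:33:44:55) as source on port Gi1/12 in vlan 200
"""

# Matches the message body; the "(Suppressed N times)" prefix is optional and
# IOS may print it with no space before "Packet", as in the post.
LINE_RE = re.compile(
    r"%C4K_L2MAN-5-ROUTERMACADDRESSRXASSOURCE:\s*"
    r"(?:\(Suppressed (?P<suppressed>\d+) times\))?\s*"
    r"Packet received with my own MAC address \((?P<mac>[0-9A-Fa-f:]+)\) "
    r"as source on port (?P<port>\S+) in vlan (?P<vlan>\S+)"
)


@dataclass
class OwnMacEvent:
    timestamp: str
    mac: str
    port: str
    vlan: str
    suppressed: int  # 0 when the line carried no suppression counter


def parse_events(log_text):
    """Extract ROUTERMACADDRESSRXASSOURCE events; other syslog lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        timestamp = line[: line.index("%C4K")].rstrip(": ")
        events.append(OwnMacEvent(
            timestamp=timestamp,
            mac=m.group("mac").lower(),
            port=m.group("port"),
            vlan=m.group("vlan"),
            suppressed=int(m.group("suppressed") or 0),
        ))
    return events


def summarize(events, appliance_ports):
    """Group events by (port, vlan) and give each group a verdict.

    appliance_ports: ports known to face a device that bridges VLANs back to
    this switch (an assumption supplied by the operator). Own-MAC frames from
    any other port are flagged for investigation, since a host spoofing the
    gateway MAC produces the same message.
    """
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev.port, ev.vlan)].append(ev)

    summary = {}
    for key, evs in by_key.items():
        counters = [ev.suppressed for ev in evs if ev.suppressed]
        # Growth of the suppression counter between reports shows the rate
        # at which the switch is punting these frames to the CPU.
        delta = counters[-1] - counters[0] if len(counters) >= 2 else 0
        if key[0] in appliance_ports:
            verdict = "loop: own MAC returned via bridged-VLAN appliance path"
        else:
            verdict = "investigate: own MAC from unexpected port (possible gateway MAC spoofing)"
        summary[key] = {
            "messages": len(evs),
            "last_suppressed": counters[-1] if counters else 0,
            "delta": delta,
            "verdict": verdict,
        }
    return summary


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for key, info in summarize(evs, appliance_ports={"Gi1/7"}).items():
        print(key, info)
```

Feeding this the real log buffer (`show logging`) per switch, with the port facing the active DDOS appliance in `appliance_ports`, lets you confirm that every own-MAC report comes from the known bridged path before treating the problem as purely a design issue.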