01-27-2003 05:36 PM - edited 03-02-2019 04:34 AM
Last week I had a DoS attack (not Slammer) on the inside of the network. The MAC address of the source was the ISL trunking port default address listed above. I have multiple non-native VLANs on the 5500 (four). These VLANs have servers connected to them. I have a few other switches, 2900s, that connect to the 5500 on native VLAN 1. We first suspected that a user on one of the 2900s was the culprit, and got all of them to close all applications and stay on the network, and I was going to disable the ports they come in on, one at a time. The DoS attack stopped before they were all out. QUESTION - do all the devices on the VLANs on the 5500 (not VLAN 1) use the ISL trunking port, or only the devices that "connect" with VLAN 1? At this point I still don't know the source of the DoS attack.
01-28-2003 04:09 AM
The ISL trunk "extends" a vlan beyond a local switch. Traffic for a vlan is forwarded through the ISL trunk to all other switches with ports in that vlan.
The source address that you specified is a multicast address and the vendor code is Cisco. I would say that this is probably not the source of the DoS attack.
01-28-2003 01:08 PM
I was told by Cisco TAC that this address is the default Cisco address for the ISL trunking port. So, if that is correct, the question is: Is the ISL trunking port on the 5500 used by the different VLANs on this switch, or only by different VLANs on another switch?
01-28-2003 02:00 PM
01-00-0c-cc-cc-cc-cd is the Cisco Shared Spanning Tree (SSTP) MAC.
This is for VLANs other than VLAN 1. Cisco uses different spanning tree groups for each VLAN on the switch, and over a trunk link the other VLANs will use this MAC.
There could have been a spanning tree reconvergence occurring at the time when you saw these messages.
Erick
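Added example, not part of any reply in this thread: a Python triage of captured (source, destination) MAC pairs that separates switch control traffic (SSTP, CDP/VTP, ISL) from host traffic, so that a Cisco group address is not mistaken for the sending host. The frame list is constructed, and the address table holds reference values supplied for this example.

```python
import re
from collections import Counter
# Well-known Cisco Layer 2 group destinations (reference values added for this example).
CISCO_GROUPS = {
    "01:00:0c:cc:cc:cc": "CDP/VTP/DTP/PAgP/UDLD",
    "01:00:0c:cc:cc:cd": "SSTP (per-VLAN spanning tree BPDUs)",
}
ISL_PREFIX = "01:00:0c:00:00"  # first 40 bits of the ISL encapsulation destination

def normalize(mac):
    """Accept 01-00-0c-.., 01:00:0c:.. or 0100.0ccc.cccd and return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[-:.]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_group(mac):
    """True when the I/G bit (lowest bit of the first octet) marks a group address."""
    return bool(int(normalize(mac)[:2], 16) & 0x01)

def label_destination(mac):
    mac = normalize(mac)
    if mac in CISCO_GROUPS:
        return CISCO_GROUPS[mac]
    if mac.startswith(ISL_PREFIX):
        return "ISL encapsulation"
    return "multicast/broadcast" if is_group(mac) else "unicast"

def triage(frames):
    """Split (src, dst) pairs into control traffic, invalid sources and per-host counts."""
    control, invalid_src, talkers = Counter(), [], Counter()
    for src, dst in frames:
        src, dst = normalize(src), normalize(dst)
        if is_group(src):  # a group address is never a legitimate Ethernet source
            invalid_src.append((src, dst))
        elif dst in CISCO_GROUPS or dst.startswith(ISL_PREFIX):
            control[label_destination(dst)] += 1
        else:
            talkers[src] += 1  # candidate hosts, ranked by frame count
    return control, invalid_src, talkers

# Constructed sample frames (source, destination); not data from the thread.
SAMPLE = [
    ("02-00-00-00-00-0a", "01-00-0c-cc-cc-cd"),
    ("02-00-00-00-00-0a", "01-00-0c-cc-cc-cc"),
    ("02:00:00:00:00:0b", "ff:ff:ff:ff:ff:ff"),
    ("0200.0000.000b", "0200.0000.0002"),
    ("01-00-0c-cc-cc-cd", "02-00-00-00-00-02"),
]
```

`triage(SAMPLE)` returns the control-traffic counts, the frames whose source field carries a group address, and a `Counter` of unicast senders; `talkers.most_common()` gives the hosts to examine first.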