365 Views, 0 Helpful, 3 Replies

VLAN Trunking Port on a 5500 - CAM Address 0100c0cccccc - DOS attack

colleen-smith
Level 1

Last week I had a DOS attack (not Slammer) on the inside of the network. The MAC address of the source was the ISL trunking port default address listed above. I have multiple non-native VLANs on the 5500 (four). These VLANs have servers connected to them. I have a few other switches, 2900s, that connect to the 5500 on native VLAN 1. We first suspected that a user on one of the 2900s was the culprit, and got all of them to close all applications and stay on the network, and I was going to disable the ports they come in on, one at a time. The DOS attack stopped before they were all out. QUESTION - do all the devices on the VLANs on the 5500 (not VLAN 1) use the ISL trunking port, or only the devices that "connect" with VLAN 1? At this point I still don't know the source of the DOS attack.

3 Replies

lgijssel
Level 9

The ISL trunk "extends" a vlan beyond a local switch. Traffic for a vlan is forwarded through the ISL trunk to all other switches with ports in that vlan.

The source address that you specified is a multicast address and the vendor code is Cisco. I would say that this is probably not the source of the DOS attack.

I was told by Cisco TAC that this address is the default Cisco address for the ISL trunking port. So, if that is correct, the question is: is the ISL trunking port on the 5500 used by the different VLANs on this switch, or only by different VLANs on another switch?

01-00-0c-cc-cc-cd is the Cisco shared spanning tree (SSTP) MAC.

This is for VLANs other than VLAN 1. Cisco uses different spanning tree groups for each VLAN on the switch, and over a trunk link the other VLANs will use this MAC.

There could have been a spanning tree reconvergence occurring at the time when you saw these messages.

Erick
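As an added example (written for this thread, not code from Cisco or from any of the posters), here is a small Python helper that performs the two checks the replies above describe: it tests the I/G (group) bit of a MAC address seen in the CAM table and clears it for the vendor lookup lgijssel mentions, and it recognises the two reserved Cisco addresses Erick distinguishes, 01-00-0c-cc-cc-cc (CDP, VTP, DTP, PAgP, UDLD) and 01-00-0c-cc-cc-cd (PVST+/SSTP BPDUs), plus the IEEE 802.1D STP address. The one-entry Cisco OUI table and the simplified CAM-table lines are constructed for the example; the address strings accept the 5500's dotted, dashed or bare-hex notations.

```python
# Added example for this thread: classify MAC addresses seen in a CAM table.
# Not a Cisco tool. Address table from public protocol documentation;
# the OUI set and the CAM dump below are constructed for illustration.
import re

# Reserved multicast addresses relevant to the thread.
KNOWN_MULTICAST = {
    "01:00:0c:cc:cc:cc": "Cisco CDP/VTP/DTP/PAgP/UDLD",
    "01:00:0c:cc:cc:cd": "Cisco PVST+ (SSTP) per-VLAN spanning-tree BPDUs",
    "01:80:c2:00:00:00": "IEEE 802.1D spanning-tree BPDUs",
}
# Assumption: only the Cisco OUI that matters here; a real lookup uses the IEEE list.
CISCO_OUIS = {"00:00:0c"}


def normalize_mac(raw: str) -> str:
    """Accept 0100.0ccc.cccd, 01-00-0c-cc-cc-cd or 01000ccccccd; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify_mac(raw: str) -> dict:
    """Return the I/G and U/L bits, the vendor OUI and any known protocol use."""
    mac = normalize_mac(raw)
    first_octet = int(mac[:2], 16)
    is_group = bool(first_octet & 0x01)   # I/G bit set: multicast/group address
    is_local = bool(first_octet & 0x02)   # U/L bit set: locally administered
    # Vendor lookups clear the I/G bit, so 01:00:0c resolves to Cisco's 00:00:0c.
    vendor_oui = f"{first_octet & 0xfe:02x}" + mac[2:8]
    return {
        "mac": mac,
        "multicast": is_group,
        "locally_administered": is_local,
        "vendor_oui": vendor_oui,
        "cisco": vendor_oui in CISCO_OUIS,
        "known_as": KNOWN_MULTICAST.get(mac),
        # IEEE 802 source addresses are individual addresses; a group address
        # as *source* means protocol chatter was misread or the frame was forged.
        "plausible_host_source": not is_group,
    }


# Constructed sample: simplified CAM entries as "vlan mac port" (not real switch output).
SAMPLE_CAM = """\
1     0010.7b3e.4f2a   3/1
10    0100.0ccc.cccd   3/1
1     0100.0ccc.cccc   3/1
20    00e0.1e5f.aa01   4/7
"""


def suspicious_cam_entries(dump: str) -> list:
    """List CAM entries whose MAC is a group address: protocol traffic, never a host."""
    found = []
    for line in dump.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        vlan, mac, port = parts[0], parts[1], parts[2]
        info = classify_mac(mac)
        if info["multicast"]:
            found.append((int(vlan), info["mac"], port,
                          info["known_as"] or "unknown group address"))
    return found


if __name__ == "__main__":
    for raw in ("01-00-0c-cc-cc-cd", "0100.0ccc.cccc", "0100c0cccccc"):
        print(classify_mac(raw))
    for entry in suspicious_cam_entries(SAMPLE_CAM):
        print(entry)
```

Feeding the thread's addresses through `classify_mac` shows the distinction both replies draw: 01-00-0c-cc-cc-cd is the PVST+ BPDU address and 01-00-0c-cc-cc-cc carries CDP/VTP/DTP traffic, both group addresses with the Cisco OUI once the I/G bit is cleared. Note that the string in the thread title, 0100c0cccccc, resolves to OUI 00:00:c0 rather than Cisco's 00:00:0c, so it is worth re-reading the original CAM entry before chasing it further.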