[c-nsp] What is The Best Configuration per Interface (Catalyst Switch 3500)?

Adrian Pirciu adrian.pirciu at rdsnet.ro
Tue Nov 2 02:01:23 EST 2004


On Saturday 30 October 2004 19:59, Ian Henderson wrote:
> On Sat, 30 Oct 2004, Michael Smith wrote:
> > 1) Why have an IP Access Group on a Switchport?  Even though your
> > device may be routing, I'm fairly certain Layer 3 ACLs won't be
> > processed by a Layer 2 port.
>
> Yes they can be, depending on the model. It's a very cool thing - with
> no switch impact, we can block a few hundred megabits of small packet
> DoS on a 2950G, before it hits a 7200-G1 (which would usually melt).
>
> Kudos to the Web Central guys for pointing us to this. :) Who would
> have thought the $1500AUD~ 2950 would be so useful.
>
> > 2) On your Client interface turn off Portfast.
>
> BPDU guard and root guard should protect the switching network from
> rogue loops on the client facing ports. Shouldn't it...? BPDU guard
> will errdisable the port if it sees any BPDUs while root guard will
> disable the port if it sees a root bridge BPDU (kind of pointless
> with BPDU guard on as well). What am I missing?

bpdufilter instead doesn't shut down the port if it sees a BPDU; it just
ignores it.

 spanning-tree bpdufilter enable


>
> Rgds,
>
>
> - I.
>
> --
> Ian Henderson CCNA, CCNP
> Senior Network Engineer, Chime Communications
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

-- 
------------------------------------------------------------------------
Adrian Pirciu
Network Engineer
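
Added example, not part of the original message: a small Python audit that reads IOS-style interface blocks and reports, per port, which of the BPDU behaviours described in this thread applies. The sample config, the interface names and the returned labels are constructed for illustration; the behaviour attached to each command is as described in the thread.

```python
import re

# Constructed sample config (not from the thread); interface names are made up.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 spanning-tree bpdufilter enable
!
interface FastEthernet0/3
 spanning-tree guard root
!
interface FastEthernet0/4
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/1
 switchport mode trunk
"""

def parse_interfaces(config):
    """Return {interface name: [stripped sub-commands]} from IOS-style text."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = blocks.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the block
    return blocks

def bpdu_handling(commands):
    """Label what the port does with a received BPDU, per the thread."""
    guard = "spanning-tree bpduguard enable" in commands
    filt = "spanning-tree bpdufilter enable" in commands
    if guard and filt:
        return "conflict"    # both set: review which behaviour is intended
    if filt:
        return "ignore"      # BPDUs are ignored, port stays up
    if guard:
        return "errdisable"  # any BPDU errdisables the port
    # root guard reacts only to root bridge BPDUs
    return "root-guard" if "spanning-tree guard root" in commands else "none"

def audit(config):
    """Map every interface in the config to its BPDU handling label."""
    return {n: bpdu_handling(c) for n, c in parse_interfaces(config).items()}
```

Ports reported as "ignore" or "none" are the ones where a received BPDU will not take the port down, which is the difference between bpdufilter and BPDU guard raised above.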

