[c-nsp] Broadcast storm control
Saku Ytti
saku+cisco-nsp at ytti.fi
Tue Nov 6 18:57:31 EST 2007
On (2007-11-06 15:53 -0500), Fred Reimer wrote:
> If we can get a bunch of people to log the same issue then
> there's a very slim chance to actually get this implemented in
> some far-future version of code...
Thanks Fred, I guess I'm not the only one wanting this then (to me
this really seems like one of the basic L2 security features
you should have).
But your suggestion sounds complex (I understood that you'd kinda
want port-security and some port-security domain amongst which
MACs could change without aging); some other vendors (Telco from BATM,
prolly many others) simply implement 'learn max of X MACs from this
interface, filter or broadcast (configurable) exceeding', without any
extra 'security' functionality.
Now I have to decide which is commercially best for me:
a) better convergence for my customers
b) better security by not allowing my customers to turn
my switch into a hub, but also I'd lose badly on convergence time.
I've opted for a), since the network does break down, and convergence
does happen, quite often too. Then again our customers
are always on their own VLANs, so I really couldn't care
less about MAC spoofing. On LANs I just use IPSG, DAI and
DHCP snooping and I'm quite happy with that.
Basically you have two threats:
1) MAC stealing (I don't care, DAI, IPSG, DHCP snooping are better)
2) CAM exhaustion (I do care, customers can make my switch a hub!)
Solving 2) without also meddling with 1) is not possible :(
--
++ytti
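A small model of the two per-port policies discussed in the thread (a plain "learn at most X MACs per port, drop the excess" cap versus port-security style binding of a MAC to its first port), added here as an example; it is not part of the original post and not any vendor's implementation. All MAC addresses, port numbers, the 8192-entry table size and the 300-second aging time are constructed.

```python
class CamTable:
    """Toy L2 forwarding table with a per-port learned-MAC limit.
    policy="cap":    learn at most X MACs per port and drop the excess; a MAC
                     may move to another port if that port still has room.
    policy="sticky": port-security style, a MAC stays bound to the port it
                     was first seen on until it ages out.
    Constructed model, not any vendor's implementation."""

    def __init__(self, capacity, per_port_max, policy="cap", age=300):
        self.capacity, self.per_port_max = capacity, per_port_max
        self.policy, self.age = policy, age
        self.table = {}  # mac -> [port, last_seen]

    def _on_port(self, port):
        return sum(1 for p, _ in self.table.values() if p == port)

    def expire(self, now):
        self.table = {m: e for m, e in self.table.items() if now - e[1] < self.age}

    def learn(self, mac, port, now):
        """Process a frame's source MAC; return what the table did with it."""
        self.expire(now)
        if mac in self.table:
            if self.table[mac][0] == port:
                self.table[mac][1] = now
                return "refreshed"
            if self.policy == "sticky":
                return "violation"  # bound to another port, wait for aging
            if self._on_port(port) >= self.per_port_max:
                return "drop"
            self.table[mac] = [port, now]
            return "moved"
        if len(self.table) >= self.capacity or self._on_port(port) >= self.per_port_max:
            return "drop"
        self.table[mac] = [port, now]
        return "learned"


def simulate(policy):
    """Two events from the thread: a source-MAC flood on one customer port,
    then a reconvergence that makes six hosts show up on the other uplink."""
    cam = CamTable(capacity=8192, per_port_max=8, policy=policy)
    for i in range(5000):  # constructed flood: 5000 distinct source MACs on port 1
        cam.learn(f"de:ad:00:00:{i >> 8:02x}:{i & 0xff:02x}", port=1, now=0)
    hosts = [f"02:00:00:00:00:{i:02x}" for i in range(6)]
    for h in hosts:  # first learned behind uplink port 10
        cam.learn(h, port=10, now=1)
    failover = [cam.learn(h, port=11, now=2) for h in hosts]  # now via port 11
    return {"port1_entries": cam._on_port(1), "total": len(cam.table), "failover": failover}
```

Under both policies the flood leaves only 8 entries on port 1, so the table is not exhausted; the difference shows at failover, where the cap policy re-learns the moved hosts immediately while the sticky policy blackholes them until the old entries age out.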