[c-nsp] EoMPLS or VPLS loop prevention/storm control

schilling schilling2006 at gmail.com
Thu Feb 10 11:37:07 EST 2011


Thanks all for the insights and recommendations. I really appreciate it.

Schilling

On Wed, Feb 9, 2011 at 3:26 PM, Nick Hilliard <nick at foobar.org> wrote:
> On 09/02/2011 19:10, schilling wrote:
>>
>> I am familiar with these features. I talked with Cisco TAC several
>> times, they are not recommending the storm control since it can not
>> differentiate control data from user data, this might cause
>> instability of layer 2 network.
>
> This is true on core ports, which is one of the reasons why it's important
> to constrain the size of your layer2 domains.  However, storm control is
> critical on access ports.
>
>> Port security to only allow specific
>> MAC addresses might be helpful, but will not be useful for a hub.
>
> Hub?  Urgh, you need to remove this dangerous item from your network,
> pronto! :-)
>
>> So there is no good way to prevent rogue hub/switch from messing with
>> our network?
>
> No.  Hubs are trouble, and unless you control the rogue switch, and the
> switch has decent quality port security features, then that will also cause
> trouble.
>
>> So the best we can do is to reduce the fault domain, if something
>> messed up, just let it mess up a small area of network?
>
> You need to reduce your fault domain as part of a controlled redesign of
> your network, which will involve partitioning of the network into much
> smaller areas, installation of equipment which has the features and
> functionality that you need, removal of older equipment which is actively
> causing trouble, creation of access policies and templates for access and
> core ports, examination of dot1x (this is a contentious point), right down
> to creation of policies for dealing with people who feel that this
> restructuring is going to impinge on their carefree lifestyles.
>
> Also, don't use VTP unless you like living dangerously.
>
> Hyping your network with an MPLS core and using EoMPLS / AToM will give you
> lots of string to hang yourself with.  There are plenty of legitimate design
> reasons to use MPLS as a transport for your L2 core, but dealing with edge
> stability problems is not one of them.
>
> Nick
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
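As an added illustration of the "access policies and templates for access and core ports" Nick describes (this is not configuration from the thread or from either poster), here is what an access-port template on a Cisco Catalyst switch running IOS might look like, with a port left at defaults shown beside the hardened version. Interface names, VLAN numbers, thresholds and the recovery interval are assumptions chosen for the example; per the discussion above, the storm-control lines are meant for access ports only, not core or trunk ports.

```ios
! Added example, not from the cisco-nsp thread. Interface names, VLANs
! and thresholds below are assumptions for illustration.
!
! --- Weak: an access port left at defaults ---
! No storm control, no BPDU guard, no port security: a rogue hub or
! unmanaged switch plugged in here can flood or loop the L2 domain.
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 100
!
! --- Hardened access-port template ---
interface GigabitEthernet1/0/11
 description user access (hardened template)
 switchport mode access
 switchport access vlan 100
 switchport nonegotiate
 ! Rate-limit broadcast / multicast / unknown-unicast floods at the edge
 ! (levels are percent of link bandwidth); err-disable the port rather
 ! than let the storm into the rest of the VLAN.
 storm-control broadcast level 1.00
 storm-control multicast level 5.00
 storm-control unicast level 10.00
 storm-control action shutdown
 ! Cap the number of learned MACs; a hub or downstream switch will
 ! exceed it, and "restrict" drops the excess and logs it.
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 ! Edge port: forward immediately, but err-disable the moment a BPDU
 ! arrives, i.e. when someone plugs a switch in.
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Global: bring err-disabled edge ports back automatically after five
! minutes so one incident does not need a site visit, and stop VTP from
! accepting VLAN database changes from a rogue switch.
errdisable recovery cause bpduguard
errdisable recovery cause storm-control
errdisable recovery interval 300
vtp mode transparent
```

After applying the template, `show storm-control`, `show port-security interface GigabitEthernet1/0/11` and `show spanning-tree interface GigabitEthernet1/0/11 detail` confirm the thresholds, the MAC limit and BPDU guard are active; `show errdisable recovery` lists which causes will auto-recover. The access-port template deliberately carries the storm-control and BPDU-guard lines, while a core or trunk port template would not, for the reason given above: on core links storm control cannot tell control traffic from user traffic.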


