[c-nsp] What is The Best Configuration per Interface (Catalyst Switch 3500)?

Ian Henderson ianh at chime.net.au
Sat Oct 30 12:59:19 EDT 2004


On Sat, 30 Oct 2004, Michael Smith wrote:

> 1) Why have an IP Access Group on a Switchport?  Even though your device
> may be routing, I'm fairly certain Layer 3 ACLs won't be processed by a
> Layer 2 port.

Yes they can be, depending on the model. It's a very cool thing - with no
switch impact, we can block a few hundred megabits of small packet DoS on
a 2950G, before it hits a 7200-G1 (which would usually melt).

Kudos to the Web Central guys for pointing us to this. :) Who would have
thought the $1500AUD~ 2950 would be so useful.

> 2) On your Client interface turn off Portfast.

BPDU guard and root guard should protect the switching network from rogue
loops on the client facing ports. Shouldn't it...? BPDU guard will
errdisable the port if it sees any BPDUs while root guard will disable the
port if it sees a root bridge BPDU (kind of pointless with BPDU guard on
as well). What am I missing?

Rgds,


- I.

--
Ian Henderson CCNA, CCNP
Senior Network Engineer, Chime Communications
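
As an added illustration (not part of the original post or thread), the client-facing port setup discussed above could look like this in Catalyst IOS syntax. The interface number, the ACL name CLIENT-IN and the 192.0.2.10 address are assumptions; whether a port ACL is accepted depends on the model and image.

```cisco
! Added example; interface, ACL name and addresses are constructed.
! Port ACL: drop unwanted traffic in switch hardware at the edge,
! before it reaches the upstream router.
ip access-list extended CLIENT-IN
 ! 192.0.2.10 stands in for a host being flooded with small UDP packets
 deny   udp any host 192.0.2.10
 permit ip any any
!
interface FastEthernet0/1
 description Client-facing access port
 switchport mode access
 ! Layer 3 ACL applied inbound on a Layer 2 port
 ip access-group CLIENT-IN in
 ! PortFast left on, as in the setup the post describes
 spanning-tree portfast
 ! Any BPDU received on this port puts it into errdisable
 spanning-tree bpduguard enable
 ! A superior BPDU puts the port into root-inconsistent (blocking) state;
 ! with BPDU guard on the same port, BPDU guard acts first
 spanning-tree guard root
!
! Optional: bring BPDU-guard errdisabled ports back automatically
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Checks after applying:
!   show access-lists CLIENT-IN
!   show interfaces status err-disabled
!   show spanning-tree inconsistentports
```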

