[c-nsp] Migration to Rapid-PVST
Per Carlson
lists at ip4all.net
Mon May 15 03:32:46 EDT 2006
On Sat, May 13, 2006 at 02:09:38PM +0100, Rolf Mendelsohn wrote:
> Make sure you try and block all weird stuff at customer ports - e.g.
>
> switchport mode access
> no cdp enable
> spanning-tree portfast
> spanning-tree bpdufilter enable
> spanning-tree bpduguard enable
> spanning-tree guard none
> end
Just remember one thing, a service provider should protect its
own network from customer induced traffic as much as possible.
bpdufilter is one such a mechanism, but the BPDUs received from
the customer are nevertheless punted to the CPU. A misbehaving
customer can thus do a (though unintentional) DoS against the
switch. All ingress filtering should be done using hardware
mechanisms. In this case, that spells MAC-address filters. To
block the different Control Protocols (CDP, STP etc.) the
following MAC-addresses have to be filtered:
CDP, DTP, PagP, UDLD and VTP: 0100.0ccc.cccc
PVST+: 0100.0ccc.cccd
MIST, MSTP, RSTP, STP: 0180.c200.0000
A full blown MAC-ACL would look something like this:
mac access-list extended BLOCK_CUSTOMER_CP
deny any host 0100.0ccc.cccc
deny any host 0100.0ccc.cccd
deny any host 0180.c200.0000
permit any any
interface fa0/1
mac access-group BLOCK_CUSTOMER_CP in
--
Per Carlson, Sr. Network Developer
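As an added example, not part of the thread: a small Python checker that parses the MAC ACL quoted above, simulates IOS first-match evaluation (including the implicit deny at the end) against the three control-protocol destination MACs, and confirms ordinary customer unicast still passes. The customer MAC addresses in it are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Destination MACs the post lists for the control protocols it names.
CONTROL_PLANE_MACS: Dict[str, str] = {
    "0100.0ccc.cccc": "CDP/DTP/PAgP/UDLD/VTP",
    "0100.0ccc.cccd": "PVST+",
    "0180.c200.0000": "STP/RSTP/MSTP",
}

# Constructed copy of the ACL from the post (BLOCK_CUSTOMER_CP is the post's name).
ACL_TEXT = """
mac access-list extended BLOCK_CUSTOMER_CP
 deny any host 0100.0ccc.cccc
 deny any host 0100.0ccc.cccd
 deny any host 0180.c200.0000
 permit any any
"""

Rule = Tuple[str, Optional[str], Optional[str]]  # (action, src, dst); None = any
_RULE = re.compile(r"^\s*(permit|deny)\s+(any|host\s+\S+)\s+(any|host\s+\S+)")

def _spec(token: str) -> Optional[str]:
    return None if token == "any" else token.split()[1].lower()

def parse_mac_acl(text: str) -> List[Rule]:
    """Parse 'permit|deny <src> <dst>' lines; each side is 'any' or 'host <mac>'."""
    rules = []
    for line in text.splitlines():
        m = _RULE.match(line)
        if m:
            action, src, dst = m.groups()
            rules.append((action, _spec(src), _spec(dst)))
    return rules

def evaluate(rules: List[Rule], src_mac: str, dst_mac: str) -> str:
    """First match wins; as on IOS, a frame matching nothing hits the implicit deny."""
    src_mac, dst_mac = src_mac.lower(), dst_mac.lower()
    for action, src, dst in rules:
        if src in (None, src_mac) and dst in (None, dst_mac):
            return action
    return "deny"

def audit(text: str, customer_mac: str = "0011.2233.4455") -> Dict[str, str]:
    """Verdict for each control-protocol MAC, plus a check that plain unicast still passes."""
    rules = parse_mac_acl(text)
    out = {name: evaluate(rules, customer_mac, mac) for mac, name in CONTROL_PLANE_MACS.items()}
    out["unicast"] = evaluate(rules, customer_mac, "0011.2233.4456")
    return out
```

Dropping the trailing "permit any any" line is the classic mistake here: the implicit deny then silently blocks all customer traffic, which `audit` reports as `unicast: deny`.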