[c-nsp] Broadcast storm control
Saku Ytti
saku+cisco-nsp at ytti.fi
Mon Nov 5 21:06:57 EST 2007
On (2007-11-05 18:08 -0600), Michael Malitsky wrote:
> Last week one of my customers DoS'd me - they managed to create a wire
> loop between their switches, with no STP. The resulting broadcast storm
> killed the CPU on my access router (their default gateway). Does anyone
> have any pointers or best practices on how I can protect the router
> without having access to the switches beyond it?
I run broadcast stormcontrol, portfast (Edge port) and bpduguard
automatically on in all edge ports. But I do not run bpdufilter,
this way accidentally created loops should be visible by receiving
our own BPDU back and port going to errdisable because of that, and
all other cases, we'll have to hope that stormcontrol catches it.
In my opinion cisco is lacking some elementary L2 security features,
like not being able to limit MAC addresses per port, without also
having port-security on and also ability to limit unknown unicast per port.
--
++ytti
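The edge-port setup described in the reply, written out as an added Cisco IOS configuration example; it is not from the post or from Cisco's documentation, and the interface name, VLAN, storm-control threshold and errdisable recovery interval are assumptions chosen for illustration:

```cisco
! Added example: one customer-facing edge port on a Catalyst switch.
! Assumptions: GigabitEthernet0/1 is an access port in VLAN 100,
! a 1% broadcast threshold and a 300-second recovery timer are acceptable.
interface GigabitEthernet0/1
 description customer edge port (assumed)
 switchport mode access
 switchport access vlan 100
 ! Rate-limit broadcast traffic; shut the port when the level is exceeded
 ! instead of letting the storm reach the default gateway's CPU.
 storm-control broadcast level 1.00
 storm-control action shutdown
 ! Edge port: go straight to forwarding, but still send our own BPDUs.
 spanning-tree portfast
 ! Any BPDU received here (including our own, returned through a
 ! customer loop without STP) errdisables the port.
 spanning-tree bpduguard enable
 ! Deliberately NOT configured: "spanning-tree bpdufilter enable".
 ! Filtering would suppress the BPDUs, so a looped customer switch
 ! would never trip bpduguard and only storm-control could catch it.
!
! Bring errdisabled ports back automatically so a transient loop
! does not require manual intervention; the interval is an assumption.
errdisable recovery cause bpduguard
errdisable recovery cause storm-control
errdisable recovery interval 300
```

After applying this, `show storm-control` and `show spanning-tree summary` show the per-port thresholds and the BPDU Guard state, and `show interfaces status err-disabled` lists ports that have been taken down by either mechanism.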