[c-nsp] Broadcast storm control

Fred Reimer freimer at ctiusa.com
Tue Nov 6 15:53:04 EST 2007


Let me rephrase that:

How do we go about filing a PER so that a switch will accept the
same static MAC address configured for port security on two
different interfaces.  For instance, say you have a customer that
has a bunch of client routers plugged into a switch.  You want to
limit the number of MAC addresses in case one of those clients
does something weird like bridging a bunch of traffic or being
compromised, etc.  However, some clients have two routers and use
HSRP for redundancy.  With port security configured it will flag
a violation if it sees a dynamic MAC on one port that it has
learned on another port.  So the floating HSRP MAC will cause
problems until it times out of the port security database.  I'd
like the option of configuring "duplicate" static MACs on
different ports so that we can still enable port security yet
allow for fast cut-over for known MAC addresses.

Or as an addition, a global option to turn off the hold-time on a
MAC switching between ports to the port-security aging time.

If an interface goes down and the MACs are immediately removed
from the database that would be a plus, but HSRP may be tracking
a WAN interface and you may desire a move of the HSRP MAC to the
backup router even if the primary router LAN interface does not
go down.

If we can get a bunch of people to log the same issue then
there's a very slim chance to actually get this implemented in
some far-future version of code...

Fred Reimer, CISSP
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697
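To make the failure mode concrete, here is an added toy model in Python of the behaviour the thread describes (it is not Cisco code and not from the original post). It models a secure-MAC table with absolute aging, the per-port maximum, and the "MAC move" violation, plus the hypothetical feature Fred asks for: the same static MAC permitted on more than one port. The HSRP version 1 virtual MAC format (0000.0c07.acXX, XX = group) is real; the port names, timings and the `static_ports` option are constructed for the example.

```python
from dataclasses import dataclass

# HSRP version 1 virtual MAC for standby group 1: 0000.0c07.acXX, XX = group number.
HSRP_VMAC = "0000.0c07.ac01"


@dataclass
class SecureEntry:
    port: str
    learned_at: float


class PortSecuritySwitch:
    """Toy model of port security on one switch (not Cisco's implementation).

    A dynamically secured MAC is bound to the port it was learned on and is
    removed only when it ages out (absolute aging, `aging_time` seconds).
    The same MAC seen on another port before that is a violation.
    `static_ports` models the feature proposed in the thread: one static
    MAC permitted on several ports at once. It is hypothetical, not an IOS knob.
    """

    def __init__(self, aging_time: float, max_per_port: int = 2):
        self.aging_time = aging_time
        self.max_per_port = max_per_port
        self.dynamic: dict[str, SecureEntry] = {}
        self.static_ports: dict[str, set[str]] = {}
        self.violations: list[tuple[float, str, str]] = []

    def add_static(self, mac: str, port: str) -> None:
        self.static_ports.setdefault(mac, set()).add(port)

    def _expire(self, now: float) -> None:
        for mac, entry in list(self.dynamic.items()):
            if now - entry.learned_at >= self.aging_time:
                del self.dynamic[mac]

    def _secured_on(self, port: str) -> int:
        n = sum(1 for e in self.dynamic.values() if e.port == port)
        return n + sum(1 for ports in self.static_ports.values() if port in ports)

    def _violate(self, now: float, mac: str, port: str) -> str:
        self.violations.append((now, mac, port))
        return "violation"

    def frame(self, mac: str, port: str, now: float) -> str:
        """Classify a frame with source `mac` arriving on `port` at time `now`."""
        self._expire(now)
        if mac in self.static_ports:
            # Statically secured: allowed wherever it is configured, nowhere else.
            if port in self.static_ports[mac]:
                return "forward"
            return self._violate(now, mac, port)
        entry = self.dynamic.get(mac)
        if entry is not None:
            if entry.port == port:
                return "forward"
            # MAC move: still secured on another port and not yet aged out.
            return self._violate(now, mac, port)
        if self._secured_on(port) >= self.max_per_port:
            # The "client bridging a bunch of traffic" case port security exists for.
            return self._violate(now, mac, port)
        self.dynamic[mac] = SecureEntry(port, now)
        return "forward"


def hsrp_cutover(aging_time: float = 300.0, static: bool = False) -> list[tuple[float, str]]:
    """Constructed timeline: the active router on Gi1/0/1 sources the HSRP VMAC
    at t=0; its tracked WAN link fails and the standby on Gi1/0/2 takes the
    group at t=10, while the primary's LAN port stays up (nothing is flushed)."""
    sw = PortSecuritySwitch(aging_time)
    if static:
        sw.add_static(HSRP_VMAC, "Gi1/0/1")
        sw.add_static(HSRP_VMAC, "Gi1/0/2")
    timeline = [(0.0, "Gi1/0/1"), (10.0, "Gi1/0/2"), (150.0, "Gi1/0/2"), (310.0, "Gi1/0/2")]
    return [(t, sw.frame(HSRP_VMAC, port, t)) for t, port in timeline]


if __name__ == "__main__":
    print("dynamic only:", hsrp_cutover())
    print("static on both ports:", hsrp_cutover(static=True))
```

With dynamic learning only, the standby's frames are violations from t=10 until the old entry ages out at t=300, exactly the window Fred wants to close; with the VMAC statically permitted on both ports the cut-over is immediate. The model deliberately keeps the primary's LAN port up, since HSRP tracking a WAN interface means no link-down event ever clears the entry. Absent the proposed feature, the only lever in shipping IOS is shortening the port-security aging timer (for example `switchport port-security aging time` with `aging type inactivity`), which trades a shorter outage for a weaker binding.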

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Saku Ytti
Sent: Tuesday, November 06, 2007 12:37 PM
To: Sam Stickland
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Broadcast storm control

On (2007-11-06 17:14 +0000), Sam Stickland wrote:
> I'm sorry. I don't see how the configuration above would be
> different from a configuration command that said "limit the number
> of MAC addresses on this port to x". Can you explain?

Consider topology:

A --- Switch ---- B

In normal configuration MAC 'foo' can even send frames round-robin
from A and B. In port-security it can only switch between ports
every aging time. So if the A---Switch connection breaks down, you
have to wait for the aging time before the Switch---B connection
can be used.

-- 
  ++ytti
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/