[c-nsp] Question - VLAN tagging Catalyst 6500 to Linux Host
sthaug at nethelp.no
Tue Apr 6 15:48:32 EDT 2010
> 'switchport nonegotiate' is more tricksie than that - it stops the ends of
> the link from negotiating whether they are trunk or access - i.e. it stops
> a host from asking an access port to become a trunk... or a trunk
> link from providing just an access layer. It's a security mechanism
> and isn't to be confused with speed/duplex. Best practice is to
> use it on edge ports to stop Mr Haxor from asking for a trunk link and
> all the VLANs that the switch knows.

I would say that in service provider networks, best practice is to use
"switchport nonegotiate" on all links between Cisco switches - because
you *really* want this (trunk or access) to be hard coded.
Steinar Haug, Nethelp consulting, sthaug at nethelp.no
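
Added example, not part of the original post or written by the thread participants: a small Python check over IOS-style running-config text that lists layer-2 ports where trunk or access is not hard coded with "switchport nonegotiate", as recommended in the thread. The sample config, the function name `audit_dtp`, and the treatment of a port with no "switchport mode" line as a dynamic (negotiating) port are assumptions.

```python
import re

# Constructed sample of IOS-style running-config (not taken from the thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 description uplink to core
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/2
 description linux host
 switchport
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/3
 switchport
!
interface GigabitEthernet1/4
 no switchport
 ip address 192.0.2.1 255.255.255.0
!
"""

def audit_dtp(config):
    """Return [(interface, mode, reason)] for layer-2 ports that can still negotiate."""
    findings = []
    # An interface stanza is the header line plus the indented lines that follow it.
    for m in re.finditer(r"^interface (\S+)\n((?:[ \t]+.*\n?)*)", config, re.M):
        name = m.group(1)
        lines = [l.strip() for l in m.group(2).splitlines()]
        if "no switchport" in lines or not any(l.startswith("switchport") for l in lines):
            continue  # routed port or no layer-2 config: trunk negotiation not relevant
        # Assumption: with no explicit mode line the platform default is a dynamic mode.
        mode = next((l.split("switchport mode ", 1)[1] for l in lines
                     if l.startswith("switchport mode ")), "default (dynamic)")
        if mode.startswith(("dynamic", "default")):
            findings.append((name, mode, "mode not hard coded"))
        elif "switchport nonegotiate" not in lines:
            findings.append((name, mode, "missing switchport nonegotiate"))
    return findings

if __name__ == "__main__":
    for finding in audit_dtp(SAMPLE_CONFIG):
        print(*finding, sep=": ")
```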