[c-nsp] Untagged native VLAN...

Peter Rathlev peter at rathlev.dk
Tue Nov 23 14:21:35 EST 2010


On Tue, 2010-11-23 at 18:48 +0000, Nick Hilliard wrote:
> On 23/11/2010 18:30, Peter Rathlev wrote:
> > Also include "spanning-tree bpduguard enable" wherever possible. STP
> > BPDUs have no place on access ports.
> 
> This should be accompanied by a generous helping of the "port security" 
> commands.  Otherwise you end up with a risk of l2 loops.

I'm not sure I follow. Any L2 loop beyond a port with BPDU Guard would
put the port in err-disable state, wouldn't it? I'm not advocating
"spanning-tree bpdufilter enable" on access ports; that only hides
problems.

The best thing would be if one could just limit the number of allowed
MAC addresses on a port, forcing the port err-disabled if the limit is
crossed. Whenever I look at port-security it seems to address a lot of
other "problems", and that tends to complicate implementation. :-|

-- 
Peter
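
An added example (not part of the original message): a small audit over an IOS-style running-config that flags access ports missing BPDU Guard, carrying BPDU filter, or lacking a MAC address limit that err-disables the port. The sample config and the finding labels are constructed; the check reads per-interface commands only and assumes port-security's default violation mode of shutdown.

```python
import re
# Constructed sample running-config (not from the original post).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security maximum 2
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree bpdufilter enable
interface GigabitEthernet0/3
 switchport mode access
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security violation restrict
interface GigabitEthernet0/24
 switchport mode trunk
"""

def parse_interfaces(config):
    stanzas, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = stanzas.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return stanzas

def audit_access_ports(config):
    # Findings per access port; global defaults are not considered.
    report = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue  # trunks and routed ports are out of scope
        findings = []
        if "spanning-tree bpduguard enable" not in lines:
            findings.append("no BPDU Guard")
        if "spanning-tree bpdufilter enable" in lines:
            findings.append("BPDU filter hides loops")
        if "switchport port-security" not in lines:
            findings.append("no MAC address limit")
        elif re.search(r"port-security violation (restrict|protect)", "\n".join(lines)):
            findings.append("MAC limit violation does not err-disable")
        report[name] = findings
    return report
```

Calling `audit_access_ports(SAMPLE_CONFIG)` returns an empty list for a port that has both controls and one or more findings for the others.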



