[c-nsp] Alternatives for port-security in a L2 host redundancy environment

Andrew Miehs andrew at 2sheds.de
Fri Apr 29 07:32:32 EDT 2011


On Fri, Apr 29, 2011 at 12:02 PM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:

> On 04/28/2011 06:48 PM, Peter Rathlev wrote:
>
>> I'm not deeply familiar with audits like these, but if they're seriously
>> asking for port-security on infrastructure ports they have IMHO
>> misunderstood something. User facing ports: yes maybe. Infrastructure
>> ports: no.
>>
>
> Sadly, in my experience a complete lack of understanding on the auditors
> part does not necessarily reduce their power to compel you. You need really
> good, words-of-one-syllable explanations to convince them why you can't do
> something. And even that may not help :o(


You may be able to use something like this with maximum:

 interface GigabitEthernet2/22
 description PortDesc
 switchport
 switchport access vlan 2
 switchport mode access
 switchport port-security
 switchport port-security maximum 8
 switchport port-security aging time 5
 switchport port-security aging type inactivity
 no cdp enable
 spanning-tree portfast edge
 spanning-tree bpduguard enable
!

Regards

Andrew
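As an added example (not part of the thread or the poster's configuration), the script below parses IOS-style interface stanzas and reports the port-security settings the thread argues about: it flags port-security applied to a trunk (the infrastructure-port case Peter objects to) and, on access ports, flags the defaults that bite in a host-redundancy setup, namely a maximum left at 1 and aging left disabled. The sample config is constructed; its first stanza is the one from the post, the other two are made up. Default values for absent keywords (maximum 1, violation shutdown, aging time 0) are the documented Cisco IOS defaults and are stated as assumptions in the code.

```python
"""Audit Cisco IOS-style interface stanzas for port-security settings.

Added example for this cisco-nsp thread; not the poster's code.
Assumptions:
  - an interface stanza starts with "interface <name>" and its sub-commands
    are indented by one space; any non-indented line ends the stanza
  - when a keyword is absent the Cisco IOS defaults apply:
    maximum 1, violation shutdown, aging time 0 (aging disabled)
"""
import re
from dataclasses import dataclass

# Constructed sample: first stanza is the one from the post, the other two
# are invented to exercise the checks.
SAMPLE_CONFIG = """\
interface GigabitEthernet2/22
 description PortDesc
 switchport
 switchport access vlan 2
 switchport mode access
 switchport port-security
 switchport port-security maximum 8
 switchport port-security aging time 5
 switchport port-security aging type inactivity
 no cdp enable
 spanning-tree portfast edge
 spanning-tree bpduguard enable
!
interface GigabitEthernet2/23
 description Uplink to core (constructed)
 switchport
 switchport mode trunk
 switchport port-security
!
interface GigabitEthernet2/24
 description user port with bare port-security (constructed)
 switchport
 switchport mode access
 switchport port-security
!
"""


@dataclass
class Port:
    name: str
    mode: str = "unspecified"
    port_security: bool = False
    maximum: int = 1             # IOS default when the keyword is absent
    violation: str = "shutdown"  # IOS default: err-disable the port
    aging_time: int = 0          # 0 = aging disabled (IOS default)
    aging_type: str = "absolute"


def parse_interfaces(config: str) -> list[Port]:
    """Extract one Port per interface stanza, keeping only the fields we audit."""
    ports: list[Port] = []
    current: Port | None = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = Port(name=line.split(None, 1)[1])
            ports.append(current)
            continue
        if current is None or not line.startswith(" "):
            current = None  # "!" or a global line closes the stanza
            continue
        cmd = line.strip()
        if cmd.startswith("no "):
            continue  # negated commands do not set any of the audited fields
        if m := re.fullmatch(r"switchport mode (\S+)", cmd):
            current.mode = m.group(1)
        elif cmd == "switchport port-security":
            current.port_security = True
        elif m := re.fullmatch(r"switchport port-security maximum (\d+).*", cmd):
            current.maximum = int(m.group(1))
        elif m := re.fullmatch(r"switchport port-security violation (\S+)", cmd):
            current.violation = m.group(1)
        elif m := re.fullmatch(r"switchport port-security aging time (\d+)", cmd):
            current.aging_time = int(m.group(1))
        elif m := re.fullmatch(r"switchport port-security aging type (\S+)", cmd):
            current.aging_type = m.group(1)
    return ports


def audit(ports: list[Port]) -> dict[str, list[str]]:
    """Return findings per interface; an empty list means nothing to report."""
    findings: dict[str, list[str]] = {p.name: [] for p in ports}
    for p in ports:
        if not p.port_security:
            continue
        if p.mode == "trunk":
            findings[p.name].append(
                "port-security enabled on a trunk/infrastructure port")
            continue
        if p.maximum == 1:
            findings[p.name].append(
                f"maximum left at default 1; a second MAC on this port "
                f"triggers violation action '{p.violation}'")
        if p.aging_time == 0:
            findings[p.name].append(
                "aging disabled; secure MACs never expire on their own")
    return findings


if __name__ == "__main__":
    for name, notes in audit(parse_interfaces(SAMPLE_CONFIG)).items():
        print(name, "OK" if not notes else "")
        for note in notes:
            print("   -", note)
```

Run against a saved `show running-config` the script reports the post's Gi2/22 as clean (maximum 8, five-minute inactivity aging), the constructed trunk as a port where port-security does not belong, and the bare `switchport port-security` access port as one that will err-disable the first time a redundant host presents a second MAC.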

