[c-nsp] EoMPLS or VPLS loop prevention/storm control

schilling schilling2006 at gmail.com
Wed Feb 9 14:10:33 EST 2011


Thanks all for the info.
I am familiar with these features. I talked with Cisco TAC several
times; they are not recommending storm control since it cannot
differentiate control data from user data, which might cause
instability of the layer 2 network. Port security to only allow specific
MAC addresses might be helpful, but will not be useful for a hub.
So is there no good way to prevent a rogue hub/switch from messing with
our network?

So the best we can do is to reduce the fault domain: if something gets
messed up, just let it mess up a small area of the network?


Schilling

On Wed, Feb 9, 2011 at 1:45 PM, Arie Vayner (avayner) <avayner at cisco.com> wrote:
> Schilling,
>
> You should be most likely looking at reducing these wide L2 domains, but
> regardless of the L2 domain size, you should still deploy access layer
> countermeasures to avoid loop creation and the effects of a potential
> loop.
>
> VPLS or any other transport would not help you if some user loops the
> cable back, or connects a rogue hub/switch. VPLS just makes sure there
> are no loops in the VPLS core - you can still get loops through the
> other layers.
>
> I would suggest reading these documents (I am including the docs for
> 3750, but it is quite generally supported across the switching
> portfolio):
> http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_55_se/configuration/guide/swstpopt.html
> (Features to look at include: BPDU Guard, Root Guard, Loop Guard)
>
> Also:
> http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_55_se/configuration/guide/swtrafc.html#wp1063295
> (Features to look at include: Storm Control, Port Security (to limit
> number of MACs per port))
>
> Not directly related to loop prevention, but a good practice on campus
> access layer:
> http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_55_se/configuration/guide/swdhcp82.html
> http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_55_se/configuration/guide/swdynarp.html
>
> For even more advanced protection:
> http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_55_se/configuration/guide/sw8021x.html
>
> Arie
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of schilling
> Sent: Wednesday, February 09, 2011 17:12
> To: cisco-nsp
> Subject: [c-nsp] EoMPLS or VPLS loop prevention/storm control
>
> Hi All,
>
> We right now have several bridged campus-wide VLANs. It happens several
> times a year that a loop in one of the VLANs causes our backbone
> to be unavailable. Now we are thinking about how to better architect the design.
> If we migrate to some platform like ASR9K and use EoMPLS or VPLS, what
> will happen if we have a loop in one of the VLANs? The simplest loop is
> a dumb switch with two of its ports connected together.
>
> Thanks,
>
> Schilling
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
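The access-layer countermeasures Arie lists, put together as one configuration. This is an added example written for this page; it is not from the thread, from Cisco TAC, or from the linked guides. It uses Catalyst 3750 / IOS 12.2 SE syntax as referenced above; the interface numbers, VLAN number, storm-control thresholds and MAC limit are assumptions and must be replaced with values from your own baseline.

```cisco
! ---- Global settings (assumed: Catalyst 3750, IOS 12.2 SE syntax) ----
! BPDU Guard on every PortFast port: any BPDU received on a user port
! (a rogue switch, or a hub/cable loop that repeats our own BPDU back)
! err-disables the port instead of letting STP converge around it.
spanning-tree portfast bpduguard default
! Loop Guard: a port that stops receiving expected BPDUs goes
! loop-inconsistent rather than forwarding (unidirectional-link case).
spanning-tree loopguard default
! Auto-recover err-disabled ports after 300 s. A user mistake clears
! itself; a loop that is still present just re-triggers the shutdown.
errdisable recovery cause bpduguard
errdisable recovery cause storm-control
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! ---- User-facing access ports (range and VLAN are assumptions) ----
interface range GigabitEthernet1/0/1 - 48
 description user access port
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! Storm control counts frames per class regardless of origin, so the
 ! rising/falling thresholds (percent of link rate) must come from a
 ! measured baseline; 1.00/0.50 and 5.00/2.00 are placeholder values.
 storm-control broadcast level 1.00 0.50
 storm-control multicast level 5.00 2.00
 ! Start with "trap": a mis-set threshold only logs. Change to
 ! "shutdown" once the thresholds are tuned for the VLAN.
 storm-control action trap
 ! Port security: bound the MAC count so a hub full of hosts, or a
 ! MAC-flooding tool, cannot fill the CAM table. "restrict" drops the
 ! excess MACs and logs/traps instead of err-disabling the port.
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security aging time 5
 switchport port-security aging type inactivity
!
! ---- Port facing a downstream access switch (assumed interface) ----
! Root Guard: a rogue switch advertising a better bridge ID behind this
! port is put into root-inconsistent state instead of becoming root.
interface GigabitEthernet1/0/49
 description downlink to access switch
 switchport mode trunk
 spanning-tree guard root
```

Check the result with `show spanning-tree summary` (BPDU Guard and Loop Guard should show as enabled by default), `show storm-control` (per-port levels and current state), `show port-security interface GigabitEthernet1/0/1`, and `show interfaces status err-disabled` together with `show errdisable recovery` after a test loop. Two caveats a practitioner should keep in mind. First, on a looped dumb hub or unmanaged switch the device usually repeats the access switch's own BPDU back to it, so BPDU Guard normally err-disables the port within one hello interval, before the storm grows; port security does not help against the hub itself, as Schilling notes, but it still bounds how many MACs the hub can inject. Second, storm control is the only fallback if the rogue device drops BPDUs, and it suppresses whole traffic classes: before relying on it, verify in the platform's storm-control documentation which control frames (such as BPDUs and CDP) are exempt from suppression and which, such as routing-protocol multicast, are not.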


