[c-nsp] EoMPLS or VPLS loop prevention/storm control

Arie Vayner (avayner) avayner at cisco.com
Wed Feb 9 14:35:42 EST 2011


Well, take a better look at BPDU guard for access ports. 
Also storm control on desktop PC access ports would not affect any protocols...
Each feature should be used in the correct context...

Arie
--------------------------
Sent using BlackBerry


----- Original Message -----
From: schilling [mailto:schilling2006 at gmail.com]
Sent: Wednesday, February 09, 2011 08:10 PM
To: Arie Vayner (avayner)
Cc: cisco-nsp <cisco-nsp at puck.nether.net>
Subject: Re: [c-nsp] EoMPLS or VPLS loop prevention/storm control

Thanks all for the info.
I am familiar with these features. I talked with Cisco TAC several
times; they are not recommending storm control since it cannot
differentiate control data from user data, and this might cause
instability of the layer 2 network.  Port-security to only allow specific
MAC addresses might be helpful, but will not be useful for a hub.
So there is no good way to prevent rogue hub/switch from messing with
our network?

So the best we can do is to reduce the fault domain, if something
messed up, just let it mess up a small area of network?


Schilling

On Wed, Feb 9, 2011 at 1:45 PM, Arie Vayner (avayner) <avayner at cisco.com> wrote:
> Schilling,
>
> You should be most likely looking at reducing these wide L2 domains, but
> regardless of the L2 domain size, you should still deploy access layer
> countermeasures to avoid loop creation and the effects of a potential
> loop.
>
> VPLS or any other transport would not help you if some user loops the
> cable back, or connects a rogue hub/switch. VPLS just makes sure there
> are no loops in the VPLS core - you can still get loops through the
> other layers.
>
> I would suggest reading these documents (I am including the docs for
> 3750, but it is quite generally supported across the switching
> portfolio):
> http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3750e_3560e
> /software/release/12.2_55_se/configuration/guide/swstpopt.html
> (Features to look at include: BPDU Guard, Root Guard, Loop Guard)
>
> Also:
> http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3750e_3560e
> /software/release/12.2_55_se/configuration/guide/swtrafc.html#wp1063295
> (Features to look at include: Storm Control, Port Security (to limit
> number of MACs per port))
>
> Not directly related to loop prevention, but a good practice on campus
> access layer:
> http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3750e_3560e
> /software/release/12.2_55_se/configuration/guide/swdhcp82.html
> http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3750e_3560e
> /software/release/12.2_55_se/configuration/guide/swdynarp.html
>
> For even more advanced protection:
> http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3750e_3560e
> /software/release/12.2_55_se/configuration/guide/sw8021x.html
>
> Arie
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of schilling
> Sent: Wednesday, February 09, 2011 17:12
> To: cisco-nsp
> Subject: [c-nsp] EoMPLS or VPLS loop prevention/storm control
>
> Hi All,
>
> We right now have several bridged campus-wide VLANs. It happens several
> times a year that a loop in one of the VLANs causes our backbone
> to be unavailable. Now we are thinking about how to better architect the design.
> If we migrate to some platform like ASR9K and use EoMPLS or VPLS, what
> will happen if we have a loop in one of the VLANs?  The simplest loop is
> a dumb switch with two of its ports connected together.
>
> Thanks,
>
> Schilling
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
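The thread's recommendation is that the countermeasures belong on the access layer regardless of what the core transport is: BPDU guard (plus PortFast) on edge ports, storm control only on desktop ports where no control protocols run, and port security with a MAC limit. The following audit script is an added example, not code from the thread or from Cisco: it parses a constructed Catalyst IOS running-config (embedded inline, not a real device's config) and reports every `switchport mode access` interface that lacks one of those three features, while skipping trunks, where root guard and loop guard are the relevant tools instead. It assumes the standard IOS command forms `spanning-tree portfast bpduguard default` (global, which only applies to PortFast-enabled ports), `spanning-tree bpduguard enable`, `storm-control broadcast level`, and `switchport port-security maximum`; the newer `spanning-tree portfast edge` spelling is not matched.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample running-config (not from the thread): one access port
# with all three countermeasures, one bare access port, and one trunk uplink.
SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
!
interface GigabitEthernet1/0/1
 description desktop PC
 switchport mode access
 switchport access vlan 10
 switchport port-security maximum 2
 switchport port-security
 storm-control broadcast level 1.00
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 description desktop PC
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/48
 description uplink to distribution
 switchport mode trunk
!
"""

# Interface-level commands the audit expects on every access port.
REQUIRED_EDGE_FEATURES = ("bpduguard", "storm-control", "port-security")


def parse_interfaces(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split an IOS running-config into global lines and per-interface lines.

    Interface sub-commands are indented by one space; a '!' or an unindented
    line ends the current interface block.
    """
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        match = re.match(r"^interface (\S+)$", line)
        if match:
            current = match.group(1)
            interfaces[current] = []
            continue
        if current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def audit_access_ports(config: str) -> Dict[str, List[str]]:
    """Return {interface: [missing features]} for access ports only.

    Trunks are skipped on purpose: the thread's edge features (BPDU guard,
    storm control, MAC limits) are for user ports, not uplinks.
    """
    global_lines, interfaces = parse_interfaces(config)
    global_bpduguard = "spanning-tree portfast bpduguard default" in global_lines
    findings: Dict[str, List[str]] = {}
    for name, lines in interfaces.items():
        if "switchport mode access" not in lines:
            continue
        missing: List[str] = []
        # The global default only takes effect on PortFast-enabled ports.
        portfast = "spanning-tree portfast" in lines
        explicit_guard = "spanning-tree bpduguard enable" in lines
        if not (explicit_guard or (global_bpduguard and portfast)):
            missing.append("bpduguard")
        if not any(l.startswith("storm-control broadcast level") for l in lines):
            missing.append("storm-control")
        has_limit = any(l.startswith("switchport port-security maximum") for l in lines)
        if "switchport port-security" not in lines or not has_limit:
            missing.append("port-security")
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for port, missing in audit_access_ports(SAMPLE_CONFIG).items():
        print(f"{port}: missing {', '.join(missing)}")
```

Running it against the sample flags only GigabitEthernet1/0/2, which is exactly the kind of port a user could plug a hub or a looped cable into without the switch noticing. Because the check is on the parsed configuration rather than on device state, it can be run against archived configs to find the access ports that still lack the features before a loop finds them.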