[c-nsp] WS-C2950-EI as ISP access, best practices
Neal Rauhauser
neal.rauhauser at gmail.com
Wed Mar 16 14:13:51 EDT 2011
I've just inherited a plant with a few dozen WS-C2950-EI doing access
duty - an apartment complex. We've had just ridiculous stuff, like certain
models of customer NAT device that will helpfully reforward an unknown
unicast frame(!), and I've pretty well had my fill of Windows antics on this
thing.
Right now this is applied to all ports. Limit seems to be 132 entries
spread across all ports, so 5 entries x 24 ports is all we could do.

ip access-list extended nbtetc4
 deny udp any any eq netbios-ns
 deny udp any any eq 5355
 deny udp any any eq 5353
 deny udp any any eq 1900
 permit ip any any

We're also dumping unknown multicast.

interface FastEthernet0/11
 switchport block multicast
 ip access-group nbtetc4 in

Doing this brought it down to a dull roar & customer calls stopped, but
I'd like to know if there is a tidy cookbook for what to do with these
machines in an access environment.
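
An added example, not part of the original post: a small Python audit that checks a saved switch config for the two per-port controls shown above and totals ACL usage as entries x ports against the 132 figure the post reports. The sample config is constructed, and treating every FastEthernet interface as a customer port is an assumption.

```python
ACE_BUDGET = 132  # figure reported in the post ("seems to be 132 entries")

# Constructed sample: Fa0/11 matches the post; Fa0/12 and Fa0/13 are incomplete.
SAMPLE = """\
ip access-list extended nbtetc4
 deny udp any any eq netbios-ns
 deny udp any any eq 5355
 deny udp any any eq 5353
 deny udp any any eq 1900
 permit ip any any
!
interface FastEthernet0/11
 switchport block multicast
 ip access-group nbtetc4 in
!
interface FastEthernet0/12
 ip access-group nbtetc4 in
!
interface FastEthernet0/13
 switchport block multicast
!
"""

def parse_sections(config):
    """Map each top-level config line to the indented lines beneath it."""
    sections, current = {}, None
    for line in config.splitlines():
        text = line.strip()
        if not text or text == "!":
            current = None  # a separator ends the current section
        elif not line[0].isspace():
            current = sections.setdefault(text, [])
        elif current is not None:
            current.append(text)
    return sections

def audit(config, acl="nbtetc4"):
    """Report ACL entry usage and customer ports missing either control."""
    sections = parse_sections(config)
    aces = len(sections.get(f"ip access-list extended {acl}", []))
    # Assumption: every FastEthernet interface is a customer-facing port.
    ports = {h.split()[1]: body for h, body in sections.items()
             if h.startswith("interface FastEthernet")}
    no_acl = [p for p, b in ports.items() if f"ip access-group {acl} in" not in b]
    no_block = [p for p, b in ports.items() if "switchport block multicast" not in b]
    used = aces * (len(ports) - len(no_acl))  # entries x ports, as the post counts
    return {"aces": aces, "used": used, "over_budget": used > ACE_BUDGET,
            "no_acl": no_acl, "no_block": no_block}
```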