[c-nsp] wisdom of switchport block ...

Lukas Tribus luky-37 at hotmail.com
Mon Feb 10 06:16:36 EST 2014


Hi,


> Hello,
>
> I am looking at tightening up my subscriber access network and, if
> I understand the documentation correctly, 'switchport block unicast'
> will prevent a cisco switch (3560g in this case) from flooding unicast
> frames out any port so configured, unless the destination mac address
> was learned from that port. Is there any reason on earth why I would NOT
> want to have this as a standard default option?


It will break connectivity in the direction network --> host when the host is
inactive for 5 minutes (or <mac address-table aging-time xy> when configured
other than default) and will only be restored when the host originates
traffic (not the other way around). This can be very dangerous depending on
your use-case.



> Arp would still work

ARP default timeout on Cisco gear is 4 hours, while the switch aging time
is 5 minutes. So in the worst case it would work the first five minutes and
then fail for the next 235 minutes.

Also keep in mind that ARP likes to use unicast requests when the destination
MAC is known and valid (when refreshing the ARP table entry) and only falls
back to broadcast when the entry is purged from the table.



> would dhcp

If your lease time is below 5 minutes, sure.



> and pppoe...

PPP keepalives will keep the switch from purging the mac from the table, so
this may actually work.



> Is there any reason on earth why I would NOT want to have this as a
> standard default option?

As mentioned above, this breaks connectivity if your host is idle. Since
you are talking about a subscriber access network, this may work if you use
PPPoE or IPoE/DHCP with short lease timers, but evaluate carefully.



Regards,

Lukas
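A timing model of the failure mode described in this reply, added here as an illustration and not part of the original post or of any Cisco tooling. It tracks only the two timers the reply reasons about (MAC aging time and ARP timeout) and assumes a host that either stays silent or originates a frame at a fixed interval; the functions and constants are the example's own, not IOS features.

```python
# Constructed timing model: an access port with 'switchport block unicast',
# the default Cisco MAC aging time (300 s) and the default ARP timeout (4 h).
# Not an IOS emulation; it only models when network -> host frames get through.

MAC_AGING = 300       # seconds; default 'mac address-table aging-time'
ARP_TIMEOUT = 14400   # seconds; default ARP cache timeout on Cisco IOS (4 h)
DAY = 86400

def reachable_windows(host_tx_interval=None, mac_aging=MAC_AGING,
                      arp_timeout=ARP_TIMEOUT, horizon=DAY):
    """Return merged (start, end) intervals within [0, horizon) during which
    network -> host unicast frames are delivered to the blocked port.

    Model assumptions (simplifications, stated as such):
      * A frame is delivered only while the switch holds the host MAC, i.e.
        for mac_aging seconds after the host last sent something; with
        'switchport block unicast' unknown unicast is never flooded to the port.
      * The router re-resolves ARP every arp_timeout seconds (unicast refresh
        if the MAC is known, broadcast fallback once the entry is purged); the
        host's reply counts as the host transmitting at that instant.
      * host_tx_interval: seconds between frames the host sends on its own
        (PPP keepalives, DHCP renewals); None models a completely idle host.
    """
    tx_times = set(range(0, horizon, arp_timeout))
    if host_tx_interval:
        tx_times.update(range(0, horizon, host_tx_interval))
    windows = []
    for t in sorted(tx_times):
        start, end = t, min(t + mac_aging, horizon)
        if windows and start <= windows[-1][1]:     # overlapping/abutting: merge
            windows[-1] = (windows[-1][0], max(windows[-1][1], end))
        else:
            windows.append((start, end))
    return windows

def outage_seconds(windows, horizon=DAY):
    """Seconds within [0, horizon) with no network -> host reachability."""
    return horizon - sum(end - start for start, end in windows)

if __name__ == "__main__":
    cases = (("silent host", None),
             ("PPP keepalive every 10 s", 10),
             ("DHCP lease 4 min (renews at 2 min)", 120),
             ("host speaks only every 10 min", 600))
    for label, interval in cases:
        w = reachable_windows(interval)
        print(f"{label}: {len(w)} window(s), outage {outage_seconds(w)} s/day")
```

The silent-host case reproduces the reply's arithmetic: reachable for the first 300 s of every 4 h ARP cycle, unreachable for the remaining 235 minutes.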
