On 09/02/2011 19:10, schilling wrote:
> I am familiar with these features. I talked with Cisco TAC several
> times, they are not recommending the storm control since it cannot
> differentiate control data from user data, this might cause
> instability of layer 2 network.
This is true on core ports, which is one of the reasons why it's
important to constrain the size of your layer2 domains. However, storm
control is critical on access ports.
> port-security to only allow specific
> MAC address might be helpful, but will not be useful for a hub.
Hub? Urgh, you need to remove this dangerous item from your network,
pronto! :-)
> So there is no good way to prevent rogue hub/switch from messing with
> our network?
No. Hubs are trouble, and unless you control the rogue switch, and the
switch has decent quality port security features, then that will also
cause trouble.
> So the best we can do is to reduce the fault domain, if something
> messed up, just let it mess up a small area of network?
You need to reduce your fault domain as part of a controlled redesign of
your network, which will involve partitioning of the network into much
smaller areas, installation of equipment which has the features and
functionality that you need, removal of older equipment which is
actively causing trouble, creation of access policies and templates for
access and core ports, examination of dot1x (this is a contentious
point), right down to creation of policies for dealing with people who
feel that this restructuring is going to impinge on their carefree
lifestyles.
Also, don't use VTP unless you like living dangerously.
Hyping your network with an MPLS core and using EoMPLS / AToM will give
you lots of string to hang yourself with. There are plenty of
legitimate design reasons to use MPLS as a transport for your L2 core,
but dealing with edge stability problems is not one of them.
Nick
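As an added illustration of the access-port template Nick recommends (not part of the original thread, and not a config from either poster): a Cisco IOS fragment that applies storm control and port security on access ports only, leaves them off the core uplink, and disables VTP. Interface names, VLAN numbers, thresholds and the sticky-MAC limit are assumptions chosen for the example; BPDU guard is added here as the usual companion control for rogue switches and is likewise this example's choice, not something the thread states.

```cisco
! Added example: access and core port templates (assumed names/values)
vtp mode transparent
!
! Bring storm-control-disabled ports back automatically after 5 minutes,
! so a rogue hub only blackholes its own port, not the VLAN.
errdisable recovery cause storm-control
errdisable recovery cause psecure-violation
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Access port template: small fault domain, rate-limited flooding,
! limited MACs, no spanning-tree participation from downstream gear.
interface range GigabitEthernet1/0/1 - 24
 description ACCESS-PORT (example template)
 switchport mode access
 switchport access vlan 110
 switchport nonegotiate
 ! Storm control is applied on access ports only (see the thread):
 ! shut the port at 1% broadcast / 5% multicast of link bandwidth.
 storm-control broadcast level 1.00
 storm-control multicast level 5.00
 storm-control action shutdown
 storm-control action trap
 ! Port security: at most 2 learned MACs, protect-and-log on violation.
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 ! A rogue switch or hub-attached switch sending BPDUs errdisables the port.
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Core/uplink template: trunk only the VLANs needed, and no storm
! control here, as TAC warned it cannot tell control traffic from data.
interface TenGigabitEthernet1/1/1
 description CORE-UPLINK (example template)
 switchport mode trunk
 switchport trunk allowed vlan 110,120
 switchport nonegotiate
 no switchport port-security
```

`storm-control action trap` alongside `shutdown` sends an SNMP trap when the threshold trips, so the errdisable event is visible to monitoring rather than just silently recovering; `violation restrict` keeps the port up but drops and logs the extra MACs, which is gentler than `shutdown` when the offending device is a legitimate but over-populated hub.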
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/