Hi,
> Hello,
>
> I am looking at tightening up my subscriber access network and, if
> I understand the documentation correctly, 'switchport block unicast'
> will prevent a cisco switch (3560g in this case) from flooding unicast
> frames out any port so configured, unless the destination mac address
> was learned from that port. Is there any reason on earth why I would NOT
> want to have this as a standard default option?

It will break connectivity in the direction network --> host when the host is inactive for 5 minutes (or <mac address-table aging-time xy> when configured other than default) and will only be restored when the host originates traffic (not the other way around). This can be very dangerous depending on your use-case.

> Arp would still work

ARP default timeout on Cisco gear is 4 hours, while the switch aging time is 5 minutes. So in the worst case it would work the first five minutes and then fail for the next 235 minutes.

Also keep in mind that ARP likes to use unicast requests when the destination MAC is known and valid (when refreshing the ARP table entry) and only falls back to broadcast when the entry is purged from the table.

> would dhcp

If your lease time is below 5 minutes, sure.

> and pppoe...

PPP keepalives will keep the switch from purging the MAC from the table, so this may actually work.

> Is there any reason on earth why I would NOT want to have this as a
> standard default option?

Like mentioned above, this breaks connectivity if your host is idle. Since you are talking about a subscriber access network, this may work if you use PPPoE or IPoE/DHCP with short lease timers, but evaluate carefully.

Regards,
Lukas

_______________________________________________
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
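The timer interaction Lukas describes (MAC aging 5 minutes vs. ARP timeout 4 hours, unicast ARP refresh while the entry is valid, broadcast only after it is purged) as a small Python model. This is an added example, not code from the mailing-list post or from Cisco; the host MAC, IP address, keepalive interval and the class and function names are assumptions, and the event model deliberately simplifies IOS behaviour to the points made in the reply.

```python
"""Toy model of a subscriber port with 'switchport block unicast'.

Added example, not code from the cisco-nsp post. It models the failure
mode described in the reply: the switch ages the host MAC after
`mac address-table aging-time` (300 s default), the router keeps its ARP
entry for `arp timeout` (4 h default) and refreshes it with a *unicast*
request, so frames toward an idle host are dropped (not flooded) until
the host speaks again or the ARP entry is purged and re-learned via
broadcast. Names, addresses and the event model are assumptions.
"""

BROADCAST = "ff:ff:ff:ff:ff:ff"
MAC_AGING_DEFAULT = 300          # s, Cisco default mac address-table aging-time
ARP_TIMEOUT_DEFAULT = 4 * 3600   # s, Cisco default ARP timeout


class BlockedUnicastPort:
    """Access port with block unicast: unknown unicast is dropped, not flooded."""

    def __init__(self, mac_aging=MAC_AGING_DEFAULT):
        self.mac_aging = mac_aging
        self.last_seen = {}  # host MAC -> time the host last sent a frame

    def host_sends(self, mac, now):
        self.last_seen[mac] = now  # source learning refreshes the aging timer

    def is_learned(self, mac, now):
        t = self.last_seen.get(mac)
        return t is not None and now - t < self.mac_aging

    def deliver(self, dst_mac, now):
        """True if a frame from the network side reaches the host."""
        if dst_mac == BROADCAST:
            return True  # broadcasts are still forwarded out the port
        return self.is_learned(dst_mac, now)  # unknown unicast: dropped


class Router:
    """Router/SVI ARP cache: unicast while the entry is valid, else broadcast."""

    def __init__(self, arp_timeout=ARP_TIMEOUT_DEFAULT):
        self.arp_timeout = arp_timeout
        self.arp = {}  # host IP -> (mac, learned_at)

    def learn_arp(self, ip, mac, now):
        self.arp[ip] = (mac, now)

    def send_to_host(self, ip, port, host, now):
        """Forward one packet to the host. Returns (delivered, how)."""
        entry = self.arp.get(ip)
        if entry is not None and now - entry[1] < self.arp_timeout:
            # Entry still valid: data frame (and any ARP refresh) go unicast.
            return port.deliver(entry[0], now), "unicast"
        # Entry purged: broadcast ARP request, which the port still forwards;
        # the host's reply makes the switch re-learn its MAC.
        port.deliver(BROADCAST, now)
        host.reply_arp(port, self, ip, now)
        return port.deliver(self.arp[ip][0], now), "broadcast-arp"


class Host:
    def __init__(self, mac, keepalive=None):
        self.mac = mac
        self.keepalive = keepalive  # e.g. a PPP keepalive interval in s, or None

    def reply_arp(self, port, router, ip, now):
        port.host_sends(self.mac, now)
        router.learn_arp(ip, self.mac, now)

    def refresh_if_keepalive(self, port, now):
        if self.keepalive is not None:
            # Most recent keepalive was sent at the last multiple of the interval.
            port.host_sends(self.mac, now - (now % self.keepalive))


def reach_idle_host(idle_seconds, keepalive=None,
                    mac_aging=MAC_AGING_DEFAULT, arp_timeout=ARP_TIMEOUT_DEFAULT):
    """Host talks at t=0, then stays idle. Can the network reach it at t=idle_seconds?"""
    port = BlockedUnicastPort(mac_aging)
    router = Router(arp_timeout)
    host = Host("00:11:22:33:44:55", keepalive)   # constructed sample host
    ip = "192.0.2.10"                             # documentation address
    host.reply_arp(port, router, ip, now=0)       # initial traffic: MAC + ARP learned
    host.refresh_if_keepalive(port, idle_seconds)
    return router.send_to_host(ip, port, host, idle_seconds)


def blackout_window(mac_aging=MAC_AGING_DEFAULT, arp_timeout=ARP_TIMEOUT_DEFAULT):
    """Seconds during which an idle host stays unreachable with the given timers."""
    return max(0, arp_timeout - mac_aging)


if __name__ == "__main__":
    for t in (60, 600, 4 * 3600):
        print(f"t={t:>5}s idle: {reach_idle_host(t)}")
    print("with 10 s keepalive at 600 s:", reach_idle_host(600, keepalive=10))
    print("blackout with default timers:", blackout_window() // 60, "minutes")
```

With the default timers the model reproduces the reply's numbers: reachable for the first 300 s, unreachable until the ARP entry ages out at 14400 s (a 235-minute gap), reachable again once the broadcast ARP request makes the host answer. Raising `mac_aging` above the ARP timeout, or any periodic host-originated traffic (the PPP keepalive case), closes the gap; on real IOS the numbers to check are `show mac address-table aging-time` and the `arp timeout` on the SVI.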