> If you make sure there's always just one active path from each broadcast
> domain and have your MAC filters, then you have nothing to worry about. 

This is not generally possible when the customer moans about wanting
provider edge resiliency, or wanting full visibility of all MACs on each
side, with no restrictions; even if you have per-port MAC counting, a
port flap followed by a customer-side L2 loop can still cause a lot of
damage: don't forget how long it takes between the time that a port
receives a MAC address and the time that the port ACL is programmed in
hardware, by which time the entire FDB of your entire broadcast domain
could be polluted. Not sure how long that operation takes on modern
boxes these days, but I've seen it take up to 250ms on some older kit.

There are just so many ways for this to fail, it's not funny.

