Auto MDI/MDI-X + conference rooms + bored == loop

Chuck Anderson cra at WPI.EDU
Fri Mar 26 23:48:32 UTC 2010


On Fri, Mar 26, 2010 at 06:56:15PM -0400, Anton Kapela wrote:
> In general, I avoid the potential for layer2 loops to any 
> user-accessible layer2 ports in a manner that many edge network and 
> broadband providers may find familiar -- vlan per user, tail, port, 
> etc. -- aggregated in a hierarchical manner within the building, 
> metro area, or city.

If you have 2 network jacks next to each other in a conference room, 
do they each get configured as a separate "user"?  What happens if a 
user connects them together?  What happens if a user plugs a desktop 
switch into one of them, then connects two ports on *that* switch 
together?

> avoiding the preconditions necessary for loops/etc to pose a problem 
> to the agg/border/etc of a network. Don't worry about users' being 

Would this work in a collapsed L2/L3 core (no agg, no L3 at edge)?

> After the access ports are setup and trunking per-port layer2 frames 
> up to the l3 edge (could be 3550, 650x, mwr-1941, etc), we have 
> pages of things like:

When doing 1:1 VLAN:Port mapping, can you do more than 4096 
VLANs/ports?  Or are you doing QinQ?

> A few words on this config: in what you see above, a user simply 
> cannot introduce enough traffic to the network (unicast) to matter 
> (i.e. perhaps they create an unknown unicast dest flood..), and will 
> be shut down if they spew enough bcast/mcast frames (thresholds set 
> appropriate given your expected end-user profiles). Further, only 
> the first 10 mac addresses can ride this bus (sorry, no LAN parties 
> without prior approval), mitigating concerns for CAM or vlan table 
> exhaustion. Lastly, no funky l3/4 acl's are required to prevent 
> users handing out DHCP addresses, leaking RA's, or fronting ARP as 
> your router's MAC address to their vlan-sharin' neighbors--simply 
> because they don't get to send layer2 frames to anyone but the 
> upstream routers control plane.

Cool, but I'm not sure this will work in my non-Cisco campus 
environment with 10,000 edge ports.

Thanks.
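A toy simulation of the conference-room loop discussed in this thread, added here as an illustration and not code from the original post or any vendor configuration; the port names, source MAC and threshold are constructed. It shows a single broadcast frame circulating indefinitely through two jacks a user has cabled together, the MAC flapping that results, and how a per-port storm-control threshold like the one Anton describes err-disables the looped ports.

```python
from collections import deque
# Constructed toy: jacks "a" and "b" are two conference-room ports a user
# cabled together, so a frame sent out "a" re-enters on "b" and vice versa.
# Storm control err-disables a port exceeding `threshold` frames per window.
PORTS = ("uplink", "a", "b", "c")
LOOP = {"a": "b", "b": "a"}          # looped jack pair (constructed)

class LoopedSwitch:
    def __init__(self, storm_threshold):
        self.threshold = storm_threshold
        self.mac_table = {}           # mac -> port last seen on
        self.rx = {p: 0 for p in PORTS}
        self.errdisabled = set()
        self.flaps = 0                # MAC seen moving between ports

    def receive(self, mac, port, out_queue):
        """Flood one broadcast frame arriving on `port`; return copies sent."""
        if port in self.errdisabled:
            return 0
        self.rx[port] += 1
        if self.rx[port] > self.threshold:
            self.errdisabled.add(port)  # storm-control action: shut the port
            return 0
        old = self.mac_table.get(mac)
        if old is not None and old != port:
            self.flaps += 1           # what a switch logs as a MAC flap
        self.mac_table[mac] = port
        sent = 0
        for out in PORTS:
            if out == port or out in self.errdisabled:
                continue
            sent += 1
            if out in LOOP:           # the loop feeds the frame back in
                out_queue.append((mac, LOOP[out]))
        return sent

def simulate(storm_threshold, windows, src_mac="00:11:22:33:44:55"):
    """Inject one broadcast on port "c", run `windows` forwarding rounds,
    return (frames_forwarded, err_disabled_ports, mac_flaps)."""
    sw = LoopedSwitch(storm_threshold)
    queue = deque([(src_mac, "c")])
    forwarded = 0
    for _ in range(windows):
        nxt = deque()
        while queue:
            mac, port = queue.popleft()
            forwarded += sw.receive(mac, port, nxt)
        queue = nxt
    return forwarded, sorted(sw.errdisabled), sw.flaps
```

With a threshold of 5 the two looped jacks are err-disabled after the sixth window and the storm stops; with no effective threshold the forwarded-frame and flap counts grow without bound, which is why a single looped conference-room pair can take down a flat L2 domain.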
