How to secure link between switches in Layer2
piotr.1234 at interia.pl
Sat Mar 25 13:21:44 UTC 2017
I mean loops, floods, high CPU because of TCN/TCA etc.
IMHO sniffing is not the case in my scenario, I suppose, but I'll remember this.
On 2017-03-25 at 13:21, Paul S. wrote:
> What exactly does "limited trust" mean?
> Are you worried they might sniff the data on the link, or?
> If so, macsec is really your only remedy.
> On 3/25/2017 07:00 PM, Pedro wrote:
>> Sometimes I have a situation where I have to extend my layer 2 (access,
>> trunk mode) network to third parties with limited trust. Sometimes
>> it's L2 MPLS links from an ISP (1x or 2x), sometimes it's just a colocated
>> switch. Mostly there are Juniper EX4200/4300 or Cisco 3750. Below
>> I put my config, but maybe I miss something important? Or I should
>> correct something?
>> Thanks for help
>> If two p2p links: aggregation with LACP
>> stp/rstp in portfast mode on access port
>> stp/rstp without portfast mode on trunk port
>> rstp root guard
>> on ports facing servers, in portfast mode, bpdu guard
>> spanning-tree root guard
>> max amount of mac addresses ie 100
>> per port per vlan max mac address
>> 802.1q with vlans, but not vlan 1
>> broadcast storm for bum packets: 10 pps
>> static ip - no dhcp servers/clients in vlans
>> cpu monitoring with notification in ie zabbix
>> cdp disable (if cisco)
>> dtp disable (if cisco)
>> eventually policer per port or per vlan.
>> thanks in advance,
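As an added illustration of how that checklist maps onto Cisco IOS syntax on a 3750-class switch (my own example, not Pedro's actual config; interface names, VLAN numbers, thresholds and the SNMP host/community are placeholders):

```cisco
! Added example, not from the thread. Interface names, VLAN ids, pps
! thresholds and the SNMP host/community are assumed placeholders.
!
! Global: tag the native VLAN so untagged frames from the far side are not
! silently mapped into a VLAN; raise an SNMP trap on CPU spikes (TCN storms).
vlan dot1q tag native
process cpu threshold type total rising 80 interval 5 falling 50 interval 5
snmp-server enable traps cpu threshold
snmp-server host 192.0.2.10 version 2c MONITOR-RO cpu
!
! Trunk toward the limited-trust switch or ISP L2 service
interface GigabitEthernet1/0/1
 description uplink to third-party L2 (limited trust)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
 no cdp enable
 spanning-tree guard root
 storm-control broadcast level pps 10
 storm-control multicast level pps 10
 storm-control action trap
 switchport port-security
 switchport port-security maximum 100
 switchport port-security maximum 50 vlan 10
 switchport port-security maximum 50 vlan 20
 switchport port-security violation restrict
!
! Access port facing a server: edge port, err-disabled on any received BPDU
interface GigabitEthernet1/0/10
 description server port
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 no cdp enable
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 storm-control broadcast level pps 10
```

`switchport nonegotiate` turns off DTP on the port, `no cdp enable` turns off CDP per interface, and `storm-control action trap` keeps the link up while notifying the monitoring system; use `action shutdown` where an err-disabled uplink is preferable to a flood.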