[112305] in North American Network Operators' Group


RE: external L2 ethernet connections

daemon@ATHENA.MIT.EDU (Holmes,David A)
Mon Feb 23 12:47:24 2009

Date: Mon, 23 Feb 2009 09:47:28 -0800
In-reply-to: <499EC121.9090204@ttec.com>
From: "Holmes,David A" <dholmes@mwdh2o.com>
To: "Joe Maimon" <jmaimon@ttec.com>,
	<nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

All of the protocols below should be turned off; my understanding is
that with dot1q trunking vlan1 cannot be removed from the trunk,
although Cisco's isl trunking allows the removal of all vlans. If Cisco
equipment is used, the "bpdu filter" command is useful as it instructs
the switch to neither send bpdus nor accept them. These are good
practices not just for connectivity to other AS's, but also in cases
where Ethernet switches comprise a geographically dispersed WAN
backbone. The key is to turn off all layer 2 state machines in the
connected Ethernet switches, enabling only layer 3 state machines.

We have found with some vendors' equipment that the layer 2/layer 3
state machines are not tightly integrated so, for instance, a cam
timeout in layer 2 will remove the underlying port/mac table entry for a
destination layer 3 network, resulting in unknown unicast flooding with
noticeable effects on user response time.

-----Original Message-----
From: Joe Maimon [mailto:jmaimon@ttec.com]
Sent: Friday, February 20, 2009 6:42 AM
To: nanog@nanog.org
Subject: external L2 ethernet connections

Does anyone have a best practice list of things to disable/filter/turn
off on ethernet ports l2 connected to other AS's

cdp
stp
switchport negotiate
vtp
if trunking, limit vlans, no vlan1

So on so forth.

Switches do so many darn things all by themselves, as any packet capture
shows.

Thanks,

Joe




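The checklist discussed in this thread (CDP, STP/BPDUs, DTP negotiation, VTP, trunk VLAN pruning, no VLAN 1) turned into a small config audit. This is an added example, not code from either poster; it assumes Cisco IOS-style syntax for the interface and global commands it looks for (`no cdp enable` / `no cdp run`, `spanning-tree bpdufilter enable`, `switchport nonegotiate`, `vtp mode transparent` or `vtp mode off`, `switchport trunk allowed vlan ...`, `switchport trunk native vlan ...`), and the config it audits is constructed for illustration, with one port hardened per the thread and one left at defaults.

```python
"""Audit IOS-style interface stanzas for the layer-2 state machines the
thread says should be off on ports facing another AS.

Added example: the sample config is constructed, and the accepted command
forms are assumptions about standard IOS syntax (not from the thread).
"""

import re
from typing import Dict, List, Set

# Constructed sample config: Gi1/0/1 follows the thread's checklist,
# Gi1/0/2 is a trunk left at defaults. AS numbers are documentation values.
SAMPLE_CONFIG = """\
!
vtp mode transparent
!
interface GigabitEthernet1/0/1
 description peer AS64496 (constructed)
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport trunk native vlan 999
 switchport nonegotiate
 no cdp enable
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/0/2
 description peer AS64497 (constructed)
 switchport mode trunk
!
"""


def parse_config(text: str) -> Dict[str, List[str]]:
    """Split an IOS-style config into {section: [lines]}.

    Unindented commands go under "global"; each 'interface X' stanza
    gets its indented child lines under the key X. '!' separators and
    blank lines are ignored.
    """
    sections: Dict[str, List[str]] = {"global": []}
    current = "global"
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            sections[current].append(raw.strip())
            continue
        match = re.match(r"interface\s+(\S+)", raw)
        if match:
            current = match.group(1)
            sections[current] = []
        else:
            current = "global"
            sections["global"].append(raw.strip())
    return sections


def expand_vlans(spec: str) -> Set[int]:
    """Expand an allowed-vlan list such as '10,20-22' into {10, 20, 21, 22}."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def audit_interface(sections: Dict[str, List[str]], name: str) -> List[str]:
    """Return findings for one port; an empty list means it matches the checklist."""
    glob = sections["global"]
    lines = sections.get(name)
    if lines is None:
        return [f"{name}: interface not found"]
    findings: List[str] = []
    if "no cdp run" not in glob and "no cdp enable" not in lines:
        findings.append("CDP still enabled")
    if "spanning-tree bpdufilter enable" not in lines:
        findings.append("STP BPDUs still sent/accepted (no bpdufilter)")
    if "switchport nonegotiate" not in lines:
        findings.append("DTP trunk negotiation still enabled")
    if not any(g in ("vtp mode transparent", "vtp mode off") for g in glob):
        findings.append("VTP not transparent/off globally")
    if "switchport mode trunk" in lines:
        prefix = "switchport trunk allowed vlan "
        allowed = [l for l in lines if l.startswith(prefix)]
        if not allowed:
            findings.append("trunk allows all VLANs (no allowed-vlan list)")
        else:
            spec = allowed[-1][len(prefix):]
            # Only explicit lists are evaluated; add/remove/except forms need a human.
            if spec.startswith(("add ", "remove ", "except ", "all", "none")):
                findings.append(f"allowed-vlan uses '{spec}'; review manually")
            elif 1 in expand_vlans(spec):
                findings.append("VLAN 1 is in the allowed list")
        native = [l for l in lines if l.startswith("switchport trunk native vlan ")]
        if not native or native[-1].rsplit(" ", 1)[1] == "1":
            findings.append("native VLAN is 1")
    return findings


def audit_config(text: str) -> Dict[str, List[str]]:
    """Audit every interface stanza in the config."""
    sections = parse_config(text)
    return {n: audit_interface(sections, n) for n in sections if n != "global"}


if __name__ == "__main__":
    for port, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{port}: {'OK' if not findings else '; '.join(findings)}")
```

Run against the constructed config, the hardened port reports no findings and the default trunk is flagged for CDP, BPDU filtering, DTP negotiation, an unpruned VLAN list and native VLAN 1. The checks are deliberately literal string matches on the commands named above, so a config using other valid spellings or platform-specific variants should be added to the accepted forms rather than assumed compliant.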