I mean loop, flood, high CPU because of TCN/TCA etc. IMHO sniffing is not a case in my scenario, I suppose, but I'll remember this.

On 2017-03-25 at 13:21, Paul S. wrote:
What exactly does "limited trust" mean?
Are you worried they might sniff the data on the link, or?
If so, MACsec is really your only remedy.
On 3/25/2017 07:00 PM, Pedro wrote:
Hello,
Sometimes I have a situation where I have to extend my layer 2 (access, trunk mode) network to third parties with limited trust. Sometimes it's L2 MPLS links from an ISP (1x or 2x), sometimes it's just a colocated switch. Mostly there are Juniper EX4200/4300 or Cisco 3750. Below I put my config, but maybe I missed something important? Or should I correct something?
Thanks for your help.
1. If two p2p links: aggregation with LACP
2. STP/RSTP in PortFast mode on access ports; STP/RSTP without PortFast mode on trunk ports; RSTP root guard
3. On ports facing servers, in PortFast mode: BPDU guard, spanning-tree root guard
4. Max number of MAC addresses, i.e. 100 per port per VLAN (max MAC address)
5. 802.1Q with VLANs, but not VLAN 1
6. Broadcast storm control for BUM packets: 10 pps
7. Static IP - no DHCP servers/clients in VLANs
8. CPU monitoring with notification in e.g. Zabbix
9. CDP disabled (if Cisco); DTP disabled (if Cisco)
10. Eventually a policer per port or per VLAN.
Thanks in advance, Pedro
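As an added illustration, not configuration from this thread or from the poster: Cisco IOS commands for a Catalyst 3750 that implement items 2 through 9 of the list above for the single-link (colocated switch) case. Interface names, VLAN IDs, the native VLAN and the per-port MAC limits are assumed, and the LACP bundle of item 1 is not shown.

```cisco
! Item 7: DHCP snooping with no trusted ports drops DHCP server replies
! on these VLANs (static IPs only). VLAN IDs 10 and 20 are assumed.
ip dhcp snooping
ip dhcp snooping vlan 10,20
!
! Single trunk toward the colocated third-party switch (interface name assumed)
interface GigabitEthernet1/0/1
 description trunk to third party (limited trust)
 switchport trunk encapsulation dot1q
! Item 5: 802.1Q, unused native VLAN 999 (assumed) instead of VLAN 1, only needed VLANs
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
! Item 9: no DTP or CDP toward the third party
 switchport nonegotiate
 no cdp enable
! Item 2: root guard on the trunk; PortFast deliberately not set here
 spanning-tree guard root
! Item 4: at most 100 MACs per VLAN on this port; restrict drops the excess, keeps the port up
 switchport port-security
 switchport port-security maximum 100 vlan 10,20
 switchport port-security violation restrict
! Item 6: BUM traffic limited to 10 pps; the trap feeds the Zabbix alerting of item 8
 storm-control broadcast level pps 10
 storm-control multicast level pps 10
 storm-control action trap
!
! Item 3: server-facing access port (interface and VLAN assumed)
interface GigabitEthernet1/0/10
 description server
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 no cdp enable
! Edge port: PortFast, err-disable on any received BPDU, and root guard
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 storm-control broadcast level pps 10
 storm-control multicast level pps 10
 storm-control action trap
```

Verify with show port-security interface, show storm-control and show spanning-tree inconsistentports after applying. A 10 pps multicast limit also throttles legitimate multicast such as routing-protocol or HSRP hellos, so check what is expected on those VLANs before setting it that low.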