On Fri, Mar 26, 2010 at 06:56:15PM -0400, Anton Kapela wrote:
> In general, I avoid the potential for layer2 loops to any user-accessible layer2 ports in a manner that many edge network and broadband providers may find familiar -- vlan per user, tail, port, etc. -- aggregated in a hierarchical manner within the building, metro area, or city.
If you have 2 network jacks next to each other in a conference room, do they each get configured as a separate "user"? What happens if a user connects them together? What happens if a user plugs a desktop switch into one of them, then connects two ports on *that* switch together?
> avoiding the preconditions necessary for loops/etc to pose a problem to the agg/border/etc of a network. Don't worry about users' being
Would this work in a collapsed L2/L3 core (no agg, no L3 at edge)?
> After the access ports are set up and trunking per-port layer2 frames up to the L3 edge (could be 3550, 650x, mwr-1941, etc.), we have pages of things like:
When doing 1:1 VLAN:Port mapping, can you do more than 4096 VLANs/ports? Or are you doing QinQ?
> A few words on this config: in what you see above, a user simply cannot introduce enough (unicast) traffic to the network to matter (i.e. perhaps they create an unknown unicast dest flood..), and will be shut down if they spew enough bcast/mcast frames (thresholds set appropriately given your expected end-user profiles). Further, only the first 10 MAC addresses can ride this bus (sorry, no LAN parties without prior approval), mitigating concerns for CAM or VLAN table exhaustion. Lastly, no funky L3/4 ACLs are required to prevent users handing out DHCP addresses, leaking RAs, or fronting ARP as your router's MAC address to their vlan-sharin' neighbors--simply because they don't get to send layer2 frames to anyone but the upstream router's control plane.
Cool, but I'm not sure this will work in my non-Cisco campus environment with 10,000 edge ports. Thanks.
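The actual "pages of things" Anton refers to are not reproduced in the quoted message. As an added illustration of the per-port-VLAN pattern he describes (this is not his posted config, and it is Catalyst IOS syntax chosen because he names the 3550/650x as examples), here is one user jack plus its uplink and the matching router-side interface. Interface names, VLAN 101, the 1% storm-control level, the 10-MAC limit, the trunk VLAN range and the 10.0.101.0/24 addressing are all assumptions made for the example.

```cisco
! Added example, not from the original post. Names, numbers and
! thresholds below are assumptions; tune them to your own edge profile.
!
! --- Access switch (assumed: a Catalyst 3550-class box) ---
vlan 101
 name user-jack-fa0-1
!
interface FastEthernet0/1
 description user jack, one VLAN per port
 switchport mode access
 switchport access vlan 101
 ! Edge port: forward immediately, err-disable if any BPDU arrives.
 ! A desktop switch plugged in here sends BPDUs; so does this switch's
 ! own BPDU coming back through a cable looped to a neighbouring jack.
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! Only the first 10 source MACs learned on this port are admitted;
 ! frames from an 11th are dropped (and counted), the port stays up.
 switchport port-security
 switchport port-security maximum 10
 switchport port-security violation restrict
 ! Shut the port if broadcast or multicast exceeds 1% of line rate
 ! (assumed threshold; "level" is a percentage on this platform).
 storm-control broadcast level 1.00
 storm-control multicast level 1.00
 storm-control action shutdown
!
interface GigabitEthernet0/1
 description uplink to L3 edge; carries one VLAN per user port
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 101-148
!
! --- L3 edge (assumed: an SVI per user VLAN on the upstream box) ---
interface Vlan101
 description user-jack-fa0-1
 ip address 10.0.101.1 255.255.255.0
 ! DHCP relay to a central server (assumed address); the only L2
 ! neighbour a user ever sees on VLAN 101 is this interface.
 ip helper-address 10.0.0.10
```

Because VLAN 101 contains exactly one user port and one router interface, a rogue DHCP server, spoofed RA or gratuitous ARP from that jack reaches no other user, which is the property the quoted message relies on instead of L3/L4 ACLs. The cost is what the reply above asks about: one VLAN and one router interface per port, so the 4096-VLAN ceiling is reached per trunk, and a larger edge needs either QinQ or more L3 edge boxes.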