Re: How to secure link between switches in Layer2

[Pedro <piotr.1234 () interia pl>]

I mean loop, flood, high cpu because tcn/tca etc
IMHO sniffing is not a case in my scenario, i suppose but i'll remember this

W dniu 2017-03-25 o 13:21, Paul S. pisze:
> What exactly does "limited trust" mean?
>
> Are you worried they might sniff the data on the link, or?
>
> If so, macsec is really your only remedy.
>
> On 3/25/2017 07:00 PM, Pedro wrote:
> > Hello,
> >
> > Sometimes i have situation that i have to extend my layer2 (access,
> > trunk mode) network to third parties with limited trust. Sometimes
> > it's L2 MPLS links from isp (1x or 2x), sometimes it's just colocated
> > switch. Mostly there are Juniper Ex4200/4300 or and Cisco 3750.  Below
> > i puts my config but maybe i miss something important ? Or i should
> > correct ?
> >
> > Thanks for help
> >
> >
> > 1.
> > If two p2p links: aggregation with LACP
> >
> > 2.
> > stp/rstp in portfast mode on access port
> > stp/rstp without portfast mode on trunk port
> > rstp root guard
> >
> > 3.
> > on ports facing servers, in portfast mode, bpdu guard
> > spanning-tree root guard
> >
> > 4.
> > max amount of mac addresses ie 100
> > per port per vlan max mac address
> >
> > 5.
> > 802.1q with vlans, but not vlan 1
> >
> > 6.
> > broadcast storm for bum packets: 10 pps
> >
> >
> > 7.
> > static ip - no dhcp servers/clients in vlans
> >
> > 8.
> > cpu monitoring with notification in ie zabbix
> >
> > 9.
> > cdp disable (if cisco)
> > dtp disable (if cisco)
> >
> > 10.
> > eventually policer per port or per vlan.
> >
> >
> >
> > thanks in advance,
> > Pedro