Date created: Sunday, January 20, 2013 4:32:00 PM. Last modified: Wednesday, May 10, 2017 5:41:00 PM
L2 Port Protection Options
EFP-based layer 2 customer facing port:
interface GigabitEthernet0/1
 description Dedicated customer access port for a layer 2 service like VPWS or EVPN-PBB
 switchport trunk allowed vlan none
 switchport mode trunk
 load-interval 30
 storm-control broadcast level 1.00
 storm-control multicast level 5.00
 ! Increase for a customer that uses multicast traffic
 storm-control action shutdown
 storm-control action trap
 no cdp enable
 no vtp
 no lldp transmit
 no lldp receive
 service instance 10 ethernet
  encapsulation dot1q 10
  rewrite ingress tag pop 1 symmetric
  l2protocol forward
  ! Remove if not tunneling layer 2 protocols, then the default is to drop them
  service-policy input PM-100Mbps
  service-policy output PM-100Mbps
L2 customer facing port protection templates:
Global Settings:
errdisable recovery cause all
errdisable recovery interval 30
! 30 seconds could be too low, adjust as needed
errdisable detect cause all
interface GigabitEthernet0/1
 description Customer facing trunk
 load-interval 30
 switchport trunk allowed vlan 4001-4003
 switchport mode trunk
 switchport nonegotiate
 ! Some old devices might still send DTP without this
no cdp enable
no lldp receive
no lldp transmit
no keepalive
small-frame violation-rate 10000
storm-control broadcast level 1.00 0.50
storm-control multicast level 1.00 0.50
storm-control unicast level 5.00
storm-control action shutdown
storm-control action trap
interface GigabitEthernet0/2
 description customer facing access port
load-interval 30
switchport mode access
switchport access vlan 20
 switchport nonegotiate
 ! Some old devices might still send DTP without this
 switchport block multicast
 ! This is outbound of the port
 switchport block unicast
 ! This is outbound of the port
 switchport port-security
 ! Port security must be enabled on the port before the violation and maximum settings below take effect
 switchport port-security violation shutdown vlan
 switchport port-security maximum 1 vlan
 logging event link-status
 logging event trunk-status
 storm-control broadcast level 1.00 0.50
storm-control multicast level 1.00 0.50
storm-control unicast level 5.00
storm-control action shutdown
 storm-control action trap
 no cdp enable
no lldp receive
no lldp transmit
 no keepalive
 ip verify source vlan dhcp-snooping port-security
 ! Requires ip dhcp snooping to be enabled globally and for vlan 20, which is not shown in the global settings above
 ip dhcp snooping limit rate 1
 ip dhcp snooping information option allow-untrusted
 ! Note: on Catalyst IOS the allow-untrusted command is a global configuration command, not an interface command
interface FastEthernet0/1
 description Older style catalyst access port
 load-interval 30
 speed 10
 port security max-mac-count 10
 port security aging time 5
 port storm-control broadcast action shutdown
 port storm-control broadcast threshold rising 100 falling 50
 port storm-control multicast action shutdown
 port storm-control multicast threshold rising 100 falling 50
 port storm-control unicast action filter
 port storm-control unicast threshold rising 3000 falling 1000
 switchport access vlan 201
 switchport nonegotiate
 ! Some old devices might still send DTP without this
no keepalive
no lldp transmit
no lldp receive
no cdp enable