Date created: Sunday, January 20, 2013 4:32:00 PM. Last modified: Wednesday, May 10, 2017 5:41:00 PM

L2 Port Protection Options

EFP based layer 2 customer facing port:

interface GigabitEthernet0/1
 description Dedicated customer access port for a layer 2 service like VPWS or EVPN-PBB
 switchport trunk allowed vlan none
 switchport mode trunk
 load-interval 30
 storm-control broadcast level 1.00
 storm-control multicast level 5.00 ! Increase for a customer that uses multicast traffic
 storm-control action shutdown
 storm-control action trap
 no cdp enable
 no vtp
 no lldp transmit
 no lldp receive
 service instance 10 ethernet
  encapsulation dot1q 10
  rewrite ingress tag pop 1 symmetric
  l2protocol forward ! Remove if not tunneling layer 2 protocols, then the default is to drop them
  service-policy input PM-100Mbps
  service-policy output PM-100Mbps

L2 customer facing port protection templates:

Global Settings:
errdisable recovery cause all
errdisable recovery interval 30 ! 30 seconds could be too low, adjust as needed
errdisable detect cause all

interface GigabitEthernet0/1
 description Customer facing trunk
 load-interval 30
 switchport trunk allowed vlan 4001-4003
 switchport mode trunk
 switchport nonegotiate ! Some old devices might still send DTP without this
 no cdp enable
 no lldp receive
 no lldp transmit
 no keepalive
 small-frame violation-rate 10000
 storm-control broadcast level 1.00 0.50
 storm-control multicast level 1.00 0.50
 storm-control unicast level 5.00
 storm-control action shutdown
 storm-control action trap

interface GigabitEthernet0/2
 description Customer facing access port
 load-interval 30
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate ! Some old devices might still send DTP without this
 switchport block multicast ! This is outbound of the port
 switchport block unicast ! This is outbound of the port
 switchport port-security ! Enables port security; the violation and maximum settings below have no effect until it is enabled
 switchport port-security violation shutdown vlan
 switchport port-security maximum 1 vlan
 logging event link-status
 logging event trunk-status
 storm-control broadcast level 1.00 0.50
 storm-control multicast level 1.00 0.50
 storm-control unicast level 5.00
 storm-control action shutdown
 storm-control action trap
 no cdp enable
 no lldp receive
 no lldp transmit
 no keepalive
 ip verify source vlan dhcp-snooping port-security
 ip dhcp snooping limit rate 1
 ip dhcp snooping information option allow-untrusted

interface FastEthernet0/1
 description Older style catalyst access port
 load-interval 30
 speed 10
 port security max-mac-count 10
 port security aging time 5
 port storm-control broadcast action shutdown
 port storm-control broadcast threshold rising 100 falling 50
 port storm-control multicast action shutdown
 port storm-control multicast threshold rising 100 falling 50
 port storm-control unicast action filter
 port storm-control unicast threshold rising 3000 falling 1000
 switchport access vlan 201
 switchport nonegotiate ! Some old devices might still send DTP without this
 no keepalive
 no lldp transmit
 no lldp receive
 no cdp enable
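Templates like the ones above only protect the network if every customer-facing port actually carries them. The following Python script is an added example, not part of these notes: it parses a running-config text into interface blocks and reports which of the template protections (storm-control, CDP/LLDP disabled, DTP disabled, port security, DHCP snooping rate limit) are missing on each customer-facing port, and whether errdisable recovery is configured globally so that a storm-control shutdown does not leave the port down indefinitely. It assumes customer-facing ports can be recognised by the word "customer" in their description (an assumption, not IOS behaviour) and runs against a constructed sample config.

```python
"""Audit Cisco IOS interface blocks for the customer-facing port protections.

Added example, not taken from the notes above. Customer-facing ports are
assumed to carry the word "customer" in their description (an assumption).
"""
import re
from typing import Dict, List

# A requirement is satisfied when some command on the interface starts with
# the prefix, so "storm-control broadcast level 1.00 0.50" satisfies
# "storm-control broadcast level".
REQUIRED_ALL = [
    "no cdp enable",
    "no lldp transmit",
    "no lldp receive",
    "storm-control broadcast level",
    "storm-control multicast level",
    "storm-control action shutdown",
    "storm-control action trap",
]
REQUIRED_TRUNK = ["switchport nonegotiate", "switchport trunk allowed vlan"]
REQUIRED_ACCESS = ["switchport nonegotiate", "switchport port-security",
                   "ip dhcp snooping limit rate"]

INTERFACE_RE = re.compile(r"^interface\s+(\S+)\s*$", re.IGNORECASE)


def strip_comment(line: str) -> str:
    """Drop an IOS '!' comment (everything from the first '!' onwards)."""
    return line.split("!", 1)[0].rstrip()


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map interface name -> list of its indented sub-commands."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = strip_comment(raw)
        if not line.strip():
            continue  # blank line or bare '!' separator
        match = INTERFACE_RE.match(line)
        if match:
            current = match.group(1)
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # an unindented global command ends the block
    return interfaces


def has(cmds: List[str], prefix: str) -> bool:
    return any(c.startswith(prefix) for c in cmds)


def is_customer_facing(cmds: List[str]) -> bool:
    """Assumption: the description names the port as customer facing."""
    return any(c.startswith("description") and "customer" in c.lower()
               for c in cmds)


def audit_interface(cmds: List[str]) -> List[str]:
    """Return the required protections missing from one interface."""
    required = list(REQUIRED_ALL)
    if has(cmds, "switchport mode trunk"):
        required += REQUIRED_TRUNK
    elif has(cmds, "switchport mode access"):
        required += REQUIRED_ACCESS
    return [r for r in required if not has(cmds, r)]


def audit_config(config: str) -> Dict[str, List[str]]:
    """Audit every customer-facing interface; the value is its list of gaps."""
    return {name: audit_interface(cmds)
            for name, cmds in parse_interfaces(config).items()
            if is_customer_facing(cmds)}


def errdisable_recovery_enabled(config: str) -> bool:
    """storm-control action shutdown err-disables the port; without a global
    errdisable recovery cause it stays down until an operator intervenes."""
    return any(strip_comment(l).startswith("errdisable recovery cause")
               for l in config.splitlines())


# Constructed sample: Gi0/1 follows the trunk template, Gi0/2 is an access
# port with most protections missing, Gi0/24 is not customer facing.
SAMPLE_CONFIG = """\
errdisable recovery cause all
errdisable recovery interval 30
!
interface GigabitEthernet0/1
 description Customer facing trunk
 switchport trunk allowed vlan 4001-4003
 switchport mode trunk
 switchport nonegotiate
 storm-control broadcast level 1.00 0.50
 storm-control multicast level 1.00 0.50
 storm-control action shutdown
 storm-control action trap
 no cdp enable
 no lldp receive
 no lldp transmit
!
interface GigabitEthernet0/2
 description customer facing access port
 switchport mode access
 switchport access vlan 20
 storm-control broadcast level 1.00 0.50
 storm-control action shutdown
!
interface GigabitEthernet0/24
 description Uplink to core
 switchport mode trunk
"""

if __name__ == "__main__":
    for name, gaps in audit_config(SAMPLE_CONFIG).items():
        print(name, "OK" if not gaps else "missing: " + ", ".join(gaps))
    if not errdisable_recovery_enabled(SAMPLE_CONFIG):
        print("WARNING: no global errdisable recovery configured")
```

Feed it the output of `show running-config` saved to a file to audit a real switch; the prefix lists are deliberately loose so that different threshold values still pass, while a port missing a whole protection is flagged.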