For example, preventing it from sending ARP, STP, etc., and revealing as little as possible about the rest of the network.
Example use case would be connecting to a peering exchange.
You can check the Amsterdam Internet Exchange's Config Guide for hints on how to silence switches from a variety of vendors.
In my experience there are vendors whose software is so bad that their equipment is never silent; for example, they ARP out every interface when they boot, or send out some upon a link-up event on a port. Juniper, Cisco, Brocade can be muffled with varying degrees of persuasion; Extreme loops everything during EAPS transitions.
Some things to disable/consider:
This is where switches such as the Metro-E series from Cisco come in: by default all the downstream ports run in UNI mode, which means that they don't send out CDP, STP or any frames at all from other UNI ports.
Another thing you could look at is private VLANs and then disabling things like CDP.
You can search cisco-nsp@ for different propositions as to what to enable/disable on the ports. For example start here:
http://www.gossamer-threads.com/lists/nanog/users/124659?do=post_view_threaded
Depending on your particular Cisco switch - Catalyst or Nexus, you may also search cisco.com for specific design practices. For example, for Catalyst 6500:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a00801b49a4.shtml
Also worth ensuring you nail down .1q/tagging negotiation: http://www.curtis-lamasters.com/cisco-switching-switchport-nonegotiate/
Cisco have the option 'switchport protected' that can provide basic L2 protection between ports. No traffic can be exchanged between protected ports. Yet, they can send and receive traffic to/from unprotected ports.
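The answers above name several per-port settings (CDP, STP, 802.1Q/DTP negotiation, `switchport protected`). As an added example, not part of any answer here, this Python sketch audits a saved running-config for those lines on the ports facing the exchange. The required command set is an assumption for classic IOS access ports (`spanning-tree bpdufilter enable` is not named on the page), and the sample config is constructed.

```python
import re

# Per-port lines to require (assumed set for classic IOS access ports).
# A global "no cdp run" or platform defaults are not taken into account.
REQUIRED = {
    "no cdp enable": "CDP still sent on this port",
    "switchport nonegotiate": "DTP negotiation frames still sent",
    "switchport protected": "no L2 isolation from other protected ports",
    "spanning-tree bpdufilter enable": "STP BPDUs still sent",
}

def parse_interfaces(config):
    """Split running-config text into {interface name: [sub-commands]}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"^interface\s+(\S+)", raw)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif raw.startswith((" ", "\t")) and current is not None:
            current.append(" ".join(raw.split()))  # normalise whitespace
        else:
            current = None  # "!" or a global command closes the block
    return interfaces

def audit(config, ports):
    """Return {port: [findings]} for ports missing a required line."""
    interfaces = parse_interfaces(config)
    report = {}
    for port in ports:
        if port not in interfaces:
            report[port] = ["interface not found in config"]
            continue
        missing = [f"missing '{cmd}': {why}"
                   for cmd, why in REQUIRED.items()
                   if cmd not in interfaces[port]]
        if missing:
            report[port] = missing
    return report

# Constructed sample config, not taken from a real device.
SAMPLE = """\
interface GigabitEthernet0/1
 switchport nonegotiate
 no cdp enable
!
interface GigabitEthernet0/2
 switchport nonegotiate
 switchport protected
 no cdp enable
 spanning-tree bpdufilter enable
"""
print(audit(SAMPLE, ["GigabitEthernet0/1", "GigabitEthernet0/2"]))
```

A clean port produces no entry in the report, so an empty result means every listed port carries all four lines.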