No STP authentication. Avoiding spanning-tree loops has always been an issue networks have lived with and overcome with:
Loopguard (distribution layer, core)
Bpduguard (edge, host ports)
Guard root (downstream links form real root bridges)
Port-security (max 3)
802.1x (host ports)
Understand spanning-tree, how it works and where your root bridges are, and manually configure your bridges with the lowest possible priorities.
Other than that there are the latest IETF drafts on TRILL, and Cisco's Fabric Path that will change the way that we see and use switches without the need for STP. The current Nexus code for 5k's are the only devices in the Cisco arsenal that support Fabric Path that I'm aware of. There was some hype with L2MP (Layer 2 Multi-Path), however I believe that L2MP gave way to TRILL.
However, if you want a solution without spanning tree you will need to deploy Nexus class switches, and use vPC'.
Regards,
Joe Sanchez
On Jan 12, 2012, at 4:25 PM, "Joseph L. Brunner" <joe_at_affirmedsystems.com> wrote:
> That's totally beyond the scope of STP or its original purpose. I doubt Radia Perlman cares or even dreamed of this when she invented STP while at DEC when your parents were in high school.
>
> I suggest you look at a layer design where subnets are scoped only to a local layer 3 switch and you run OSPF MD5 authentication between each device.
>
> -Joe
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of CCIE KID
> Sent: Thursday, January 12, 2012 1:22 PM
> To: Cisco certification; CCIE OSL
> Subject: OT: Authentication in STP
>
> Hi fellas,
>
> My customer is asking for any authentication in STP. Can someone tell me if there is any authentication mechanism in STP to validate the correct bridges with some hash value and try to avoid rogue bridges with this. I searched in RFCs and I guess there is no authentication mechanism in STP.
> So is there any other IEEE standard for STP authentication?
> I found Cisco Proprietary Root Guards which basically tells avoid any superior BPDUs and avoid that port as Root port.
>
> I know Root Guard doesn't do any authentication. But is there any other mechanism that can authenticate the bridges in STP logic?
>
> I believe Radia Perlman is still kicking for this :)
>
>
> --
> With Warmest Regards,
>
> CCIE KID
> CCIE#29992 (Security)
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Received on Fri Jan 13 2012 - 07:03:31 ART
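The protections listed in the reply above (BPDU guard, port-security with a maximum of 3, and 802.1X on host ports; root guard or loop guard on inter-switch links) can be checked against a saved switch configuration. The following Python audit is an added example, not part of the original thread. It assumes IOS-style per-interface commands, treats every trunk port as an inter-switch link, and ignores global defaults such as `spanning-tree portfast bpduguard default` or `spanning-tree loopguard default`; the function names and the sample configuration are constructed for illustration.

```python
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 authentication port-control auto
 spanning-tree bpduguard enable
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 10
interface GigabitEthernet0/23
 switchport mode trunk
interface GigabitEthernet0/24
 switchport mode trunk
 spanning-tree guard root
"""  # constructed IOS-style sample, not from a real device
GUARDS = {"spanning-tree guard root", "spanning-tree guard loop"}

def parse_interfaces(config):  # -> {interface name: [stripped sub-commands]}
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = blocks.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command closes the block
    return blocks

def audit(config, max_macs=3):  # -> {interface: [findings]}, compliant ports omitted
    findings = {}
    for name, lines in parse_interfaces(config).items():
        issues = []
        if "switchport mode access" in lines:  # host/edge port
            caps = [int(l.split()[3]) for l in lines if l.startswith("switchport port-security maximum ")]
            if "spanning-tree bpduguard enable" not in lines:
                issues.append("no BPDU guard")
            if "switchport port-security" not in lines:
                issues.append("port-security off")
            elif max(caps, default=1) > max_macs:  # IOS default maximum is 1
                issues.append(f"port-security maximum {max(caps)} > {max_macs}")
            if not any(l.endswith("port-control auto") for l in lines):  # dot1x / authentication form
                issues.append("no 802.1X")
        elif "switchport mode trunk" in lines and not GUARDS & set(lines):
            issues.append("no root guard or loop guard")
        if issues:
            findings[name] = issues
    return findings
```

Trunk findings still need a human decision: which guard belongs on a given uplink depends on where the root bridge sits, which the configuration of a single switch does not show.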