This is one of those things that, on
the face of it, seems correct, then if you think about it for more
than 0.5 seconds, you realise it's not.
a) If all of the things you need to ensure are done on a border
switch/port, *DP are not the most dangerous. Disabling spanning
tree, disabling trunking protocols, disabling aggregation
protocols, making sure 1970s protocols are turned off, making sure
newly deployed devices have sensible ACLs, etc. It's just another
thing that should be in your device/port template, so it's not
actually any extra work at all.
b) The information you can collect via *DP is very useful, as
other posters have pointed out.
I've had this "debate" at a great many SPs/telcos, and I always
win :)
Basically, if you can't trust your staff to turn off *DP, you
should fire them all, because you can't trust them not to expose
VTP to the customer too.
adam.
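As an added example, not part of the thread, the "port template" point in (a) expressed as a check: a small Python script that parses a constructed Cisco IOS running-config and lists customer-facing ports missing the *DP, DTP and STP controls. The exact command set, the CUSTOMER description marker and the sample config are assumptions.

```python
# Per-port controls the "port template" argument above calls for, written in
# Cisco IOS syntax (an assumed set; adjust to the platform's own template).
REQUIRED = (
    "switchport nonegotiate",          # DTP off: the CPE cannot negotiate a trunk
    "no cdp enable",                   # CDP off
    "no lldp transmit",                # LLDP off in both directions
    "no lldp receive",
    "spanning-tree bpduguard enable",  # err-disable the port if the CPE talks STP
)

def parse_interfaces(config):
    # Split an IOS running-config into {interface_name: [indented lines]}.
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the block
    return interfaces

def audit(config, marker="CUSTOMER"):
    # Return {interface: [missing controls]} for ports whose description has marker.
    report = {}
    for name, lines in parse_interfaces(config).items():
        desc = next((l for l in lines if l.startswith("description ")), "")
        if marker not in desc:
            continue  # core/uplink ports are out of scope for this check
        report[name] = [cmd for cmd in REQUIRED if cmd not in lines]
    return report

# Constructed sample: port 1 follows the template, port 2 was hand-configured.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description CUSTOMER acme-cpe
 switchport mode access
 switchport nonegotiate
 no cdp enable
 no lldp transmit
 no lldp receive
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 description CUSTOMER beta-cpe
 switchport mode access
!
"""
```

Calling `audit(SAMPLE_CONFIG)` returns an empty list for the first port and all five missing commands for the second; feed it the output of `show running-config` to run it against a real device.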
On 09/11/2012 03:52, Dermot Williams wrote:
We've traditionally been wary of using discovery
protocols because we operate a pretty large Ethernet network that
extends down to the subscriber CPE in most cases - security
concerns trump utility.
- Dermot
_______________________________________________
observium mailing list
observium@observium.org
http://postman.memetic.org/cgi-bin/mailman/listinfo/observium