[c-nsp] Campus - Best Practices

David West david.h.west at gmail.com
Tue Jun 27 22:19:50 EDT 2006


I've done a similar project using 2950-EI switches to feed about 8000
apartments; here are a couple of recommendations from that experience:

ACLs on every user facing port
-drop DHCP server replies, etc (helpful when somebody plugs the wrong side
of the Linksys in)

Definitely use VLANs to break up the broadcast domain
-also gives you another layer 3 chokepoint for ACLs

Look into DHCP snooping, dynamic ARP inspection (DAI) and IP source guard,
they are great layer 2 security features

You can also use "protected ports" which will only allow a protected mode
port to talk to a promiscuous port (usually the router) or private VLANs,
however this breaks pretty much all peer to peer type activity (if that's a
problem) as no hosts can talk to other hosts on local subnet.

NAC at layer 2 has specific platform/code requirements and does require an
agent on the end user PC, as does Clean Access (if you really want to make
the most of it).

-DW


On 6/27/06, Paul Stewart <pstewart at nexicomgroup.net> wrote:
>
> We are currently bidding on a campus deployment for a local educational
> facility.  The requirement involves approximately 1000 ethernet drops to
> student residences.
>
> Cisco Clean Access (or NAC) is a requirement and we are considering
> deploying Cisco 3560-48TS switches throughout the campus linked on GigE
> fiber between them.  Our original plan was for something along the lines
> of 6509's but because of the way the ethernet drops are located, we need
> to put smaller switches in more locations than a centralized deployment.
>
> A Cisco 7206VXR would then provide DHCP services with public IP
> addresses (a requirement) to each of the desktops via the switches.
>
> What is best practice in a setup like this and/or should we look at a
> completely different setup?  I presume NAC can communicate via SNMP with
> almost any switch that supports VLAN's?
>
> Because this is really one large LAN, what kind of security can be
> provided to stop "snooping" of other traffic, man-in-the-middle attacks,
> etc.?  Any pointers from people who have done lots of these would be very
> appreciated.  Also, traffic will be approximately 200 Mb/s throughout
> the entire network at peak time....
>
> Thanks in advance,
>
> Paul Stewart
> Network Administrator
> Nexicom Inc.
> http://www.nexicom.net/
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>



-- 
Progress isn't made by early risers. It's made by lazy men trying to find
easier ways to do something.
  - Robert Heinlein
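The layer 2 hardening DW lists (a port ACL dropping DHCP server replies, DHCP snooping, DAI, IP source guard and protected ports on user-facing access ports) as one constructed IOS configuration; it is an added illustration, not from either poster. It assumes a 3560-class switch, VLAN 100 as the residence VLAN, Gi0/1 as the trunk toward the 7206 that serves DHCP, and Fa0/1 as an apartment drop; all of those names are placeholders.

```cisco
! Constructed example (not from the original post). Assumes VLAN 100 is the
! student VLAN, Gi0/1 is the uplink toward the DHCP-serving router and
! Fa0/1 is one user-facing drop. Adjust VLAN and interface names to taste.
!
! DHCP snooping: only trusted ports may carry server-side DHCP messages,
! and the resulting binding table feeds DAI and IP source guard below.
ip dhcp snooping
ip dhcp snooping vlan 100
! Many routers acting as DHCP server discard relayed-looking packets
! carrying option 82 with giaddr 0, so do not insert it here.
no ip dhcp snooping information option
!
! Dynamic ARP inspection: ARP replies that do not match a snooping
! binding are dropped, which blocks ARP-based man-in-the-middle on the VLAN.
ip arp inspection vlan 100
!
! Port ACL for user ports: drop anything that looks like a DHCP server
! (source port bootps) or is addressed to clients (dest port bootpc),
! which is what a Linksys plugged in backwards would emit. Belt and braces
! alongside snooping, and it also logs nothing noisy.
ip access-list extended USER-PORT-IN
 remark deny DHCP server replies from user ports
 deny   udp any eq bootps any
 deny   udp any any eq bootpc
 permit ip any any
!
interface GigabitEthernet0/1
 description uplink toward DHCP-serving router
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
interface FastEthernet0/1
 description apartment drop
 switchport mode access
 switchport access vlan 100
 ! Protected port: may talk to unprotected ports (the uplink) only, so
 ! no host-to-host traffic inside the switch. Breaks local peer to peer.
 switchport protected
 ! IP source guard: forward only IP traffic whose source matches the
 ! DHCP snooping binding for this port, defeating spoofed source addresses.
 ip verify source
 ip access-group USER-PORT-IN in
 ip dhcp snooping limit rate 15
 spanning-tree portfast
 spanning-tree bpduguard enable
```

With the same design spread over many access switches, the DHCP snooping, DAI and protected port settings are per-switch, so verify them with `show ip dhcp snooping` and `show ip arp inspection vlan 100` on each box after deployment.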

