[c-nsp] vlans to customer - good practice / myth to bust !
Mikael Abrahamsson
swmike at swm.pp.se
Mon Aug 3 14:20:45 EDT 2009
On Mon, 3 Aug 2009, vince anton wrote:
> My concern here is whether this is best practice for delivering such
> services, or if other ways of doing this are out there and proven better.
No, that's a common model.
> Last but not least, security. what if a customer plugs the fibre link
> into his switch with a bunch of other vlans running. the only form of
> 'protection' that I currently have is restriction of vlans on the trunk
> from the customer, but some traffic (like spanning tree) travels on
> vlan1 as far as i recall and this cannot be blocked. another item would
> be vlan hopping.
Well, you probably want to enable STP filters if you don't expect STP
packets to come in on the link. Disabling the use of vlan 1 onto the
customer link might be good as well (i.e. only use tagged vlans, do not run
native vlan 1 onto customer link).
> I'm just after some pointers from what you all do out there to offer similar
> services, what the best practices for this are, lessons learnt, etc... so I
> can then delve into the details given the pointers, to ensure I'm running
> in line with tried and tested ways of doing things.
Vlan hopping shouldn't be a problem with modern equipment, but it might be
good to verify that the one you're using doesn't have this problem.
--
Mikael Abrahamsson email: swmike at swm.pp.se
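The two hardening points above (filter customer STP, and keep untagged/VLAN 1 traffic off the customer trunk) are easy to state and easy to forget on one port out of fifty. The following is an added example, not code from the thread or from Cisco: a small audit script that reads an IOS-style running-config and flags customer-facing trunks that still have native VLAN 1, an unrestricted allowed-VLAN list, the native VLAN left in the allowed list (so untagged customer frames are accepted), or no bpdufilter/bpduguard. The embedded config is constructed for the example (one deliberately weak port, one hardened port, one uplink), and the rule that "customer-facing" means the interface description contains the word "customer" is an assumption you would replace with your own convention.

```python
"""Audit customer-facing IOS trunk ports for the hardening discussed in the thread.

Assumptions (not from the original post): the config below is constructed,
and customer ports are recognised by the word "customer" in their description.
"""
import re
from typing import Callable, Dict, List, Set

# Constructed sample running-config: Gi0/1 is the weak port, Gi0/2 the
# hardened one, Gi0/3 an uplink that the audit should leave alone.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/1
 description customer A
 switchport mode trunk
!
interface GigabitEthernet0/2
 description customer B
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 200,201
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/3
 description uplink to core
 switchport mode trunk
 switchport trunk allowed vlan 1-4094
!
"""

ALL_VLANS: Set[int] = set(range(1, 4095))


def parse_vlan_list(spec: str) -> Set[int]:
    """Parse an IOS VLAN list such as '200,201,300-310', 'all' or 'none'."""
    spec = spec.strip().lower()
    if spec == "all":
        return set(ALL_VLANS)
    if spec == "none":
        return set()
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Group the config into {interface name: [interface sub-mode lines]}."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the interface block
    return interfaces


def audit_trunk(lines: List[str]) -> List[str]:
    """Return the list of weaknesses found on one trunk port (empty = clean)."""
    findings: List[str] = []
    native = 1                  # IOS default when no native VLAN is configured
    allowed = set(ALL_VLANS)    # IOS default: every VLAN is allowed on a trunk
    bpdu_controlled = False
    for line in lines:
        m = re.match(r"switchport trunk native vlan (\d+)$", line)
        if m:
            native = int(m.group(1))
            continue
        m = re.match(r"switchport trunk allowed vlan(?: (add|remove|except))? (.+)$", line)
        if m:
            op, vlans = m.group(1), parse_vlan_list(m.group(2))
            if op == "add":
                allowed |= vlans
            elif op == "remove":
                allowed -= vlans
            elif op == "except":
                allowed = ALL_VLANS - vlans
            else:
                allowed = vlans
            continue
        if line in ("spanning-tree bpdufilter enable", "spanning-tree bpduguard enable"):
            bpdu_controlled = True
    if native == 1:
        findings.append("native VLAN is 1: untagged customer frames land in VLAN 1")
    if allowed == ALL_VLANS:
        findings.append("allowed VLAN list is unrestricted")
    if native in allowed:
        findings.append(f"native VLAN {native} is in the allowed list: untagged frames are accepted")
    if not bpdu_controlled:
        findings.append("no bpdufilter/bpduguard: customer BPDUs can influence our spanning tree")
    return findings


def audit_config(config: str,
                 is_customer: Callable[[str], bool] = lambda d: "customer" in d.lower()
                 ) -> Dict[str, List[str]]:
    """Audit every customer-facing trunk; returns {interface: [findings]}."""
    report: Dict[str, List[str]] = {}
    for name, lines in parse_interfaces(config).items():
        desc = next((l[len("description "):] for l in lines if l.startswith("description ")), "")
        if "switchport mode trunk" not in lines or not is_customer(desc):
            continue
        report[name] = audit_trunk(lines)
    return report


if __name__ == "__main__":
    for iface, findings in audit_config(SAMPLE_CONFIG).items():
        print(iface, "OK" if not findings else "")
        for f in findings:
            print("   -", f)
```

Run against the constructed config it reports four findings on GigabitEthernet0/1 and none on GigabitEthernet0/2. Two caveats for real use: `bpdufilter` silently discards BPDUs while `bpduguard` err-disables the port on receipt, so pick the behaviour you actually want per customer; and keeping the native VLAN out of the allowed list is one way to drop untagged frames, tagging the native VLAN globally (`vlan dot1q tag native`) is another, and the script only checks for the first.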