[c-nsp] vlans to customer - good practice / myth to bust!
vince anton
mvanton at gmail.com
Tue Aug 4 14:59:23 EDT 2009
Thanks - glad to know that this model is in use.
What keeps on buzzing at the back of my mind is that I have a layer 2
connection (actually a number of them) from my switch to many switches (of
customers) that I have no control over.
So not only is this a large L2 network (and best practice says to reduce the
size of your L2 domain), but most of it is not within my control!
So do you typically use bpdufilter, only allow tagged vlans, not use vtp -
and this keeps things under control?
Thanks for your feedback,
anton
2009/8/3 Mikael Abrahamsson <swmike at swm.pp.se>
> On Mon, 3 Aug 2009, vince anton wrote:
>
>> My concern here is whether this is best practice for delivering such
>> services, or if other ways of doing this are out there and proven better.
>
> No, that's a common model.
>
>> Last but not least, security. What if a customer plugs the fibre link
>> into his switch with a bunch of other vlans running. The only form of
>> 'protection' that I currently have is restriction of vlans on the trunk from
>> the customer, but some traffic (like spanning tree) travels on vlan1 as far
>> as I recall and this cannot be blocked. Another item would be vlan hopping.
>
> Well, you probably want to enable stp filters if you don't expect stp
> packets to come in on the link. Disabling the use of vlan 1 onto the
> customer link might be good as well (i.e. only use tagged vlans, do not run
> native vlan 1 onto customer link).
>
>> I'm just after some pointers from what you all do out there to offer similar
>> services, what the best practices for this are, lessons learnt, etc... so I
>> can then delve into the details given the pointers, to ensure I'm running
>> in line with tried and tested ways of doing things.
>
> Vlan hopping shouldn't be a problem with modern equipment, but it might be
> good to verify that the one you're using doesn't have this problem.
>
> --
> Mikael Abrahamsson email: swmike at swm.pp.se
--
Thanks,
anton
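As an added illustration (not part of the thread, and not a configuration either poster published), here is what the advice above looks like on a Cisco IOS switch: a customer-facing trunk left at its defaults, beside the same port with STP filtering, tagged-only VLANs, a non-1 native VLAN and VTP taken out of play. The interface name and the VLAN numbers 100, 200 and 999 are constructed for the example.

```cisco
! Added example: customer-facing 802.1Q trunk, weak form and hardened form.
! Interface name and VLAN IDs (100, 200, 999) are constructed placeholders.
!
! ---- Weak: what a bare "switchport mode trunk" leaves you with ----
interface GigabitEthernet1/0/1
 description CUSTOMER-A (weak)
 switchport mode trunk
 ! Every VLAN in the database is allowed, VLAN 1 rides untagged as the
 ! native VLAN, DTP keeps negotiating with whatever the customer plugs in,
 ! and STP BPDUs from the customer switch are accepted and processed.
!
! ---- Hardened ----
vtp mode transparent
! Never learn VLAN database changes from a neighbour across a trunk.
!
interface GigabitEthernet1/0/1
 description CUSTOMER-A (hardened)
 switchport trunk encapsulation dot1q
 ! (only needed on platforms that also support ISL)
 switchport mode trunk
 switchport nonegotiate
 ! No DTP: the port is a trunk because it is configured as one,
 ! never because the far side asked for it.
 switchport trunk allowed vlan 100,200
 ! Only the customer's service VLANs are carried; VLAN 1 is not in the
 ! list, so it is pruned from the trunk.
 switchport trunk native vlan 999
 ! An otherwise-unused VLAN with no SVI as native, so that nothing the
 ! provider cares about ever travels untagged on this link.
 spanning-tree bpdufilter enable
 ! Drop incoming BPDUs and send none: the provider's spanning tree never
 ! sees the customer's topology. Note this also removes loop protection
 ! on this port, which is the trade-off being made.
!
! Check the result:
! show interfaces GigabitEthernet1/0/1 trunk
! show spanning-tree interface GigabitEthernet1/0/1 detail
```

Two points worth checking on your own platform. First, `spanning-tree bpdufilter enable` at interface level silently disables STP on that port in both directions; if you would rather have the port err-disabled the moment a customer BPDU arrives (and be alerted by the log), `spanning-tree bpduguard enable` is the alternative. Second, on some platforms the global `vlan dot1q tag native` command makes the native VLAN itself tagged, which is another way to ensure no untagged frames are accepted; whether it applies depends on the hardware, so verify with `show interfaces trunk` after configuring it.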