[c-nsp] WS-C2950-EI as ISP access, best practices

Keegan Holley keegan.holley at sungard.com
Wed Mar 16 14:29:25 EDT 2011


I'm assuming by apartment complex you mean just internet access for users
and no LAN is required.  Have you tried the usual sources like Cymru and
Cisco?  I know Cymru has some pretty good templates for general device
hardening and Cisco is trying to take over the world these days.  One
suggestion I could give is to use switchport protected.  It's the poor man's
private VLAN, which I would suggest if it were supported on the 2950.  That
will keep you from having to worry about ACLs and the like.  Also, loops
will be relegated to a single port.  Definitely some kind of storm control
or broadcast/multicast/unknown rate-limiting.  You also need to secure
spanning tree.  Root guard, cost manipulation and BPDU filter (not guard)
should all be added.  Changing the native VLAN is a good thing too.  I'd
find some kind of way to monitor throughput and errors.  Switches that
old are bound to have some bad ports.  Plus any bridging loops and/or bw
hogs will be easy to track.  Cacti would probably do well here.

HTH,


On Wed, Mar 16, 2011 at 2:13 PM, Neal Rauhauser <neal.rauhauser at gmail.com>wrote:

>    I've just inherited a plant with a few dozen WS-C2950-EI doing access
> duty - an apartment complex. We've had just ridiculous stuff, like certain
> models of customer NAT device that will helpfully reforward an unknown
> unicast frame(!), and I've pretty well had my fill of Windows antics on
> this thing.
>
>   Right now this is applied to all ports. Limit seems to be 132 entries
> spread across all ports, so 5 entries x 24 ports is all we could do.
>
> ip access-list extended nbtetc4
>  deny   udp any any eq netbios-ns
>  deny   udp any any eq 5355
>  deny   udp any any eq 5353
>  deny   udp any any eq 1900
>  permit ip any any
>
>
>  We're also dumping unknown multicast.
>
> interface FastEthernet0/11
>  switchport block multicast
>  ip access-group nbtetc4 in
>
>   Doing this brought it down to a dull roar & customer calls stopped, but
> I'd like to know if there is a tidy cookbook for what to do with these
> machines in an access environment.
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
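As an added example that is not part of either post: a small Python audit that parses a `show running-config` dump and reports, per customer-facing FastEthernet port, which of the hardening items from the reply (switchport protected, broadcast/multicast storm control, unknown unicast/multicast blocking, BPDU filter, root guard) are absent, flags trunks still on native VLAN 1, and emits the IOS lines that would close each gap. The config text is constructed for the example; the storm-control level of 5.00 is an assumed value, and the command syntax is generic IOS switch syntax that should be checked against the 2950's own release before it is pushed.

```python
import re
from typing import Dict, List

# Constructed "show running-config" excerpt (not from the thread): Fa0/11 carries only
# the ACL and multicast block from the original post, Fa0/12 adds the hardening from
# the reply, Gi0/1 is a trunk with a non-default native VLAN and Gi0/2 is not.
SAMPLE_CONFIG = """\
!
interface FastEthernet0/11
 switchport block multicast
 ip access-group nbtetc4 in
!
interface FastEthernet0/12
 switchport access vlan 10
 switchport protected
 switchport block multicast
 switchport block unicast
 storm-control broadcast level 5.00
 storm-control multicast level 5.00
 spanning-tree bpdufilter enable
 spanning-tree guard root
 ip access-group nbtetc4 in
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 999
!
interface GigabitEthernet0/2
 switchport mode trunk
!
"""

# Per-port hardening items: (label, regex a stanza line must match, IOS command to add).
# The 5.00 storm-control level is an assumed starting point, not a recommendation.
REQUIRED = [
    ("switchport protected",    r"^switchport protected$",            "switchport protected"),
    ("broadcast storm control", r"^storm-control broadcast level ",   "storm-control broadcast level 5.00"),
    ("multicast storm control", r"^storm-control multicast level ",   "storm-control multicast level 5.00"),
    ("block unknown unicast",   r"^switchport block unicast$",        "switchport block unicast"),
    ("block unknown multicast", r"^switchport block multicast$",      "switchport block multicast"),
    ("BPDU filter",             r"^spanning-tree bpdufilter enable$", "spanning-tree bpdufilter enable"),
    ("root guard",              r"^spanning-tree guard root$",        "spanning-tree guard root"),
]

ACCESS_PORT = re.compile(r"^FastEthernet\d+/\d+$")        # customer-facing ports on this box
TRUNK_NATIVE = re.compile(r"^switchport trunk native vlan (\d+)$")


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split a running-config into {interface name: [commands]} with the leading space stripped.
    A stanza runs from 'interface X' until the first line that is not indented (e.g. '!')."""
    stanzas: Dict[str, List[str]] = {}
    name = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            name = raw[len("interface "):].strip()
            stanzas[name] = []
        elif name and raw.startswith(" "):
            stanzas[name].append(raw.strip())
        else:
            name = None
    return stanzas


def audit_access_ports(config: str) -> Dict[str, List[str]]:
    """Return {access port: [labels of missing hardening items]}; an empty list means compliant."""
    findings: Dict[str, List[str]] = {}
    for name, cmds in parse_interfaces(config).items():
        if not ACCESS_PORT.match(name):
            continue
        findings[name] = [label for label, pattern, _ in REQUIRED
                          if not any(re.match(pattern, c) for c in cmds)]
    return findings


def trunks_on_default_native(config: str) -> List[str]:
    """Trunk ports whose native VLAN is unset (defaults to 1) or explicitly 1."""
    bad = []
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode trunk" not in cmds:
            continue
        native = [m.group(1) for c in cmds for m in [TRUNK_NATIVE.match(c)] if m]
        if not native or native[0] == "1":
            bad.append(name)
    return bad


def remediation(port: str, config: str) -> List[str]:
    """IOS lines to paste under the given port for every missing item (assumed syntax)."""
    missing = audit_access_ports(config).get(port, [])
    return [f"interface {port}"] + [cmd for label, _, cmd in REQUIRED if label in missing]


if __name__ == "__main__":
    for port, missing in audit_access_ports(SAMPLE_CONFIG).items():
        print(port, "missing:", ", ".join(missing) or "nothing")
    print("trunks on native VLAN 1:", trunks_on_default_native(SAMPLE_CONFIG))
    print("\n".join(remediation("FastEthernet0/11", SAMPLE_CONFIG)))
```

Run it against a real `show running-config` capture by replacing `SAMPLE_CONFIG`; the `ACCESS_PORT` pattern is the one knob to adjust if customer ports live on a different interface range. The checks are deliberately exact-line matches so that a port with, say, `storm-control broadcast level` but no multicast line is still reported.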

