[c-nsp] WS-C2950-EI as ISP access, best practices
Keegan Holley
keegan.holley at sungard.com
Wed Mar 16 14:29:25 EDT 2011
I'm assuming by apartment complex you mean just internet access for users
and no LAN is required. Have you tried the usual sources like Cymru and
Cisco? I know Cymru has some pretty good templates for general device
hardening and Cisco is trying to take over the world these days. One
suggestion I could give is to use switchport protected. It's the poor man's
private VLAN, which I would suggest if it were supported on the 2950. That
will keep you from having to worry about ACLs and the like. Also, loops
will be relegated to a single port. Definitely some kind of storm control
or broadcast/multicast/unknown rate-limiting. You also need to secure
spanning tree. Root guard, cost manipulation and BPDU filter (not guard)
should all be added. Changing the native VLAN is a good thing too. I'd
find some kind of way to monitor throughput and errors. Switches that
old are bound to have some bad ports. Plus any bridging loops and/or bw
hogs will be easy to track. Cacti would probably do well here.
HTH,
On Wed, Mar 16, 2011 at 2:13 PM, Neal Rauhauser <neal.rauhauser at gmail.com> wrote:
> I've just inherited a plant with a few dozen WS-C2950-EI doing access
> duty - an apartment complex. We've had just ridiculous stuff, like certain
> models of customer NAT device that will helpfully reforward an unknown
> unicast frame(!), and I've pretty well had my fill of Windows antics on this
> thing.
>
> Right now this is applied to all ports. Limit seems to be 132 entries
> spread across all ports, so 5 entries x 24 ports is all we could do.
>
> ip access-list extended nbtetc4
>  deny   udp any any eq netbios-ns
>  deny   udp any any eq 5355
>  deny   udp any any eq 5353
>  deny   udp any any eq 1900
>  permit ip any any
>
>
> We're also dumping unknown multicast.
>
> interface FastEthernet0/11
>  switchport block multicast
>  ip access-group nbtetc4 in
>
> Doing this brought it down to a dull roar & customer calls stopped, but
> I'd like to know if there is a tidy cookbook for what to do with these
> machines in an access environment.
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
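The configuration below is an added example for this thread and is not code posted by either Neal or Keegan. It puts Neal's ACL and multicast blocking together with the hardening Keegan lists (protected ports, storm control, spanning-tree protection, a changed native VLAN, and SNMP for Cacti) on one WS-C2950-EI. Everything not in the thread is an assumption: VLAN 10 as the customer VLAN, VLAN 999 as an unused native VLAN, Fa0/1-23 as customer ports, Gi0/1 as the uplink, the storm-control thresholds, the NMS address 192.0.2.10 and the community string. Keegan's "cost manipulation" is expressed here as a maximum bridge priority on the access switch rather than a port cost; and because BPDU filter (his choice, not BPDU guard) drops customer BPDUs, root guard on those ports is only a backstop and storm control is what actually contains a customer-side loop.

```cisco
! Added example (not from the thread). Assumed: VLAN 10 = customers,
! VLAN 999 = unused native VLAN, Fa0/1-23 = customer ports, Gi0/1 = uplink,
! 192.0.2.10 = Cacti host. Thresholds and names are placeholders.
!
vlan 10
 name CUSTOMERS
vlan 999
 name UNUSED-NATIVE
!
! Access switch must never win the root election; set the distribution
! switch to "spanning-tree vlan 10 root primary" on its side.
spanning-tree vlan 10 priority 61440
!
! Neal's ACL, unchanged. Per his post the 2950 TCAM holds about 132
! entries across all ports, so keep this list short (5 x 24 = 120).
ip access-list extended nbtetc4
 deny   udp any any eq netbios-ns
 deny   udp any any eq 5355
 deny   udp any any eq 5353
 deny   udp any any eq 1900
 permit ip any any
!
interface range FastEthernet0/1 - 23
 description customer port
 switchport mode access
 switchport access vlan 10
 ! Protected ports do not forward L2 traffic to each other, so a customer
 ! can only reach the uplink, never a neighbour on this switch.
 switchport protected
 ! Do not flood unknown unicast or unregistered multicast to the customer
 ! (the "helpful" NAT box re-forwarding unknown unicast never sees it).
 switchport block unicast
 switchport block multicast
 ! Rate-limit floods; levels are percent of port bandwidth (assumed values).
 ! Default action is to drop excess; "trap" additionally raises an SNMP trap
 ! so the NMS sees which port is storming.
 storm-control broadcast level 5.00
 storm-control multicast level 5.00
 storm-control unicast level 20.00
 storm-control action trap
 ! Edge port. bpdufilter silently drops customer BPDUs instead of
 ! err-disabling the port (Keegan: filter, not guard). Root guard is kept as
 ! a backstop in case bpdufilter is ever removed. Note that with bpdufilter a
 ! loop behind a customer device is invisible to STP; storm control is what
 ! keeps it confined to that one port.
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree guard root
 no cdp enable
 ip access-group nbtetc4 in
!
interface GigabitEthernet0/1
 description uplink to distribution
 switchport mode trunk
 switchport nonegotiate
 ! Native VLAN moved off VLAN 1 to an unused VLAN that carries no hosts.
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,999
!
! Read-only SNMP for Cacti, restricted to the NMS address.
access-list 10 permit host 192.0.2.10
snmp-server community cactiRO RO 10
```

After applying it, `show storm-control` lists the per-port thresholds and the current traffic level, `show interfaces counters errors` is the quick way to find the bad ports Keegan mentions, and `show spanning-tree interface FastEthernet0/1 detail` confirms portfast, BPDU filter and root guard are active on a customer port. Verify each command on your own IOS train before pushing it to a few dozen switches; the 2950 EI supports all of the above on 12.1(22)EA, but earlier trains differ in storm-control options.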