[c-nsp] WS-C2950-EI as ISP access, best practices

Neal Rauhauser neal.rauhauser at gmail.com
Wed Mar 16 15:21:29 EDT 2011


 Customers don't have access to native VLAN, I clipped that bit from the
config, didn't seem relevant. Overall this network is too open.

  I've seen 2950s just melt down when a small dumb access switch on the far
end had one cable plugged into two ports - 99.44% usage, no way to gain
remote access. Will switchport protected put a stop to stuff like that?

   All good suggestions here, the Cisco site wasn't so helpful - an enterprise
switch in an access role is not something they'd document. As I recall the
ME Catalysts have special goodies to deal with access stuff like this, so
it's going to be a cobble-job. I will check Cymru to see what's good there.

   Thanks for the quick response.




On Wed, Mar 16, 2011 at 1:29 PM, Keegan Holley <keegan.holley at sungard.com> wrote:

>
> I'm assuming by apartment complex you mean just internet access for users
> and no LAN is required.  Have you tried the usual sources like Cymru and
> Cisco.  I know Cymru has some pretty good templates for general device
> hardening and Cisco is trying to take over the world these days.  One
> suggestion I could give is to use switchport protected.  It's the poor man's
> private vlan, which I would suggest if it were supported on the 2950.  That
> will keep you from having to worry about ACLs and the like.  Also, loops
> will be relegated to a single port.  Definitely some kind of storm control
> or broadcast/multicast/unknown rate-limiting.  You also need to secure
> spanning tree.  Root guard, cost manipulation and bpdu filter (not guard)
> should all be added.  Changing the native vlan is a good thing too.  I'd
> find some kind of way to monitor throughput and errors.  Switches that
> old are bound to have some bad ports.  Plus any bridging loops and/or bw
> hogs will be easy to track.  Cacti would probably do well here.
>
> HTH,
>
>
> On Wed, Mar 16, 2011 at 2:13 PM, Neal Rauhauser <neal.rauhauser at gmail.com> wrote:
>
>>    I've just inherited a plant with a few dozen WS-C2950-EI doing access
>> duty - an apartment complex. We've had just ridiculous stuff, like certain
>> models of customer NAT device that will helpfully reforward an unknown
>> unicast frame(!), and I've pretty well had my fill of Windows antics on
>> this thing.
>>
>>   Right now this is applied to all ports. Limit seems to be 132 entries
>> spread across all ports, so 5 entries x 24 ports is all we could do.
>>
>> ip access-list extended nbtetc4
>>  deny   udp any any eq netbios-ns
>>  deny   udp any any eq 5355
>>  deny   udp any any eq 5353
>>  deny   udp any any eq 1900
>>  permit ip any any
>>
>>
>>  We're also dumping unknown multicast.
>>
>> interface FastEthernet0/11
>>  switchport block multicast
>>  ip access-group nbtetc4 in
>>
>>   Doing this brought it down to a dull roar & customer calls stopped, but
>> I'd like to know if there is a tidy cookbook for what to do with these
>> machines in an access environment.
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>>
>
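As an added example, not from this thread or from Cisco, here is a small Python audit that parses an IOS-style running-config and reports which customer-facing FastEthernet ports are missing the per-port hardening items Keegan lists above (switchport protected, storm control, BPDU filter, root guard, unicast/multicast blocking, an ingress ACL). The regexes, the constructed SAMPLE_CONFIG and the choice to require all seven items on every FastEthernet port are my assumptions; the storm-control threshold is left to the operator.

```python
"""Audit a Catalyst 2950 running-config for the per-port hardening this thread suggests."""
import re
# One regex per item suggested in the thread (the first six by Keegan, the ACL
# from the original post); storm-control accepts any traffic type and level.
REQUIRED = {
    "switchport protected": r"^switchport protected$",
    "storm-control": r"^storm-control (broadcast|multicast|unicast) level ",
    "bpdufilter": r"^spanning-tree bpdufilter enable$",
    "root guard": r"^spanning-tree guard root$",
    "block unicast": r"^switchport block unicast$",
    "block multicast": r"^switchport block multicast$",
    "ingress acl": r"^ip access-group \S+ in$",
}
def parse_interfaces(config):
    """Return {interface name: [its indented config lines]} from IOS-style text."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:                      # "!" or any other top-level line ends the block
            current = None
    return blocks
def audit(config, prefix="FastEthernet"):
    """Return {customer port: [missing items]}; ports with other prefixes (uplinks) are skipped."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        if name.startswith(prefix):
            report[name] = [item for item, pat in REQUIRED.items()
                            if not any(re.match(pat, line) for line in lines)]
    return report
# Constructed sample: Fa0/11 mirrors the thread's partial config, Fa0/12 carries every item.
SAMPLE_CONFIG = """\
interface FastEthernet0/11
 switchport block multicast
 ip access-group nbtetc4 in
!
interface FastEthernet0/12
 switchport protected
 switchport block unicast
 switchport block multicast
 storm-control broadcast level 5.00
 spanning-tree bpdufilter enable
 spanning-tree guard root
 ip access-group nbtetc4 in
"""
```

Running `audit(SAMPLE_CONFIG)` flags Fa0/11 as missing five of the seven items and Fa0/12 as clean; feed it the output of `show running-config` to check a whole stack at once.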