[c-nsp] list wisdom please, Cisco switches

Ross Halliday ross.halliday at wtccommunications.ca
Tue Jan 15 19:07:49 EST 2013


On Tue 2013-01-15 at 10:58 AM Nick Hilliard wrote:

> I don't get why people shouldn't be able to ping each other / etc.  Isn't
> this traffic functionally equivalent to any other Internet traffic?  What's
> different about it?

Easy - the Internet is a routed L3 infrastructure with security measures in place vs. an open L2 LAN. Ever done a packet capture off of an idle Windows machine? :(


> Yeah that's the reason. It's not about talking to one another, it's about
> protecting from attacks that could allow snooping on traffic flows, to
> hijacking.

It should be. You're providing an Internet service, not a building-wide Windows "HomeGroup" or vessel for neighbors to watch each other's iTunes. For some reason people get very cranky if they can see their neighbor's printer. Security is of course a real concern. Like NetBIOS of old there is a lot of multicast-based stuff that really shouldn't be let out of a LAN at all. This PeerDNS/Bonjour stuff really bugs the hell outta me. I'm very much in agreement with the opinion that almost all residential users should have a router/firewall, but customers won't be very sympathetic to that line of reasoning while their printer is spewing screenshots from 4chan that the kid up in 703 thought would be funny. Of course that's not to say people won't get cranky if their online banking session is hijacked - but you'll likely get a call about the former before the latter.

What you really need depends on a lot of variables, as you haven't provided many requirements. Is this a data-only service or is it triple-play with VoIP and IPTV? Will you provide CPE? What speeds are you selling your customers; 30 Mbps, 100 Mbps, Gigabit? How much do you expect them to actually use, or what sort of oversubscription? PPPoE or plain IP? MPLS required? Where do you plan on being network- and bandwidth-wise in the next 3-5 years? Are there any special requirements for heat, power, or tight spaces? What are your redundancy and availability requirements? What's your budget?

As a PPPoE shop where we just give our customers a cable to plug into, I'm happy with some storm control, private VLANs, and ethertype filtering. If you're doing DHCP to your subscribers stuff gets really fun! Nick's list of features is a good one.

If I was in your shoes, in the market my employer serves, providing only Internet service, I'd be looking at a 2960-24TC-L on every storey with fiber to a couple of 3600X-24CX-24FSes or ME4924-10GEs hauling back to the POP, upgrading to 10G if/when necessary (I assume there's a pair of fibers to the building). Depending on where the POP is I might want MPLS. If power and space in the basement aren't a concern (doubtful, but you never know) I can get used 6500s for pretty cheap, which would make it a standard platform and nothing 'special' for us to deal with.

Then again, if you want to push gigabit to all of your subscribers and everything is DHCP and your network is a lot of Layer 2, I might look at some of the telco edge vendors like Calix as well.


Hope this helps some!


- Ross
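Editor's note: the storm control, port isolation and ethertype filtering that Ross describes for a PPPoE-only access switch map onto a short Catalyst IOS configuration. The fragment below is an added illustration, not configuration from Ross's post or from any of the vendors named; the VLAN number, port range, thresholds and ACL name are constructed placeholders, and it assumes a 2960-24TC-L style switch where subscriber ports are FastEthernet0/1-24. On the 2960 family the per-port isolation feature is the protected port (PVLAN Edge) rather than full private VLANs, so that is what is shown; a full private-VLAN design belongs on the aggregation layer.

```cisco
! Added example (not from the original post). Subscriber-facing access ports
! on a per-storey switch for a PPPoE-only service.
!
! Ethertype filter: permit only PPPoE discovery (0x8863) and PPPoE session
! (0x8864) frames from subscribers; everything else (ARP, IPv6, LLDP,
! Bonjour/mDNS carried as raw multicast, etc.) is dropped by the implicit deny.
! Caveat: Catalyst MAC ACLs match non-IP frames only, so plain IPv4 from a
! subscriber is not covered by this list; in a PPPoE-only design pair it with
! an IP ACL that denies IPv4 on the same ports.
mac access-list extended PPPOE-ONLY
 permit any any 0x8863 0x0
 permit any any 0x8864 0x0
!
ip access-list extended NO-NATIVE-IP
 deny   ip any any
!
interface range FastEthernet0/1 - 24
 description Subscriber port (constructed example)
 switchport mode access
 switchport access vlan 100
 ! Protected port: subscriber ports cannot forward to each other at L2,
 ! only to the unprotected uplink. Neighbours stop seeing each other's
 ! printers and Bonjour chatter without needing private VLANs.
 switchport protected
 ! Storm control: cap broadcast and multicast at a small fraction of port
 ! bandwidth and send a trap instead of err-disabling the port. Thresholds
 ! are placeholders; tune them to the observed baseline.
 storm-control broadcast level 1.00
 storm-control multicast level 1.00
 storm-control action trap
 ! Apply the ethertype and IPv4 filters on ingress from the subscriber.
 mac access-group PPPOE-ONLY in
 ip access-group NO-NATIVE-IP in
 ! Edge-port hygiene: a subscriber plugging in a switch must not be able
 ! to join or disturb the spanning tree.
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/1
 description Uplink to aggregation (not protected, no subscriber filters)
 switchport mode trunk
 switchport trunk allowed vlan 100
```

Two practical checks after deploying something like this: confirm that `show storm-control` reports the thresholds on every subscriber port, and capture on one subscriber port while another one is busy to verify that only PPPoE frames from the aggregation side are visible. For a DHCP/plain-IP service the ethertype list is the wrong tool and the feature set Nick listed (DHCP snooping, IP source guard, dynamic ARP inspection) takes its place.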
