Recommendations for access switch config

perpaal
Level 1

Hi

I run a small WISP, and am now expanding to also connect some customers via fiber.

They will get public IPs via DHCP.

Planning on using ISC DHCP and option 82 to protect against DHCP starvation attacks.

Managed CPE will take care of rate limit.

But what other ACLs etc. would you recommend implementing on access ports where I connect these clients?

Don't want anybody to make problems on the network, like creating storms, virus traffic, etc.

Will be very grateful for all good advice.

2 Replies

simionov.adrian
Level 1

Well, in the case of an ISP it is quite tricky; if you sell internet service, it should be unrestricted.

Also, if you start creating local layer 2 ACLs on every port, it will not be so easy to manage them in the future, if you have 5000 access ports and would like to add or remove one TCP port from every access port.

If you would like to protect against viruses and this kind of problem, try PVLANs and, if you can afford it, add one ASA or IPS in the distribution layer for filtering.

Good point.

But using PVLAN, customers in my net cannot communicate with each other, right?

If for instance Customer A with IP 84.32.38.198/25 VLAN15 P16 tries to communicate with Customer B IP 84.32.38.163/25 VLAN15 P3, then they cannot reach each other...

Or have I misunderstood something here?

Also, ACLs will be per switch (except uplink ports), so changing them should be manageable...
