06-21-2011 09:58 AM - edited 03-04-2019 12:46 PM
Hi
I run a small WISP, and am now expanding to also connect some customers via fiber.
They will get public IPs via DHCP.
Planning on using ISC DHCP, and option 82, to protect against DHCP starvation attacks.
Managed CPE will take care of rate limit.
But what other ACLs etc. would you recommend implementing on access ports where I connect these clients?
Don't want anybody to make problems on the network, like creating storms, virus traffic, etc.
Will be very grateful for all good advice.
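The Option 82 plan in the post above, as an added example that is not part of the original thread: it replays a constructed starvation flood against a MAC-keyed pool with and without a per-circuit-id lease cap. The pool size, the cap of 2, the circuit-id strings and the MAC addresses are all assumptions made for illustration, and the allocator is a simplified model, not ISC DHCP's code.

```python
from collections import defaultdict

POOL_SIZE = 126        # usable addresses in a /25 (assumed pool)
PER_PORT_LIMIT = 2     # assumed cap on leases per Option 82 circuit-id
VICTIM_MAC = "00:11:22:33:44:55"   # constructed legitimate customer

def build_flood(count=300):
    """Constructed traffic: one access port sends `count` DISCOVERs with
    spoofed MACs, then a legitimate customer on another port asks once.
    The circuit-id is assumed to be inserted by the access switch, so the
    client cannot choose it."""
    flood = [("sw1/vlan15/P16", "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF))
             for i in range(count)]
    return flood + [("sw1/vlan15/P3", VICTIM_MAC)]

def allocate(requests, limit=None, pool_size=POOL_SIZE):
    """Replay (circuit_id, mac) requests against a simplified lease table.

    limit=None models a server that keys only on the client MAC.
    limit=N models a server that also caps leases per circuit-id.
    Returns (leases, denied): leases maps mac -> circuit_id, denied is a
    list of (circuit_id, mac, reason).
    """
    leases, per_port, denied = {}, defaultdict(int), []
    for circuit_id, mac in requests:
        if mac in leases:
            continue                       # existing client, nothing new to hand out
        if limit is not None and per_port[circuit_id] >= limit:
            denied.append((circuit_id, mac, "port limit"))
            continue                       # refused before touching the pool
        if len(leases) >= pool_size:
            denied.append((circuit_id, mac, "pool exhausted"))
            continue
        leases[mac] = circuit_id
        per_port[circuit_id] += 1
    return leases, denied

def summarize(leases, denied):
    """Condense a run into the numbers an operator would look at."""
    reasons = defaultdict(int)
    for _, _, reason in denied:
        reasons[reason] += 1
    return {"leases": len(leases),
            "victim_served": VICTIM_MAC in leases,
            "denied": dict(reasons)}

if __name__ == "__main__":
    traffic = build_flood()
    print("MAC-keyed only :", summarize(*allocate(traffic)))
    print("circuit-id cap :", summarize(*allocate(traffic, PER_PORT_LIMIT)))
```

The denied list in the capped run doubles as a detection signal: a single circuit-id producing hundreds of "port limit" refusals points at the offending access port.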
06-24-2011 06:30 AM
Well, in the case of an ISP it is quite tricky; if you sell internet service, it should be unrestricted.
Also, if you start creating local layer 2 ACLs on every port, it will not be so easy to manage them in the future, if you will have 5000 access ports and you would like to add or remove one TCP port from every access port.
If you would like to protect against viruses and this kind of problem, try PVLANs and, if you can afford it, add one ASA or IPS in the distribution layer for filtering.
06-24-2011 07:10 AM
Good point.
But using PVLAN, customers in my net cannot communicate with each other, right?
If for instance Customer A with IP 84.32.38.198/25 VLAN15 P16 tries to communicate with Customer B IP 84.32.38.163/25 VLAN15 P3, then they cannot reach each other...
Or have I misunderstood something here?
Also, ACLs will be per switch (except uplink ports), so changing them should be manageable...