12-26-2013 10:01 PM - edited 03-04-2019 09:56 PM
Hello. I've got topology with several links from different ISPs go into switch (Catalyst 2950) and then through trunk (each ISP in its own VLAN) go into router (Cisco 2821). What settings should I apply for switch WAN ports to block unnecessary traffic from/to ISP?
no cdp enable
switchport nonegotiate
no spanning-tree vlan [isp-vlan-id]
What else?
12-27-2013 04:35 AM
You shouldn't need to do anything on the switch side. The provider will see your router and not the switch. The router on the other hand, should have CDP disabled toward the ISP and any acls that you need to have to block disallowed traffic. Disable telnet protocols on the vty lines, enable aaa for user authentication with a maximum amount of login attempts before locking the account out, disable unused protocols that you may not be using with the provider (by disable I mean passive interface for the wan toward the isp if you're using an IGP on the lan), etc.
HTH,
John
*** Please rate all useful posts ***
12-27-2013 09:31 PM
And what about CDP on switch? Why it won't generate CDP-traffic toward the ISP?
12-27-2013 06:23 AM
it would also help to know what kind of traffic you want to dissalow?
are you looking to deny certian things to certian devices?
12-27-2013 09:29 PM
I dont know exactly what kind of traffic my ISP gets form my devices (except traffic generated by users in LAN). So I'm asking about some services that are enabled by default but are not necessary on Catalyst port if it connected to ISP. I'm talking only about settings of the switch at the border between my network and ISP.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide