[194203] in North American Network Operators' Group


How to secure link between switches in Layer2

daemon@ATHENA.MIT.EDU (Pedro)
Sat Mar 25 06:03:13 2017

X-Original-To: nanog@nanog.org
From: Pedro <piotr.1234@interia.pl>
To: nanog list <nanog@nanog.org>
Date: Sat, 25 Mar 2017 11:00:02 +0100
Errors-To: nanog-bounces@nanog.org

Hello,

Sometimes I have a situation where I have to extend my Layer 2 (access,
trunk mode) network to third parties with limited trust. Sometimes it's
L2 MPLS links from an ISP (1x or 2x), sometimes it's just a colocated switch.
Mostly there are Juniper EX4200/4300 or Cisco 3750. Below I put my
config, but maybe I miss something important? Or should I correct something?

Thanks for the help.


1. If two p2p links: aggregation with LACP

2. STP/RSTP in portfast mode on access ports
   STP/RSTP without portfast mode on trunk ports
   RSTP root guard

3. On ports facing servers, in portfast mode, BPDU guard
   spanning-tree root guard

4. Max number of MAC addresses, i.e. 100
   per port, per VLAN max MAC addresses

5. 802.1Q with VLANs, but not VLAN 1

6. Broadcast storm for BUM packets: 10 pps

7. Static IP - no DHCP servers/clients in VLANs

8. CPU monitoring with notification in e.g. Zabbix

9. CDP disabled (if Cisco)
   DTP disabled (if Cisco)

10. Eventually a policer per port or per VLAN.



thanks in advance,
Pedro
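One way the checklist above renders as a Cisco IOS (3750-class) configuration, added here as an example and not part of Pedro's post. Interface names, VLAN IDs 100/200 and the unused native VLAN 999 are assumptions; items 8 and 10 (CPU monitoring, per-port policer) are not switch configuration and are left out.

```cisco
! Global settings
spanning-tree mode rapid-pvst
! Item 3: BPDU guard on every port running in portfast mode
spanning-tree portfast bpduguard default
! Item 9: CDP off globally
no cdp run
! Item 5: untagged frames on trunks land in an unused VLAN, never VLAN 1
vlan 999
 name UNUSED-NATIVE
!
! Item 1: two p2p links to the third party bundled with LACP (active mode)
! Items 5 and 9 on the member ports: non-default native VLAN, DTP disabled
interface range GigabitEthernet1/0/1 - 2
 description third-party L2 link, limited trust
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 100,200
 switchport mode trunk
 switchport nonegotiate
 channel-group 1 mode active
!
! Items 2 and 6 on the logical port: root guard without portfast,
! BUM traffic limited to 10 pps, violation reported by SNMP trap
interface Port-channel1
 spanning-tree guard root
 storm-control broadcast level pps 10
 storm-control multicast level pps 10
 storm-control action trap
!
! Items 3, 4 and 6: server-facing access port with portfast + BPDU guard,
! at most 100 MAC addresses (restrict = drop and log, do not err-disable)
interface GigabitEthernet1/0/10
 description server
 switchport mode access
 switchport access vlan 100
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security maximum 100
 switchport port-security violation restrict
 switchport port-security
 storm-control broadcast level pps 10
!
! Item 7 (static IP only) needs no configuration; verify nothing relays DHCP:
!   show running-config | include dhcp|helper-address
```

A Junos EX equivalent would use `ethernet-switching-options secure-access-port` for the MAC limit and `storm-control` plus `protocols rstp ... no-root-port`/`bpdu-block-on-edge` for items 2, 3 and 6.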

