[194206] in North American Network Operators' Group


Re: How to secure link between switches in Layer2

daemon@ATHENA.MIT.EDU (Pedro)
Sat Mar 25 09:24:55 2017

X-Original-To: nanog@nanog.org
To: nanog@nanog.org
From: Pedro <piotr.1234@interia.pl>
Date: Sat, 25 Mar 2017 14:21:44 +0100
In-Reply-To: <3a2d8bd5-e1f0-a4aa-c231-a873f6898d7d@winterei.se>
Errors-To: nanog-bounces@nanog.org


I mean loop, flood, high CPU because of TCN/TCA etc.
IMHO sniffing is not a case in my scenario, I suppose, but I'll remember this.

On 2017-03-25 at 13:21, Paul S. wrote:
> What exactly does "limited trust" mean?
>
> Are you worried they might sniff the data on the link, or?
>
> If so, macsec is really your only remedy.
>
> On 3/25/2017 07:00 PM, Pedro wrote:
>> Hello,
>>
>> Sometimes I have a situation where I have to extend my layer 2 (access,
>> trunk mode) network to third parties with limited trust. Sometimes
>> it's L2 MPLS links from an ISP (1x or 2x), sometimes it's just a colocated
>> switch. Mostly there are Juniper EX4200/4300 or Cisco 3750. Below
>> I put my config, but maybe I miss something important? Or should I
>> correct something?
>>
>> Thanks for the help
>>
>>
>> 1.
>> If two p2p links: aggregation with LACP
>>
>> 2.
>> STP/RSTP in portfast mode on access ports
>> STP/RSTP without portfast mode on trunk ports
>> RSTP root guard
>>
>> 3.
>> on ports facing servers, in portfast mode, BPDU guard
>> spanning-tree root guard
>>
>> 4.
>> max amount of MAC addresses, i.e. 100
>> per port per VLAN max MAC addresses
>>
>> 5.
>> 802.1Q with VLANs, but not VLAN 1
>>
>> 6.
>> broadcast storm for BUM packets: 10 pps
>>
>>
>> 7.
>> static IP - no DHCP servers/clients in VLANs
>>
>> 8.
>> CPU monitoring with notification in i.e. Zabbix
>>
>> 9.
>> CDP disabled (if Cisco)
>> DTP disabled (if Cisco)
>>
>> 10.
>> eventually a policer per port or per VLAN.
>>
>>
>>
>> thanks in advance,
>> Pedro
>>
>
>
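As an added example that is not part of this thread, the script below audits a Cisco IOS-style interface config against the trunk-facing items of the quoted checklist (native VLAN and VLAN 1, MAC limit, BUM rate limit, root guard, CDP and DTP off) and reports which items each trunk port is missing. The sample config and the check names are constructed for this example; the 100-MAC and 10 pps thresholds are the ones from the post.

```python
import re
# Constructed sample Cisco IOS config, written for this example; not a config from the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
 switchport port-security maximum 100
 switchport port-security
 storm-control broadcast level pps 10
 spanning-tree guard root
 no cdp enable
!
interface GigabitEthernet1/0/2
 switchport mode trunk
 switchport trunk allowed vlan 1-5,10
"""
def parse_interfaces(config):
    # Group the indented lines under each 'interface X' stanza: {name: [stripped lines]}
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = blocks.setdefault(raw.split(None, 1)[1], [])
        elif current is not None and raw.startswith(" "):
            current.append(raw.strip())
        else:
            current = None  # '!' or any other top-level line closes the stanza
    return blocks
def carries_vlan1(lines):
    # VLAN 1 rides the trunk if the allowed-list covers it, or if no list is set (IOS default: all VLANs)
    for l in lines:
        m = re.fullmatch(r"switchport trunk allowed vlan ([\d,-]+)", l)
        if m:
            return any(int(t.split("-")[0]) <= 1 <= int(t.split("-")[-1]) for t in m.group(1).split(","))
    return True
CHECKS = {  # one check per trunk-facing item of the checklist in the quoted post
    "native_vlan_not_1": lambda ls: any(re.fullmatch(r"switchport trunk native vlan (?!1$)\d+", l) for l in ls),
    "vlan_1_not_carried": lambda ls: not carries_vlan1(ls),
    "mac_limit_le_100": lambda ls: "switchport port-security" in ls and any(re.fullmatch(r"switchport port-security maximum ([1-9]\d?|100)", l) for l in ls),
    "bum_storm_control": lambda ls: any(l.startswith("storm-control broadcast level pps ") for l in ls),
    "root_guard": lambda ls: "spanning-tree guard root" in ls,
    "cdp_disabled": lambda ls: "no cdp enable" in ls,
    "dtp_disabled": lambda ls: "switchport nonegotiate" in ls,
}
def audit(config):
    """Return {trunk interface: [checks it fails]}; an empty list means every item is present."""
    return {name: [c for c, fn in CHECKS.items() if not fn(lines)]
            for name, lines in parse_interfaces(config).items() if "switchport mode trunk" in lines}
```

Run against the sample, GigabitEthernet1/0/1 passes everything and GigabitEthernet1/0/2 fails all seven checks; the access-port items (portfast, BPDU guard) are outside what this script covers.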

