Best way to secure your network from ISP?

Unanswered Question
Sep 6th, 2010

Hi all,

What is the best way to secure your network from the ISP? We take 3 branches' fiber optic VPN connections from the ISP; they do an L2 VLAN for each of them, and all 3 have our LAN IP addresses and work like a LAN. The main switch is a Cisco L3 switch, with another L3 switch and one L2 switch. So if the ISP configures a VLAN the same as ours, they will definitely be able to access our network, so what is the best way to secure it?

Thanks

Julio Garcia Tue, 09/07/2010 - 01:31

You could use port security and secure the MAC addresses that can be learnt on both sides.

That way, if the ISP taps in, they would not be able to do anything or reach anything.

In my experience, though, the ISP only 'taps' into a VLAN if you have a big problem and they need to troubleshoot. Personally, I wouldn't get too paranoid about the ISP, and would target security towards real 'outsiders'.

Another way around is to have 2 separate networks, configure a point-to-point /30 between them (on the ISP VLAN), and then use a static ARP entry for both ends. This would need far less configuration than securing all MAC addresses etc.

I'm sure there are lots and lots of different ways, with more variety if you had a layer 3 network.

Note: in all these cases, the ISP can still sniff traffic; the only way around this is if you have your own private circuits, or if you do encryption (using layer 3).

I think in your setup, L2 port security is probably the best thing to do: audit your network, see the MAC addresses learnt, and secure the perimeters with your list.
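
The audit step suggested in the reply above (see which MAC addresses are learnt on the ISP-facing port, then pin the port to your own list), sketched as an added example that is not part of the original thread. The `show mac address-table` text, the port name `Gi0/24` and every MAC address are constructed sample values.

```python
import re

# Constructed sample of `show mac address-table` output from the customer switch.
# Gi0/24 is assumed to be the port facing the ISP media converter.
SAMPLE_OUTPUT = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4401    DYNAMIC     Gi0/24
  10    0011.2233.4402    DYNAMIC     Gi0/24
  10    00de.adbe.ef01    DYNAMIC     Gi0/24
  10    0011.2233.44aa    DYNAMIC     Gi0/1
Total Mac Addresses for this criterion: 4
"""

# Constructed allowlist: MACs of our own devices reachable across the ISP VLAN.
KNOWN_MACS = {"0011.2233.4401", "0011.2233.4402"}

ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$", re.I)

def parse_mac_table(text):
    """Return (vlan, mac, type, port) tuples for each table row; skip headers."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2).lower(), m.group(3), m.group(4)))
    return rows

def audit(text, uplink, known):
    """Split MACs learnt on the ISP-facing port into (expected, unexpected)."""
    learnt = {mac for _, mac, _, port in parse_mac_table(text) if port == uplink}
    return sorted(learnt & known), sorted(learnt - known)

def port_security_config(uplink, known):
    """Build IOS port-security lines that pin the uplink to the audited list."""
    macs = sorted(known)
    lines = [f"interface {uplink}",
             " switchport mode access",
             " switchport port-security",
             f" switchport port-security maximum {len(macs)}",
             " switchport port-security violation restrict"]
    lines += [f" switchport port-security mac-address {m}" for m in macs]
    return "\n".join(lines)

if __name__ == "__main__":
    expected, unexpected = audit(SAMPLE_OUTPUT, "Gi0/24", KNOWN_MACS)
    print("expected:", expected, "unexpected:", unexpected)
    print(port_security_config("Gi0/24", KNOWN_MACS))
```

Any address reported as unexpected should be identified before the generated lines are applied, since port security only restricts which source MACs the port accepts and does nothing against sniffing on the ISP side.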

Tulga Bat Tue, 09/07/2010 - 20:44

Thanks, Rob

I'm just wondering: both the L3 switch port and the L2 switch ports are connected to fiber media converters, the fiber media converters are connected to the ISP L2 switch, and the L2 switch configures an untagged VLAN on both ports. So do you configure switchport port-security mac-address of the L3 switchport on the L2 switch?
