09-06-2010 08:27 PM - edited 03-04-2019 09:40 AM
Hi all,
What is the best way to secure your network from the ISP? We take 3 branch fiber-optic VPN connections from the ISP; they do an L2 VLAN for each of them. All 3 have our LAN IP addressing and work like one LAN. The main switch is a Cisco L3 switch, plus another L3 switch and one L2 switch. So if the ISP configures a VLAN the same as ours, they will definitely be able to access our network. What is the best way to secure it?
Thanks
09-07-2010 01:31 AM
You could use port security and secure the MAC addresses that can be learnt on both sides.
That way, if the ISP taps in, they would not be able to do anything or reach anything.
In my experience, though, an ISP only 'taps' into a VLAN if you have a big problem and they need to troubleshoot. Personally, I wouldn't get too paranoid about the ISP and would target security towards real 'outsiders'.
Another way around it is to have 2 separate networks, configure a point-to-point /30 between them (on the ISP VLAN) and then use a static ARP entry at both ends. This would need far less configuration than securing all the MAC addresses, etc.
I'm sure there are lots and lots of different ways; there would be more variety if you had a layer 3 network.
Note: in all these cases, the ISP can still sniff traffic. The only way around this is if you have your own private circuits, or if you do encryption (using layer 3).
I think in your setup, L2 port security is probably the best thing to do: audit your network, see the MAC addresses learnt, and secure the perimeter with your list.
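As an added illustration of the two options in the reply above (not configuration from the original thread), here is what the port-security and the routed /30 with static ARP look like on a Cisco IOS L3 switch. Interface names, VLAN number, the 192.0.2.0/30 transit subnet, the 10.1.0.0/24 branch LAN and the MAC address 0011.2233.4455 are all hypothetical placeholders; substitute the values from your own audit ("show mac address-table" on the ISP-facing ports).

```ios
! Added example, not from the original post. All names, addresses and MACs are placeholders.
!
! --- Option 1: L2 port security on the port facing the ISP fibre media converter ---
! Only the MAC addresses you pin here may appear on this port; any other source MAC
! err-disables the port and raises a syslog/SNMP notification.
interface GigabitEthernet0/1
 description Uplink to ISP media converter (branch A)
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address 0011.2233.4455
 spanning-tree bpduguard enable
 no cdp enable
!
! Alternative to a hand-typed list: learn the current MACs once, then they are
! written into running-config and anything new is a violation.
!  switchport port-security mac-address sticky
!
! --- Option 2: routed /30 across the ISP VLAN with a static ARP entry ---
! The ISP VLAN carries only the transit subnet; the branch LAN sits behind the
! far-end L3 switch and is reached via a static route, so only one peer MAC is
! ever expected on the uplink (which is why "maximum 1" above is enough here).
interface Vlan10
 description Transit to branch A over ISP L2 service
 ip address 192.0.2.1 255.255.255.252
 no ip proxy-arp
 no ip redirects
!
! Static ARP for the peer: a spoofed ARP reply from the ISP side is ignored.
arp 192.0.2.2 0011.2233.4455 arpa
!
! Route to the branch LAN via the peer's transit address.
ip route 10.1.0.0 255.255.255.0 192.0.2.2
!
! --- Checks after applying ---
! show port-security interface GigabitEthernet0/1   (status, violation count)
! show port-security address                        (secured MACs per port)
! show ip arp vlan 10                               (entry should show as static)
! show interfaces status err-disabled               (a tripped port shows here)
```

Two caveats for the original setup. If you keep the three sites bridged as one L2 LAN (rather than the /30 design), every host at the remote branch is seen on the uplink, so `switchport port-security maximum` must equal the audited number of remote hosts and each MAC must be listed, and the list must be maintained whenever hardware changes. And as the reply notes, neither option prevents the ISP from reading the frames; only encryption of the traffic itself (for example IPsec between the L3 switches or routers) does that.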
09-07-2010 08:44 PM
Thanks, Rob
I'm just wondering: both the L3 switch port and the L2 switch ports are connected to the fiber media converters, and the fiber media converters are connected to the ISP L2 switch, and the L2 switch configures an untagged VLAN on both ports. So do you configure switchport port-security mac-address with the MAC address of the L3 switch port on the L2 switch?