Best way to secure your network from ISP?

Hi all,

What is the best way to secure your network from the ISP? We take 3 branch fiber optic VPN connections from the ISP, and they do an L2 VLAN for each of them. All 3 have our LAN IP addresses and work like a LAN. The main switch is a Cisco L3 switch, and there is another L3 switch and one L2 switch. So if the ISP configures a VLAN the same as ours, they can definitely access our network, so what is the best way to secure it?



Re: Best way to secure your network from ISP?

You could use port security and secure the MAC addresses that can be learnt on both sides.

That way, if the ISP taps in, they would not be able to do anything or reach anything.

In my experience, though, the ISP only 'taps' into a VLAN if you have a big problem and they need to troubleshoot. Personally, I wouldn't get too paranoid about the ISP and would target security towards real 'outsiders'.

Another way around is to have 2 separate networks, configure a point-to-point /30 between them (on the ISP VLAN) and then use a static ARP entry for both ends. This would need far less configuration than securing all MAC addresses etc.

I'm sure there are lots and lots of different ways, with more variety if you had a layer 3 network.

Note: in all these cases, the ISP can still sniff traffic. The only way around this is if you have your own private circuits, or if you do encryption (using layer 3).

I think in your setup, L2 port security is probably the best thing to do: audit your network, see the MAC addresses learnt, and secure the perimeters with your list.
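The audit step suggested in the reply above (see which MAC addresses are learnt on the ISP-facing port, then pin the port to your own list) can be scripted. This is an added example, not part of the original posts: the interface name, the inventory of known MACs and the sample `show mac address-table` output are all constructed, and the ISP handoff is assumed to be an untagged access port.

```python
import re

# Constructed sample of `show mac address-table` output (all values made up).
# Gi1/0/24 is assumed to be the port facing the ISP media converter.
SAMPLE_OUTPUT = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 100    0011.2233.4455    DYNAMIC     Gi1/0/24
 100    0011.2233.4466    DYNAMIC     Gi1/0/24
 100    00de.adbe.ef01    DYNAMIC     Gi1/0/24
 100    0011.2233.4499    DYNAMIC     Gi1/0/1
Total Mac Addresses for this criterion: 4
"""
KNOWN_MACS = {"0011.2233.4455", "0011.2233.4466"}  # assumed inventory of our branch devices
ISP_PORTS = {"Gi1/0/24"}                           # hypothetical ISP-facing interface
ROW = re.compile(r"^\s*(\d+)\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$", re.I)

def parse_mac_table(text):
    """Return (vlan, mac, type, port) tuples; header and footer lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2).lower(), m.group(3).upper(), m.group(4)))
    return rows

def audit(rows, known, isp_ports):
    """Split MACs learnt on ISP-facing ports into expected and unexpected, per port."""
    expected, unexpected = {}, {}
    for _vlan, mac, _type, port in rows:
        if port in isp_ports:
            (expected if mac in known else unexpected).setdefault(port, []).append(mac)
    return expected, unexpected

def port_security_config(expected):
    """Emit IOS lines pinning each audited port to its expected MACs."""
    lines = []
    for port, macs in sorted(expected.items()):
        lines += [f"interface {port}", " switchport mode access",
                  f" switchport port-security maximum {len(macs)}",
                  " switchport port-security violation restrict"]
        lines += [f" switchport port-security mac-address {m}" for m in macs]
        lines.append(" switchport port-security")  # enable last, after the limits are set
    return lines

if __name__ == "__main__":
    exp, unexp = audit(parse_mac_table(SAMPLE_OUTPUT), KNOWN_MACS, ISP_PORTS)
    print("Unexpected MACs on ISP-facing ports:", unexp)
    print("\n".join(port_security_config(exp)))
```

Any MAC reported as unexpected should be identified before the generated configuration is applied, since port security will drop its traffic afterwards.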


Re: Best way to secure your network from ISP?

Thanks, Rob

I'm just wondering: both the L3 switch port and the L2 switch ports are connected to the fiber media converters, the fiber media converters are connected to the ISP L2 switch, and the L2 switch configures an untagged VLAN on both ports. So would you configure switchport port-security mac-address of the L3 switchport on the L2 switch?