This is probably going to sound really dumb, but I still want to throw this out there JUST in case there's some way to improve security on the switches. It's actually more about security and better attack deflection on the switches than security of the switches themselves.
I have two 3560s at the headend of the network with routing turned on and static routes to the upstream provider. Behind them run a VoIP network and a data network (web/ftp etc.). In the headend switches, VLANs have been configured along with access-lists such that traffic coming into/out of the SIP ports and media ports is tagged with the appropriate COS etc. and sent to the switchports where the SBCs are physically connected to the switches. I'm taking the chance/trusting that the built-in NAT/firewall of the SBC (software modules provided by the SBC vendor) will do whatever it can to defend itself. The data traffic is being gated by the ASA5520s (without AIP or CSC SSM). I have tight access rules on the ASA5520, which is protecting the internal network, but it's getting hammered with all sorts of attacks incl. ICMP floods, multi-port attacks, UDP bombs and such. This obviously has side-effects like excess data usage (my ISP gives us unshaped GigE tails, but data is charged), not to mention that since it's all coming through on the same WAN pipe there's a danger of it mangling the VoIP traffic, causing occasional bad quality.
So the question is: what can I do on the switches and on the firewall, with what I have, to reduce this and make my network more efficient?
The reason I said it may be a dumb question is that ideally I'd like to block out traffic from known offenders, but I can't prevent someone from attacking my network. Defending against it means it still hits my firewall (my ISP will simply forward traffic bound for my IP block to my routers/switches, which at the moment have no rules to prevent the traffic coming in, so they pass it on to the SBCs or the ASAs depending on what IP is being attacked), and so from the ISP's perspective that traffic still counts towards my data usage, which has soared to double in the past 6 months, and I know we're not doing that much business (as then I'd have the money to buy firewall/IPS services from my ISP to filter attacks at the door and only forward clean traffic to us, PLUS be able to purchase AIP & CSC).
I'll leave this at that until questions come in for specific clarifications; suggestions would also help :)
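As an added example (not part of the original post), one way to act on the "block known offenders" idea at the headend rather than on the ASA: tally source addresses from ASA deny syslog lines and render an IOS extended ACL that the 3560s could apply inbound on the upstream-facing interface. The log lines, addresses, threshold and ACL name are constructed assumptions, not values from the poster's network.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the shape of ASA messages 106023 (ACL deny)
# and 106014 (inbound ICMP deny); addresses are documentation ranges, not real hosts.
SAMPLE_LOGS = """\
%ASA-4-106023: Deny udp src outside:203.0.113.7/40123 dst inside:198.51.100.10/5060 by access-group "OUTSIDE_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:203.0.113.7/40124 dst inside:198.51.100.10/5061 by access-group "OUTSIDE_IN" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.7/51000 dst inside:198.51.100.20/21 by access-group "OUTSIDE_IN" [0x0, 0x0]
%ASA-3-106014: Deny inbound icmp src outside:192.0.2.99 dst inside:198.51.100.20 (type 8, code 0)
%ASA-3-106014: Deny inbound icmp src outside:192.0.2.99 dst inside:198.51.100.20 (type 8, code 0)
%ASA-4-106023: Deny tcp src outside:203.0.113.200/3333 dst inside:198.51.100.20/80 by access-group "OUTSIDE_IN" [0x0, 0x0]
"""

# Source address of a denied packet: "src outside:A.B.C.D", optionally followed by "/port".
SRC_RE = re.compile(r"%ASA-\d-1060(?:23|14): Deny .*?src outside:(\d{1,3}(?:\.\d{1,3}){3})")


def count_denied_sources(log_text):
    """Count how many times the ASA denied each outside source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SRC_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def top_offenders(log_text, threshold):
    """Sources denied at least `threshold` times, busiest first (ties broken by address).
    A single stray deny never makes the list, so one-off noise is not blocked."""
    hits = [(ip, n) for ip, n in count_denied_sources(log_text).items() if n >= threshold]
    hits.sort(key=lambda t: (-t[1], t[0]))
    return [ip for ip, _ in hits]


def build_ios_acl(offenders, acl_name="OFFENDERS-IN"):
    """Render an IOS extended ACL: one host deny per offender, then permit everything
    else so legitimate SIP/media and data traffic still reaches the SBCs and the ASA."""
    lines = [f"ip access-list extended {acl_name}"]
    lines += [f" deny ip host {ip} any" for ip in offenders]
    lines.append(" permit ip any any")
    return "\n".join(lines)


if __name__ == "__main__":
    # Apply on the 3560 with "ip access-group OFFENDERS-IN in" on the upstream interface.
    print(build_ios_acl(top_offenders(SAMPLE_LOGS, threshold=2)))
```

Dropping the flood at the headend keeps it off the ASA and the SBC uplinks, but as the post notes the bytes still arrive on the WAN tail and still count against usage; only upstream filtering by the ISP changes that.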