Does anyone have a best practice list of things to disable/filter/turn off on ethernet ports l2 connected to other AS's?

cdp
stp
switchport negotiate
vtp
if trunking, limit vlans, no vlan1

So on so forth.

Switches do so many darn things all by themselves, as any packet capture shows.

Thanks,
Joe
http://www.ams-ix.net/technical/config_guide/ has some great info specific to IX connections.

Paul

-----Original Message-----
From: Joe Maimon [mailto:jmaimon@ttec.com]
Sent: Friday, February 20, 2009 9:42 AM
To: nanog@nanog.org
Subject: external L2 ethernet connections

> Does anyone have a best practice list of things to disable/filter/turn off on ethernet ports l2 connected to other AS's?
>
> cdp
> stp
> switchport negotiate
> vtp
> if trunking, limit vlans, no vlan1
>
> So on so forth.
>
> Switches do so many darn things all by themselves, as any packet capture shows.
>
> Thanks,
> Joe
Joe,

I take credit card payments ....and we can agree on a daily rate ...as after all you are into "IT Consultancy". Just use the available search engine optimizers to build your knowledge base by performing the "black hat v white hat" searches :-)

I am here still ....what is your budget?

--- On Fri, 2/20/09, Joe Maimon <jmaimon@ttec.com> wrote:

> From: Joe Maimon <jmaimon@ttec.com>
> Subject: external L2 ethernet connections
> To: nanog@nanog.org
> Date: Friday, February 20, 2009, 3:41 PM
>
> Does anyone have a best practice list of things to disable/filter/turn off on ethernet ports l2 connected to other AS's?
>
> cdp
> stp
> switchport negotiate
> vtp
> if trunking, limit vlans, no vlan1
>
> So on so forth.
>
> Switches do so many darn things all by themselves, as any packet capture shows.
>
> Thanks,
> Joe
I like your community spirit.

Are you a member of the NANOG community because:

a) You want to educate yourself
b) You want to educate others
c) You want to participate in flame wars
d) You want to read flame wars
e) You want to denigrate those seeking to educate themselves or others

You can't have your cake and eat it too.

Thanks but no thanks, I am going to avoid the pissing contest.

Joe

isabel dias wrote:

> Joe,
>
> I take credit card payments ....and we can agree on a daily rate ...as after all you are into "IT Consultancy". Just use the available search engine optimizers to build your knowledge base by performing the "black hat v white hat" searches :-)
>
> I am here still ....what is your budget?
>
> --- On Fri, 2/20/09, Joe Maimon <jmaimon@ttec.com> wrote:
>
>> From: Joe Maimon <jmaimon@ttec.com>
>> Subject: external L2 ethernet connections
>> To: nanog@nanog.org
>> Date: Friday, February 20, 2009, 3:41 PM
>>
>> Does anyone have a best practice list of things to disable/filter/turn off on ethernet ports l2 connected to other AS's?
>>
>> cdp
>> stp
>> switchport negotiate
>> vtp
>> if trunking, limit vlans, no vlan1
>>
>> So on so forth.
>>
>> Switches do so many darn things all by themselves, as any packet capture shows.
>>
>> Thanks,
>> Joe
I am not too sure if that is a comment that needs another expert answer .....but I can think of a few possible answers. YES. "although I'm a little afraid, however I'd like to try it" ....."IT Consultancy"?

--- On Fri, 2/20/09, Joe Maimon <jmaimon@ttec.com> wrote:

> From: Joe Maimon <jmaimon@ttec.com>
> Subject: Re: external L2 ethernet connections
> To: isabeldias1@yahoo.com
> Cc: nanog@nanog.org
> Date: Friday, February 20, 2009, 4:07 PM
>
> I like your community spirit.
>
> Are you a member of the NANOG community because:
>
> a) You want to educate yourself
> b) You want to educate others
> c) You want to participate in flame wars
> d) You want to read flame wars
> e) You want to denigrate those seeking to educate themselves or others
>
> You can't have your cake and eat it too.
>
> Thanks but no thanks, I am going to avoid the pissing contest.
>
> Joe
>
> isabel dias wrote:
>
>> Joe,
>>
>> I take credit card payments ....and we can agree on a daily rate ...as after all you are into "IT Consultancy". Just use the available search engine optimizers to build your knowledge base by performing the "black hat v white hat" searches :-)
>>
>> I am here still ....what is your budget?
>>
>> --- On Fri, 2/20/09, Joe Maimon <jmaimon@ttec.com> wrote:
>>
>>> From: Joe Maimon <jmaimon@ttec.com>
>>> Subject: external L2 ethernet connections
>>> To: nanog@nanog.org
>>> Date: Friday, February 20, 2009, 3:41 PM
>>>
>>> Does anyone have a best practice list of things to disable/filter/turn off on ethernet ports l2 connected to other AS's?
>>>
>>> cdp
>>> stp
>>> switchport negotiate
>>> vtp
>>> if trunking, limit vlans, no vlan1
>>>
>>> So on so forth.
>>>
>>> Switches do so many darn things all by themselves, as any packet capture shows.
>>>
>>> Thanks,
>>> Joe
If you're using a Cisco device on your side, you'll likely want to disable MOP as well:
http://www.ciscotaccc.com/kaidara-advisor/lanswitching/showcase?case=K205233...

Adam Davenport / adam@choopa.com
www.choopa.com / 1.866.2.CHOOPA

Joe Maimon wrote:

> Does anyone have a best practice list of things to disable/filter/turn off on ethernet ports l2 connected to other AS's?
>
> cdp
> stp
> switchport negotiate
> vtp
> if trunking, limit vlans, no vlan1
>
> So on so forth.
>
> Switches do so many darn things all by themselves, as any packet capture shows.
>
> Thanks,
> Joe
On Fri, Feb 20, 2009 at 9:59 AM, Adam Davenport <adam@choopa.com> wrote:

> If you're using a Cisco device on your side, you'll likely want to disable MOP as well:
> http://www.ciscotaccc.com/kaidara-advisor/lanswitching/showcase?case=K205233...
>
> Adam Davenport / adam@choopa.com
> www.choopa.com / 1.866.2.CHOOPA

A more sensible approach is to not run Enterprise code if you only need to route IP.

Paul Wall
All of the protocols below should be turned off; my understanding is that with dot1q trunking vlan1 cannot be removed from the trunk, although Cisco's isl trunking allows the removal of all vlans. If Cisco equipment is used, the "bpdu filter" command is useful as it instructs the switch to neither send bpdus nor accept them.

These are good practices not just for connectivity to other AS's, but also in cases where Ethernet switches comprise a geographically dispersed WAN backbone. The key is to turn off all layer 2 state machines in the connected Ethernet switches, enabling only layer 3 state machines.

We have found with some vendors' equipment that the layer 2/layer 3 state machines are not tightly integrated so, for instance, a cam timeout in layer 2 will remove the underlying port/mac table entry for a destination layer 3 network, resulting in unknown unicast flooding with noticeable effects on user response time.

-----Original Message-----
From: Joe Maimon [mailto:jmaimon@ttec.com]
Sent: Friday, February 20, 2009 6:42 AM
To: nanog@nanog.org
Subject: external L2 ethernet connections

> Does anyone have a best practice list of things to disable/filter/turn off on ethernet ports l2 connected to other AS's?
>
> cdp
> stp
> switchport negotiate
> vtp
> if trunking, limit vlans, no vlan1
>
> So on so forth.
>
> Switches do so many darn things all by themselves, as any packet capture shows.
>
> Thanks,
> Joe
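The checklist that emerges from this thread (CDP off, no DTP negotiation, no BPDUs via bpdufilter, VTP not active, VLAN 1 off the trunk, MOP off) is easy to state and easy to forget on one port out of fifty. The script below is an added example, not anything posted in the thread or shipped by Cisco: it parses a Cisco IOS-style running config and reports, per switchport, which of those items is not present. The sample config, the interface names and the peer AS numbers are constructed; the command strings are the usual IOS spellings, and since some platform defaults never appear in `show running-config`, treat a finding as "not visibly configured" rather than proof of the live state.

```python
"""Audit Cisco IOS-style interface stanzas for the L2 hygiene items this
thread lists: CDP, DTP (switchport negotiate), STP BPDUs, VTP, VLAN 1 on
trunks, and MOP. Added example; config, interface names and AS numbers are
constructed, and the command strings assume common IOS spellings."""

import re
from typing import Dict, List

# Constructed sample: a hardened peer port, a default-ish peer port, an L3 port.
SAMPLE_CONFIG = """\
vtp mode transparent
!
interface GigabitEthernet1/0/1
 description to AS64496 (hardened)
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,200
 switchport mode trunk
 switchport nonegotiate
 no cdp enable
 no mop enabled
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/0/2
 description to AS64497 (as shipped)
 switchport mode trunk
!
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [indented lines]} for each interface stanza."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif current is not None and raw.startswith(" "):
            stanzas[current].append(raw.strip())
        else:
            current = None  # '!' or any top-level line closes the stanza
    return stanzas


def _vlan_list_has_1(spec: str) -> bool:
    """Does a comma/range list such as '1,100-200' include VLAN 1?"""
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            if lo <= 1 <= hi:
                return True
        elif part == "1":
            return True
    return False


def trunk_allows_vlan1(lines: List[str]) -> bool:
    """True if VLAN 1 is carried on the trunk. No 'allowed vlan' line means
    the IOS default, which is all VLANs (1 included)."""
    for line in lines:
        m = re.match(r"switchport trunk allowed vlan (.+)", line)
        if not m:
            continue
        spec = m.group(1).strip()
        if spec == "all":
            return True
        if spec == "none":
            return False
        if spec.startswith("except "):
            return not _vlan_list_has_1(spec[len("except "):])
        return _vlan_list_has_1(spec)
    return True


def audit_interface(lines: List[str]) -> List[str]:
    """Hygiene items missing from one L2 port stanza (empty list = clean)."""
    findings = []
    if "no cdp enable" not in lines:
        findings.append("cdp: still enabled")
    if "switchport nonegotiate" not in lines:
        findings.append("dtp: trunk negotiation still enabled")
    if "spanning-tree bpdufilter enable" not in lines:
        findings.append("stp: BPDUs still sent and accepted (no bpdufilter)")
    if "no mop enabled" not in lines:
        findings.append("mop: still enabled")
    if "switchport mode trunk" in lines and trunk_allows_vlan1(lines):
        findings.append("trunk: VLAN 1 allowed")
    return findings


def audit_config(config: str) -> Dict[str, List[str]]:
    """Audit every switchport stanza plus the global VTP mode."""
    report: Dict[str, List[str]] = {}
    top = [ln.strip() for ln in config.splitlines() if not ln.startswith(" ")]
    if any(ln in ("vtp mode transparent", "vtp mode off") for ln in top):
        report["global"] = []
    else:
        report["global"] = ["vtp: not transparent/off, switch may join a VTP domain"]
    for name, lines in parse_interfaces(config).items():
        if any(ln.startswith("switchport") for ln in lines):  # L2 ports only
            report[name] = audit_interface(lines)
    return report


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: {'ok' if not findings else '; '.join(findings)}")
```

Run against a saved `show running-config`, the report lists the hardened port as clean and the as-shipped port with five findings; the loopback is skipped because it has no switchport lines. The VTP check is global because VTP mode is a device-wide setting on classic IOS, and the VLAN 1 check treats a missing `allowed vlan` line as the default of all VLANs, which is the case that bites in practice.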
participants (6):
- Adam Davenport
- Holmes,David A
- isabel dias
- Joe Maimon
- Paul Stewart
- Paul Wall