On Mon, 3 Aug 2009, vince anton wrote:

> My concern here is whether this is best practise for delivering such
> services, or if other ways of doing this are out there and proven better.

No, that's a common model.

> Last but not least, security. What if a customer plugs the fibre link into his switch with a bunch of other vlans running? The only form of 'protection' that I currently have is restriction of vlans on the trunk from the customer, but some traffic (like spanning tree) travels on vlan 1 as far as I recall and this cannot be blocked. Another item would be vlan hopping.

Well, you probably want to enable STP filters if you don't expect STP packets to come in on the link. Disabling the use of vlan 1 on the customer link might be good as well (i.e. only use tagged vlans, do not run native vlan 1 on the customer link).

> I'm just after some pointers from what you all do out there to offer similar
> services, what the best practises for this are, lessons learnt, etc...  so I
> can then delve into the details given the pointers, to ensure I'm running
> in line with tried and tested ways of doing things.

Vlan hopping shouldn't be a problem with modern equipment, but it might be good to verify that the one you're using doesn't have this problem.

--
Mikael Abrahamsson    email: swm...@swm.pp.se
_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
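One way to lay out a customer-facing trunk along the lines of the reply above (STP filtered, no native VLAN 1, only tagged service VLANs). This is an added Cisco IOS example, not configuration from the thread; the interface name, the service VLANs 100/200 and the unused native VLAN 999 are assumptions, and `vlan dot1q tag native` is only available on platforms that support it.

```cisco
! Added example: hardening one customer-facing dot1q trunk (names/VLANs assumed)
! Global: tag frames on the native VLAN too, so untagged frames from the
! customer side are not silently mapped into a VLAN (platform-dependent)
vlan dot1q tag native
!
interface GigabitEthernet0/1
 description example-customer-handoff
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! No DTP or CDP towards customer gear: trunking is static, nothing is negotiated
 switchport nonegotiate
 no cdp enable
 ! Only the customer's service VLANs are carried; VLAN 1 is not in the list,
 ! so VLAN 1 user data does not cross this link
 switchport trunk allowed vlan 100,200
 ! Native VLAN moved off VLAN 1 onto an unused, unrouted VLAN (assumed 999)
 switchport trunk native vlan 999
 ! "STP filter" from the reply: neither send BPDUs to nor accept BPDUs from the
 ! customer, so their spanning tree cannot influence ours.
 ! (spanning-tree bpduguard enable is the stricter alternative: it err-disables
 ! the port on the first received BPDU instead of dropping it.)
 spanning-tree bpdufilter enable
 no shutdown
!
! Checks after applying:
!   show interfaces GigabitEthernet0/1 trunk        -> native 999, allowed 100,200
!   show spanning-tree interface GigabitEthernet0/1 -> no STP state expected
```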
