I think it would be an interesting conversation to discuss what a properly defined network edge would look like. Specifically the access-switch edge, not the internet edge.
For the sake of the conversation, let's assume a few things about this fictitious network. All Cisco devices, in a three-tier core/distribution/access design.
The core is layer 3 to the distribution; over these layer 3 links, OSPF is used to send routing information to the cores. The distribution has layer 3 SVIs configured that are trunked to the access switches. In most but not all cases the distribution can be a single distribution switch with L3 uplinks to coreA and coreB.
Distribution1 runs rapid-PVST with a priority of 8192. It has an EtherChannel to distB (Distribution2) with all VLANs allowed. Distribution2 runs rapid-PVST with a priority of 16384. They use HSRP and each supports all client VLANs in a deterministic fashion, making Distribution1 the primary for both layer 2 and layer 3. Trunks from the distribution all have explicit VLAN allow statements toward the access switches. Root guard is configured on the distribution ports facing the access switches.
The edge has uplinks to dist1 and dist2. The edge has VLANs defined that are used on the switch. Ideally each access switch has its own defined VLAN; however, some things are trunked to multiple access switches. Access switches have portfast default and portfast bpduguard default enabled. Access switches have their rapid-PVST priority set to 20480.
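The topology described above, written out as Cisco IOS configuration. This is an added example, not the author's configuration: the interface numbers, VLAN IDs (10, 20, 30), IP addresses and HSRP values are assumed. It shows Distribution1 plus the access-switch globals; Distribution2 would mirror it with STP priority 16384 and a lower HSRP priority.

```cisco
! ---- Distribution1 (example config, all identifiers assumed) ----
spanning-tree mode rapid-pvst
! Root bridge for every client vlan; Distribution2 would use 16384
spanning-tree vlan 10,20,30 priority 8192
!
vlan 10
 name access-sw1-users
vlan 20
 name access-sw2-users
vlan 30
 name shared-across-access-switches
!
! Layer 3 SVI per client vlan; HSRPv2 with Distribution1 active (preempt)
interface Vlan10
 ip address 10.1.10.2 255.255.255.0
 standby version 2
 standby 10 ip 10.1.10.1
 standby 10 priority 110
 standby 10 preempt
!
! EtherChannel to distB: all vlans allowed (the IOS default for a trunk)
interface range GigabitEthernet1/0/47 - 48
 channel-group 1 mode active
interface Port-channel1
 switchport mode trunk
 switchport nonegotiate
!
! Downlink trunk to an access switch: explicit allow list plus root guard,
! so a misconfigured access switch cannot take over the STP root
interface GigabitEthernet1/0/1
 description to access-sw1
 switchport mode trunk
 switchport trunk allowed vlan 10,30
 switchport nonegotiate
 spanning-tree guard root
!
! Routed uplinks to coreA and coreB; OSPF carries the SVI subnets to the cores
interface GigabitEthernet1/0/49
 description to coreA
 no switchport
 ip address 10.0.0.1 255.255.255.252
 ip ospf network point-to-point
interface GigabitEthernet1/0/50
 description to coreB
 no switchport
 ip address 10.0.0.5 255.255.255.252
 ip ospf network point-to-point
!
router ospf 1
 passive-interface default
 no passive-interface GigabitEthernet1/0/49
 no passive-interface GigabitEthernet1/0/50
 network 10.0.0.0 0.0.0.255 area 0
 network 10.1.0.0 0.0.255.255 area 0
!
! ---- Access switch 1 globals ----
spanning-tree mode rapid-pvst
! Numerically higher than either distribution switch: never becomes root
spanning-tree vlan 10,30 priority 20480
! Newer IOS releases spell these "spanning-tree portfast edge default"
spanning-tree portfast default
spanning-tree portfast bpduguard default
vtp mode transparent
!
interface range GigabitEthernet1/0/49 - 50
 description uplinks to dist1 / dist2
 switchport mode trunk
 switchport trunk allowed vlan 10,30
 switchport nonegotiate
```

The deterministic part is the pairing of STP priority and HSRP priority: because Distribution1 is both the root bridge and the HSRP active router for every VLAN, layer 2 forwarding and the layer 3 gateway sit on the same box, and the EtherChannel between the two distribution switches never carries transit traffic in steady state.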
Ok, so with that out of the way – how do you protect your edge?
Port security? What do you care about? What thresholds do you use?
Do you filter at the edge? ACLs? VACLs? What and why?
Does anyone care about voice vlans anymore?
Anyone still use private-vlans? Why?
802.1x ? dynamic vlan assignments? How do you get it to scale to thousands of switches?
Anyone looked at ClearPass?
Do you force non-trunking (DTP off)?
VTP transparent?
Do not ever use VLAN 1.
Do you still use a dummy vlan or shutdown unused ports?
DHCP snooping / IP Source Guard / Dynamic ARP Inspection?
Storm control? What parameters?
How do you manage QoS across a huge variety of switches, and in some cases across a huge number of families of line cards per switch platform? Is it even worth it?
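One concrete answer to the checklist above, as an added Cisco IOS access-port template that is not from the post: it combines DTP off, BPDU guard, port security, DHCP snooping, Dynamic ARP Inspection, IP Source Guard, storm control, a voice VLAN and parked unused ports on a single access switch. VLAN IDs, interface numbers and thresholds are assumptions to tune per site; 802.1x is left out because its port configuration interacts with port security and belongs in a separate template.

```cisco
! ---- Access switch: user-port hardening (example, all values assumed) ----
!
! DHCP snooping builds the binding table that DAI and IP Source Guard rely on
ip dhcp snooping
ip dhcp snooping vlan 10,30,110
! Option 82 insertion off unless the DHCP server/relay is set up for it
no ip dhcp snooping information option
ip arp inspection vlan 10,30,110
!
! Let errdisabled ports recover on their own instead of needing a helpdesk call
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
errdisable recovery cause storm-control
errdisable recovery interval 300
!
! Uplinks toward the distribution are the only trusted DHCP/ARP sources
interface range GigabitEthernet1/0/49 - 50
 ip dhcp snooping trust
 ip arp inspection trust
!
! User ports: one data vlan, one voice vlan, no DTP, edge port with BPDU guard
! (newer IOS spells "spanning-tree portfast" as "spanning-tree portfast edge")
interface range GigabitEthernet1/0/1 - 44
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! Port security sized for phone plus PC (a phone MAC can appear on both
 ! vlans); "restrict" drops and logs extra MACs rather than errdisabling
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security aging time 5
 switchport port-security aging type inactivity
 ! IP Source Guard: only addresses learned via DHCP snooping may transmit
 ip verify source
 ! Storm control as a percentage of link bandwidth; trap rather than shut down
 storm-control broadcast level 1.00
 storm-control multicast level 5.00
 storm-control action trap
!
! Unused ports: access mode, parked in an isolated vlan, and shut down
vlan 999
 name unused-parking
interface range GigabitEthernet1/0/45 - 48
 switchport mode access
 switchport access vlan 999
 shutdown
```

The ordering matters: DHCP snooping must be enabled on a VLAN before `ip verify source` on its ports does anything useful, and the uplinks must be trusted before snooping is turned on or the switch will start dropping the legitimate DHCP offers coming from the distribution. The restrict/trap choices keep a single misbehaving host from taking its port down, which is usually the trade-off people want on a floor switch.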
I am genuinely curious what other enterprise network folks are doing with their setups and how they find it working out in the real world, where users come and go and requirements change quickly. On some level the expectation is that the network should just work and should enable the business to do useful work without getting in the way. On the other hand, the network should be generally protected – where is the trade-off? What do you wish you were doing that you are not? What do you hate about the way you are doing it now and wish you could change?