Mailing List Archive: Cisco: NSP

Ethernet WAN Links question



ziliomarcelo at gmail

Dec 3, 2009, 3:46 AM

Post #1 of 4 (504 views)
Ethernet WAN Links question

Hi,

I'm facing a new situation. We are exchanging our Service Provider for MPLS
and Internet links.
We have requested them redundant MPLS and Internet connections. At the HQ
site they gave us Ethernet interfaces as media access. So far so good.

The problem is that this Service Provider gave us two Ethernet cables
configured with 802.1q being the first cable the "main" Internet and MPLS
and the second the "backup" Internet and MPLS.

They ask us to connect these cables to our LAN switches, create VLANs and
connect to our layer 3 devices so we could use four cables being two for
Internet and two for MPLS. A simple scheme

SP (802.1q main Internet and MPLS)   ----- LAN Switch -----> Internet VLAN 10
SP (802.1q backup Internet and MPLS) -----     |      -----> Internet VLAN 11
                                                      -----> MPLS VLAN 20
                                                      -----> MPLS VLAN 30
There is an option they supply the switch too.
The first thing that came to mind is security issues since we are connecting
Internet and Local Network to the same switch inside the network.

The question is: Is this a common practice? How do you handle this
scenario?

Any input will be helpful.

Thanks
_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


swmike at swm

Dec 3, 2009, 5:02 AM

Post #2 of 4 (484 views)
Re: Ethernet WAN Links question [In reply to]

On Thu, 3 Dec 2009, Marcelo Zilio wrote:

> There is an option they supply the switch too.
> The first thing that came to mind is security issues since we are connecting
> Internet and Local Network to the same switch inside the network.

That's like saying there is a security risk in running two phone calls in
the same T1/E1. They're logically separated; it's commonly done.

> The question is: Is this a common practice? How do you handle this
> scenario?

Usually I'd say that the ISP will solve the handoff by having a switch or
media converter to give you one port per service, but using vlans for
logical separation has been pretty much standard procedure for 10 years in
a lot of places.

--
Mikael Abrahamsson email: swmike [at] swm


gert at greenie

Dec 3, 2009, 7:28 AM

Post #3 of 4 (473 views)
Re: Ethernet WAN Links question [In reply to]

Hi,

On Thu, Dec 03, 2009 at 02:02:27PM +0100, Mikael Abrahamsson wrote:
> >There is an option they supply the switch too.
> >The first thing that came to mind is security issues since we are
> >connecting
> >Internet and Local Network to the same switch inside the network.
[..]
> Usually I'd say that the ISP will solve the handoff by having a switch or
> media converter to give you one port per service, but using vlans for
> logical separation has been pretty much standard procedure for 10 years in
> a lot of places.

But still, the underlying argument "if you connect your internal network
to the ISP's MPLS network, you need to trust your ISP" remains true.

So the question is not only separation of VLANs (which I would trust, on
sufficiently recent switch gear) but also "trust towards the ISP".

Otherwise, crypto gear on top of the MPLS link is needed.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert [at] greenie
fax: +49-89-35655025 gert [at] net


ziliomarcelo at gmail

Dec 3, 2009, 7:44 AM

Post #4 of 4 (468 views)
Re: Ethernet WAN Links question [In reply to]

By security issues I was thinking of something like MAC flooding or any kind
of denial of service which could compromise the switch access, so I would
have the internal LAN exposed. Does this make sense?




On Thu, Dec 3, 2009 at 11:02 AM, Mikael Abrahamsson <swmike [at] swm> wrote:

> On Thu, 3 Dec 2009, Marcelo Zilio wrote:
>
> There is an option they supply the switch too.
>> The first thing that came to mind is security issues since we are
>> connecting
>> Internet and Local Network to the same switch inside the network.
>>
>
> That's like saying there is a security risk in running two phonecalls in
> the same T1/E1. They're logically separated, it's commonly done.
>
>
> The question is: Is this a common practice? How do you handle this
>> scenario?
>>
>
> Usually I'd say that the ISP will solve the handoff by having a switch or
> media converter to give you one port per service, but using vlans for
> logical separation has been pretty much standard procedure for 10 years in a
> lot of places.
>
> --
> Mikael Abrahamsson email: swmike [at] swm
>
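As an added example (not from any poster on this thread), here is a Catalyst IOS-style configuration for the two provider-facing trunk ports in Marcelo's diagram, shown next to the bare default trunk that leaves the switch open to the MAC-flooding and flooding-type DoS concern raised above. Interface names, the parking VLAN 999 and the port-security and storm-control thresholds are assumptions; only VLANs 10/11/20/30 come from the thread.

```cisco
! Weak: what a default trunk gives the provider (all VLANs, DTP, no limits)
interface GigabitEthernet1/0/1
 switchport mode trunk
!
! Hardened: settings common to both provider-facing ports
vlan 999
 name PARKING_NATIVE
!
interface range GigabitEthernet1/0/1 - 2
 ! static trunk, no DTP negotiation with the provider
 switchport mode trunk
 switchport nonegotiate
 ! untagged frames land in a VLAN with no members and no SVI
 switchport trunk native vlan 999
 ! cap MAC learning per port so a flood cannot exhaust the CAM table
 ! (limit of 4 is an assumed value; size it to the SP's real CE gear)
 switchport port-security
 switchport port-security maximum 4
 switchport port-security violation restrict
 ! rate-limit broadcast/unknown-unicast floods arriving from the SP side
 storm-control broadcast level 1.00
 storm-control unicast level 5.00
 ! the provider must not join our spanning tree or see discovery data
 spanning-tree bpduguard enable
 no cdp enable
 no lldp transmit
 no lldp receive
!
interface GigabitEthernet1/0/1
 description SP handoff main - Internet VLAN 10 + MPLS VLAN 20
 switchport trunk allowed vlan 10,20
!
interface GigabitEthernet1/0/2
 description SP handoff backup - Internet VLAN 11 + MPLS VLAN 30
 switchport trunk allowed vlan 11,30
!
! Uplink to the layer-3 devices: service VLANs only, no internal VLANs,
! so the service VLANs never share a trunk with the LAN VLANs
interface GigabitEthernet1/0/24
 description Uplink to edge router / firewall
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,11,20,30
```

Port security on trunk ports and storm-control thresholds are platform-dependent (older Catalyst software supports port security on access ports only), so check the running platform's documentation before relying on them.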
