Best Practice - Public VLAN

Looking for a best practice document for providing a secure, public access/internet only VLAN for both wired, and wireless. Need to provide additional secure access WLAN as well.

You can create separate VLANs for the guest users. You can assign privileges to the guest users based on the SSID. For more information on how to configure VLANs in a wireless network, read the document available at
http://www.cisco.com/en/US/products/ps5861/products_configuration_guide_chapter09186a00804ed724.html#wp1002608
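As an added example (not part of the original question or answer, and not Cisco's document), the following Catalyst IOS configuration shows what an "internet only" public VLAN looks like on the wired side, with the same VLAN trunked to the wireless controller so the guest SSID lands on it. VLAN 900, the 10.90.0.0/24 guest subnet, the 10.1.1.5 DHCP server, the 10.1.1.53 resolver and the port numbers are constructed values, and VLAN 100 stands in for the separate secure corporate WLAN the question also mentions.

```ios
! Added example, not the thread's own configuration. All addresses and
! VLAN numbers below are constructed; adjust them to your addressing.
vlan 100
 name CORP-SECURE-WLAN
vlan 900
 name GUEST-INTERNET-ONLY
!
! Inbound filter on the guest SVI: guests may use DHCP, reach the resolver,
! and then only non-RFC1918 destinations (the internet). Everything internal
! is denied, and the denies are logged so a scan from the guest VLAN is visible.
ip access-list extended GUEST-IN
 permit udp any eq bootpc any eq bootps
 permit udp 10.90.0.0 0.0.0.255 host 10.1.1.53 eq domain
 deny   ip any 10.0.0.0 0.255.255.255 log
 deny   ip any 172.16.0.0 0.15.255.255 log
 deny   ip any 192.168.0.0 0.0.255.255 log
 permit ip any any
!
interface Vlan900
 description Guest SVI - wired and wireless guests land here
 ip address 10.90.0.1 255.255.255.0
 ip helper-address 10.1.1.5
 ip access-group GUEST-IN in
!
! Wired guest jack: access port only, no DTP, one MAC, no BPDUs, no CDP,
! and "protected" so wired guests cannot talk to each other at layer 2.
interface GigabitEthernet1/0/10
 description Lobby jack - guest
 switchport mode access
 switchport access vlan 900
 switchport nonegotiate
 switchport protected
 switchport port-security
 switchport port-security maximum 1
 spanning-tree portfast
 spanning-tree bpduguard enable
 no cdp enable
!
! Uplink to the wireless controller: a trunk that carries exactly the VLANs
! the SSIDs map to (guest 900 and the secure corporate WLAN 100).
interface GigabitEthernet1/0/48
 description Trunk to WLC - guest SSID -> VLAN 900, corporate SSID -> VLAN 100
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 100,900
 switchport nonegotiate
!
! Keep rogue DHCP servers off the guest VLAN.
ip dhcp snooping
ip dhcp snooping vlan 900
interface GigabitEthernet1/0/48
 ip dhcp snooping trust
```

The security-relevant piece is the ACL on the SVI: creating the VLAN by itself only separates broadcast domains, and once the switch routes between VLANs a guest can reach every internal subnet unless the SVI filters it. Verify with `show ip access-lists GUEST-IN` after a guest has been connected for a while; the deny counters (and the log entries) tell you whether anyone on the guest VLAN is probing the inside.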

Similar Messages

  • Questions VLAN design best practices

    As per best practices for VLAN design:
    1) Avoid using VLAN 1 as the “blackhole” for all unused ports.
    2) In the local VLANs model, avoid VTP (use transparent mode).
    Point 1
    In a big network, I'm having VLAN 1 as the blackhole VLAN. I'd like to confirm that, even if we're not complying with best practices, we're still doing fine.
    a) all trunk ports on all switches have the allowed vlans explicitly assigned.
    b) almost all ports on all switches are assigned to specific data/voice VLANs, even if shut down
    c) the remaining ports (some unused SFP ports, for example) are shut down
    d) we always tag the native vlan (vlan dot1q tag native)
    So, no data is flowing anywhere on VLAN 1. In our situation, is it safe to use VLAN 1 as the blackhole VLAN?
    Point 2
    Even if we're using the local VLANs model, we have VTP in place. What are the reasons for the best practice? As already said, we allow only specific VLANs on trunk ports (it's part of our network policy), so we do not have undesired layer 2 loops to deal with.
    Any thoughts?
    Bye
    Dario

    We are currently using VTP version 3 and migrating from Rapid-PVST to MST.
    The main reason for having VTP in place (at least for us) is to have the ability to assign ports to the correct VLAN in each site simply by looking at the propagated VLAN database, and to manage that database centrally.
    We also avoid using the same VLAN ID at two different sites.
    However, I did find something to look deeper into: with MST and VTP, a remote switch can be root for a VLAN it doesn't even use or have active ports in, and this doesn't feel right.
    An example:
    1) switch1 and switch528 share a link with allowed vlan 100
    2) switch1 is the root for instances 0 and 1
    3) VLAN 100 is assigned to instance 1
    4) VLAN 528 is not assigned to any particular instance so it goes under instance 0
    5) VLAN 528 is the Local Data LAN for switch528 (switch501 has VLAN 501)
    swtich528#sh spanning-tree vlan 528
    MST0
      Spanning tree enabled protocol mstp
      Root ID    Priority    24576
                 Address     1c6a.7a7c.af80
                 Cost        0
                 Port        25 (GigabitEthernet1/1)
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
      Bridge ID  Priority    32768  (priority 32768 sys-id-ext 0)
                 Address     1cde.a7f8.4380
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
    Interface           Role Sts Cost      Prio.Nbr Type
    Gi0/1               Desg FWD 20000     128.1    P2p Bound(PVST)
    Gi0/2               Desg FWD 20000     128.2    P2p Edge
    Gi0/3               Desg FWD 200000    128.3    P2p Edge
    Gi0/4               Desg FWD 200000    128.4    P2p
    Gi0/5               Desg FWD 20000     128.5    P2p Edge
    switch1#sh spanning-tree vlan 501
    MST0
      Spanning tree enabled protocol mstp
      Root ID    Priority    24576
                 Address     1c6a.7a7c.af80
                 This bridge is the root
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
      Bridge ID  Priority    24576  (priority 24576 sys-id-ext 0)
                 Address     1c6a.7a7c.af80
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
    Interface           Role Sts Cost      Prio.Nbr Type
    Should I worry about this?
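    The four controls listed under Point 1 above (explicit allowed lists on trunks, every port bound to a VLAN, unused ports shut down, native VLAN tagged), written out as Catalyst IOS configuration. This is an added example, not Dario's configuration: it parks unused ports in a dedicated VLAN 999 rather than VLAN 1, uses VLANs 10/20 for data/voice, and assumes interface numbering that is only illustrative.

    ```ios
    ! Added example, not the poster's configuration. VLAN 999 (blackhole),
    ! VLAN 10 (data), VLAN 20 (voice) and the port numbers are constructed.
    !
    ! Local VLANs model: no VTP propagation, the VLAN database is per switch.
    vtp mode transparent
    !
    vlan 10
     name DATA
    vlan 20
     name VOICE
    vlan 999
     name BLACKHOLE-UNUSED
    !
    ! d) tag the native VLAN on every trunk; untagged frames arriving on a
    !    trunk are then dropped instead of being accepted into the native VLAN
    !    (this is what defeats double-tagging VLAN hopping).
    vlan dot1q tag native
    !
    ! a) trunk with an explicit allowed list, an unused native VLAN, and DTP off
    interface GigabitEthernet1/1
     description Uplink to distribution
     switchport trunk encapsulation dot1q
     switchport mode trunk
     switchport trunk native vlan 999
     switchport trunk allowed vlan 10,20
     switchport nonegotiate
    !
    ! b) every user port bound to explicit data and voice VLANs, trunking
    !    negotiation disabled, BPDUs from the user side shut the port
    interface range GigabitEthernet0/1 - 24
     switchport mode access
     switchport access vlan 10
     switchport voice vlan 20
     switchport nonegotiate
     spanning-tree portfast
     spanning-tree bpduguard enable
    !
    ! c) the remaining ports parked in the blackhole VLAN and shut down
    interface range GigabitEthernet0/25 - 28
     description UNUSED - blackhole
     switchport mode access
     switchport access vlan 999
     switchport nonegotiate
     shutdown
    ```

    Two checks confirm the intent: `show interfaces trunk` must list only 10,20 under "Vlans allowed on trunk" for every uplink, and `show vlan brief` must show no active (up, not shut) port in VLAN 1 or in the blackhole VLAN. Run both after any port change, because a single port left in `switchport mode dynamic` is enough to undo the rest.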

  • BEST PRACTICES FOR CREATING DISCOVERER DATABASE CONNECTION -PUBLIC VS. PRIV

    I have enabled SSO for Discoverer. So when you browse to http://host:port/discoverer/viewer you get prompted for your SSO
    username/password. I have enabled users to create their own private
    connections. I log in as portal and created a private connection. I then from
    Oracle Portal create a portlet and add a discoverer worksheet using the private
    connection that I created as the portal user. This works fine...users access
    the portal they can see the worksheet. When they click the analyze link, the
    users are prompted to enter a password for the private connection. The
    following message is displayed:
    The item you are requesting requires you to enter a password. This could occur because this is a private connection or
    because the public connection password was invalid. Please enter the correct
    password now to continue.
    I originally created a public connection...and then follow the same steps from Oracle portal to create the portlet and display the
    worksheet. Worksheet is displayed properly from Portal, when users click the
    analyze link they are taken to Discoverer Viewer without having to enter a
    password. The problem with this is that when a user browses to
    http://host:port/discoverer/viewer they enter their SSO information and then
    any user with an SSO account can see the public connection...very insecure!
    When private connections are used, no connection information is displayed to
    SSO users when logging into Discoverer Viewer.
    For the very first step, when editing the Worksheet portlet from Portal, I enter the following for Database
    Connections:
    Publisher: I choose either the private or public connection that I created
    Users Logged In: Display same data to all users using connection (Publisher's Connection)
    Users Not Logged In: Do not display data
    My question is what are the best practices for creating Discoverer Database
    Connections.
    Is there a way to create a public connection, but not display it at http://host:port/discoverer/viewer?
    Can I restrict access to http://host:port/discoverer/viewer to specific SSO users?
    So overall, I want roughly 40 users to have access to my Portal Page Group. I then want to
    display portlets with Discoverer worksheets. Certain worksheets I want to have
    the ability to display the analyze link. When the SSO user clicks on this they
    will be taken to Discoverer Viewer and prompted for no logon information. All
    SSO users will see the same data...there is no need to restrict access based on
    SSO username...1 database user will be set up in either the public or private
    connection.

    You can make it happen by creating a private connection for the 40 users by capi script and, when creating the portlet, selecting the 2nd option in the Users Logged In section. In this case the portlet uses their own private connection every time a user logs in.
    So that it won't ask for password.
    Another thing is there is an option of entering password or not in ASC in discoverer section, if your version 10.1.2.2. Let me know if you need more information
    thanks
    kiran

  • Best practice for Wireless ap vlan

    Is there a best practice for grouping lightweight access points in one VLAN or allowing them to be spread across several?

    Whether you have multiple sites or not, it's good practice to put your APs in a separate and dedicated VLAN.
    If your sites are routed sites, then you can re-use the same VLAN numbers but make sure they are on separate subnets and/or VRF instance.

  • Best practice regarding package-private or public classes

    Hello,
    If I was, for example, developing a library that client code would use and rely on, then I can see how I would design the library as a "module" contained in its own package,
    and I would certainly want to think carefully about what classes to expose to outside packages (using "public" as the class access modifier), as such classes would represent the
    exposed API. Any classes that are not part of the API would be made package-private (no access modifier). The package in which my library resides would thereby create an
    additional layer of encapsulation.
    However, thus far I've only developed small applications that reside in their own packages. There does not exist any "client code" in other packages that relies on the code I've
    written. In such a case, what is the best practice when I choose to make my classes public or package-private? Is it relevant?
    Thanks in advance!

    Jujubi wrote:
    ...However, thus far I've only developed small applications that reside in their own packages. There does not exist any "client code" in other packages that relies on the code I've
    written. In such a case, what is the best practice when I choose to make my classes public or package-private? Is it relevant?
    I've always gone by this rule of thumb: Do I want others using, or is it appropriate for others to use, my methods? Are my methods "pure" and not containing package-specific coding? Can I guarantee that everything will be initialized correctly if the package is included in other projects?
    Basically--If I can be sure that the code will do what it is supposed to do and I've not "corrupted" the obvious meaning of the method, then I usually make it public--otherwise, the outside world, other packages, does not need to see it.

  • Best Practice VLAN

    Hi All,
    I have got
    1 of Cisco 3560 (EMI) as Core Switch
    1 of Cisco 3560 (SMI) as Server Switch
    10 of Cisco CE500 as workgroup switches
    4 of different brands workgroup switches
    20 Servers
    300 Users
    10 different departments
    My intentions are to create VLANs on the 3560 Core Switch as Server, Finance, Marketing etc.
    and connect the server and workgroup switches to the appropriate ports for their defined VLANs on the 3560 Core switch.
    I don't think I need to run VTP Server on the core switch as I am going to have all VLANs within that switch?
    Or Can anyone suggest what should be the best practice in this situation.
    thanks
    Muhammad

    I don't think I need to run VTP Server on the core switch as I am going to have all VLANs within that switch?
    >> then you need to make the VTP a transparent mode as you cannot create a vlan on a VTP client. I think maybe what you meant is you will have all users in a particular switch be in the same vlan, for example,
    3560 1/1---vlan 5---CE500---users in vlan 5
    In this case you do not need trunking .
    Or Can anyone suggest what should be the best practice in this situation.
    >> If your planned set-up is identical to above then this is an acceptable set-up and actually quite good for its simplicity.
    Please rate helpful posts.
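    The design agreed on in this thread (one 3560 core holding every VLAN, VTP transparent, each workgroup switch hanging off an access port in its own VLAN) as an added Catalyst IOS example; it is not Muhammad's or the answerer's configuration. It goes one step past the thread by adding the inter-VLAN filter that makes the departmental VLANs an actual boundary: as soon as `ip routing` is enabled on the core, Finance can reach Marketing and every other VLAN unless an ACL on the SVI says otherwise. VLAN numbers, subnets and port numbers are constructed.

    ```ios
    ! Added example, not the thread's own configuration. VLAN IDs, the 10.0.x.0/24
    ! subnets and the interface numbers are constructed.
    vtp mode transparent
    ip routing
    !
    vlan 5
     name FINANCE
    vlan 6
     name MARKETING
    vlan 100
     name SERVERS
    !
    ! Access ports towards the workgroup switches: the whole CE500 and its users
    ! live in one VLAN, so no trunk is needed. Root guard keeps a downstream
    ! switch from taking over spanning tree for the core.
    interface GigabitEthernet0/1
     description to CE500-FINANCE (all users in VLAN 5)
     switchport mode access
     switchport access vlan 5
     switchport nonegotiate
     spanning-tree guard root
    !
    interface GigabitEthernet0/2
     description to CE500-MARKETING (all users in VLAN 6)
     switchport mode access
     switchport access vlan 6
     switchport nonegotiate
     spanning-tree guard root
    !
    interface GigabitEthernet0/24
     description to 3560 SMI server switch (VLAN 100)
     switchport mode access
     switchport access vlan 100
     switchport nonegotiate
    !
    ! Inter-VLAN policy for Finance: its own gateway and the server VLAN are
    ! reachable, the other departments are not, and the internet route is open.
    ip access-list extended FINANCE-IN
     remark allow the SVI itself (DHCP relay, ping to gateway)
     permit ip 10.0.5.0 0.0.0.255 host 10.0.5.1
     remark servers are reachable
     permit ip 10.0.5.0 0.0.0.255 10.0.100.0 0.0.0.255
     remark every other internal VLAN is not, and attempts are logged
     deny   ip 10.0.5.0 0.0.0.255 10.0.0.0 0.0.255.255 log
     permit ip 10.0.5.0 0.0.0.255 any
    !
    interface Vlan5
     description FINANCE gateway
     ip address 10.0.5.1 255.255.255.0
     ip access-group FINANCE-IN in
    !
    interface Vlan6
     description MARKETING gateway
     ip address 10.0.6.1 255.255.255.0
    !
    interface Vlan100
     description SERVERS gateway
     ip address 10.0.100.1 255.255.255.0
    ```

    The same pattern (one ACL per department SVI) is repeated for Marketing and the other departments; with ten departments that is ten short ACLs on one box, which is exactly the manageability that makes the single-core design attractive. `show ip access-lists` gives per-entry hit counts, so the logged `deny` line doubles as a cheap detector for hosts in one department scanning another.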

  • Best practices for EasyDMS Public Folder usage/management

    Hi,
        We are implementing EDMS and are looking for best practices on the use of the Public Folder in EDMS.  We have different sites that have different business models, such as Engineer to Order or a "Projects" based business.  While other sites have a large Flow operation of standard catalog products with ordering options.   Initial thoughts are to put only documents in the public folders that are common to all users at a site, such as document templates or procedures.  Others suggest putting project folders there where anybody can browse through the different documents for a project.   And that raises the question about who is the owner or manager of that public folder.  We don't want the masses to be able to create random folders so that soon the structure of the Public Folder is a big unorganized mess.  Any thoughts on best practices you have implemented or seen in practice are appreciated.
    Thanks,
    Joseph Whiteley

    Hi!
    My suggestion is to skip the folders all together! It will end as a total mess after a couple of years. My recommendation is to use the classification of the document type and classify the document with the right information. You can then search for the documents and you don't need to look through tons of folders to find the right document.
    I know that you have to put the document in a folder to be able to create it in EasyDMS, but at my customers we have a year folder and then month folders underneath where they just dump the documents. We then work with either object links or classification to find the right documents in the business processes. Another recommendation is to implement the TREX engine to be able to find your documents. I don't know if this was the answer you wanted to get, but I think this is the way forward if you would like to have a DMS system that could be used for 10+ years. Imagine replacing Google with a file browser!
    Best regards,
    Kristoffer P

  • Best Practices to separate voice and Data vlans

    Hello All.
    I am coming to the community to get some advice on a specific subject.
    One of my customers is actually using VLAN access-lists to isolate its data from its voice VLAN traffic.
    As most of us know, VLAN ACLs are very difficult to deploy and manage at an access-port level that is highly mobile. Because of these management issues they have been looking for a replacement solution consisting of firewalls, but apparently the price of the solution was too high in the sky.
    Can someone guide me towards security best practices when it comes to data and voice VLAN traffic isolation please?
    thanks
    Regards
    T.

    thomas.fayet wrote: Hi again Collin, May I ask you what type of fw / switches / ios version you are using for this topology? Also is the media traffic going through your fw if one voice vlan wants to talk to another voice vlan? rgds
    Access Switches: 3560
    Distro: 4500 or 6500
    FW: ASA5510 or Juniper SSG 140 (phasing out the Junipers)
    It depends. In the drawing above, no voice traffic would leave the voice enclave until it talks to a remote site. If we add other sites to the drawing, at a minimum call-sig would traverse the firewall and depending on the location of the callers, all voice traffic may cross the firewall. All of that depends on how you have your call managers/vm/voice gateways designed and where the callers are.
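    Thomas's problem is that VLAN ACLs have to be maintained on every access port, while a firewall between the VLANs was too expensive. As an added example (not Thomas's or Collin's configuration), this Catalyst IOS fragment shows the middle ground: one routed ACL on the voice SVI (and a mirror on the data SVI) at the distribution layer, which is enforced once for the whole VLAN no matter which access port a phone moves to. VLAN 20 / 10.20.0.0/24 (voice), VLAN 10 / 10.10.0.0/24 (data), the call manager 10.250.0.10 and the resolver 10.250.0.53 are constructed values; the ports are the SCCP (2000), SIP (5060), TFTP and RTP (16384-32767) defaults.

    ```ios
    ! Added example, not the thread's own configuration. Subnets, the call
    ! manager and resolver addresses, and the VLAN numbers are constructed.
    ip access-list extended VOICE-IN
     remark phones need DHCP (relayed by the SVI)
     permit udp any eq bootpc any eq bootps
     remark nothing from the voice VLAN may reach the data VLAN; log it
     deny   ip any 10.10.0.0 0.0.0.255 log
     remark signalling: phones to the call manager only (SCCP and SIP)
     permit tcp 10.20.0.0 0.0.0.255 host 10.250.0.10 eq 2000
     permit tcp 10.20.0.0 0.0.0.255 host 10.250.0.10 eq 5060
     permit udp 10.20.0.0 0.0.0.255 host 10.250.0.10 eq 5060
     remark config/firmware over TFTP and name resolution
     permit udp 10.20.0.0 0.0.0.255 host 10.250.0.10 eq tftp
     permit udp 10.20.0.0 0.0.0.255 host 10.250.0.53 eq domain
     remark media: RTP towards the other voice subnets (same-VLAN calls never
     remark hit the SVI); the data VLAN was already denied above
     permit udp 10.20.0.0 0.0.0.255 range 16384 32767 10.0.0.0 0.255.255.255 range 16384 32767
     remark everything else from the voice VLAN is dropped and logged
     deny   ip any any log
    !
    interface Vlan20
     description VOICE gateway
     ip address 10.20.0.1 255.255.255.0
     ip helper-address 10.250.0.10
     ip access-group VOICE-IN in
    !
    ! Mirror on the data side: a PC may not initiate anything towards the phones.
    ip access-list extended DATA-IN
     deny   ip any 10.20.0.0 0.0.0.255 log
     permit ip any any
    !
    interface Vlan10
     description DATA gateway
     ip address 10.10.0.1 255.255.255.0
     ip access-group DATA-IN in
    ```

    This only controls traffic that crosses the SVI. A PC plugged into the phone's PC port is still on the data VLAN (that is what `switchport voice vlan` on the access port guarantees), so the VLAN assignment and this ACL together give the isolation; the `log` keywords on the denies produce syslog lines that a monitoring system can alert on when a data host starts probing the voice subnet.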

  • Best practices for 1000v CTRL/PKT/MGT VLANs

    We are getting ready to start testing the 1000v in a lab environment, but have a question about VLAN best practices. In the current Cisco 1000v guides it indicates the control/packet/management interfaces should all be on the same VLAN. But elsewhere I've seen references to each network type getting its own VLAN. Given the latest release of the 1000v VSM/VEM, what are the real world best practices for these three interfaces? Would you typically put all three on the same management VLAN used for physical switches?

    You can safely put them on the same vlan. The call to put them on different vlans was in the initial 1.1 release. We changed that view with the 1.2 release and fully support and recommend putting them all on the same vlan. The only requirement now is that we need no more than 100ms latency on the control network.
    louis

  • BEST PRACTICES: How to deploy apps with public and private content & data?

    Can anyone recommend a guide, blog post, etc. on best practices for:
    - designing & deploying apps that have publicly-accessible (http + https) content, and
    - content and data for which users must be authenticated and authorized?
    NOTE: In our environment users are authenticated via OID. We're using Apex 4.

    Hi,
    Have a look at this Sample App for getting Auth Token from Instagram in windows phone app. 
    Also read the api documentation for more details from
    here.
    Pradeep AJ

  • VLAN Best Practices

    We've just upgraded our wireless infrastructure and streamlined our SSIDs from five (5) to three (3) - Corporate, Guest and Voice. In regards to VLANs, should all Corporate devices (Notebooks, Tablets, Smartphones) be included in one (1) VLAN or should we create three (3) separate VLANs, one per device type? What are the best practices? My concern with having one VLAN with all Corporate devices is the amount of devices in the same VLAN and the impact of having Tablets (iPads, Androids) and Smartphones on the same VLAN in terms of network traffic (broadcast, bonjour, etc...). Any comments or suggestions would be greatly appreciated.

    Thanks for the quick reply Stephen! This is somewhat how we have our environment set up. We have an 802.1x SSID and depending on your AD credentials and device type you're dynamically pushed to a VLAN. What I'm questioning is how many VLANs I should have. We are a Community College and have corporate or college-owned notebooks, tablets and smartphones, and we also have student-owned notebooks, tablets and smartphones. Not sure if I should create 6 VLANs and then apply ACLs based on the VLAN, or if this is overkill. Or have 3 VLANs, one per device type, therefore corporate and student notebooks would be in the same VLAN, the corporate and student tablets would be in the same VLAN, and finally corporate and student smartphones would be in the same VLAN, and then use dACLs to differentiate access. Or finally, create two VLANs, one for corporate devices and one for student devices, and again use dACLs to differentiate access. Not sure what the pros and cons are for these different scenarios.
    Sent from Cisco Technical Support iPhone App

  • Private data on a public cloud challenges and best practices

    So far most of our clients (online retailers and banks) have been reticent about placing any parts of their applications on a public cloud, although this could be a very cost effective manner to deal with temporary demand upsurges (end of month, holidays etc.)
    We could place middle tier on a cloud so that no information is persisted in the cloud, or so that only non-sensitive data is stored there.
    What are the best practices in this case? Are there any regulations that I should be aware of? What are the biggest threats?

    The best solution is to use cryptography.
    You have the choice of public key cryptography: encrypt your data with a public key, put it "on ze cloud", then when you retrieve it, decrypt with your private key. Even better, if the data only transits through you, you can have only the public key and only your client has the private key.
    Or symmetric cryptography, in which case you need the key, which will help encrypt and decrypt.
    Symmetric cryptography algorithms are much faster, but if the scenario I mentioned above applies (i.e., the client can have the private key), definitely go for it: you won't even be able to read the data without the client's consent.

  • Voice VLANs - Best practices

    Hello --
    We're starting an IPT project that will involve multiple access VLANs for different organizational groups. That said, should we also create multiple voice VLANs per group/building or will one flat VLAN work for voice? The backbone is GigE, so we aren't too concerned about bandwidth.
    What are the pros and cons, and best practices that the community has seen?
    Please let me know.
    Thanks,
    OOU

    I have some documents explaining about understanding and configuring voice vlans. I believe these documents will be helpful for you.
    http://www.cisco.com/en/US/products/hw/switches/ps5213/products_configuration_guide_chapter09186a00801ce02c.html
    http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00801cde84.html
    http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_chapter09186a00801cdf35.html

  • Best Practice Question on Heartbeat Network

    After running 3.0.3 a few weeks in production, we are wondering if we set up our Heartbeat /Servers correctly.
    We have 2 servers in our Production Server pool. Our LAN, a 192.168.x.x network, has the Virtual IP of the Cluster (heartbeat), the 2 main IP addresses of the servers, and a NIC assigned to each guest. All of this has been configured on the same network. Over the weekend, I wanted to separate the Heartbeat onto a new network, but when trying to add to the pool I received:
    Cannot add server: ovsx.mydomain.com, to pool: mypool. Server Mgt IP address: 192.168.x.x, is not on same subnet as pool VIP: 192.168.y.y
    Currently, I only have one router that translates our WAN to our LAN of 192.168.x.x. I thought the heartbeat would strictly be internal and would not need to be routed anywhere, just set up as a separate VLAN, and this is why I created 192.168.y.y. I know that the servers can have multiple IP addresses, and I have 3 networks added to my OVM servers: 192.168.x.x, 192.168.y.y and 192.168.z.z. y and z are not pingable from anything but the servers themselves or one of the guests that I have assigned that network to. I cannot ping them directly from our office network, even through the VPN, which only gives us access to 192.168.x.x.
    I guess I can change my Server Mgt IP away from 192.168.x.x to 192.168.y.y, but can I do that without reinstalling the VM server? How have others structured their networks, especially relating to the heartbeat?
    Is there any documentation/guides that would describe how to set up the networks properly relating to the heartbeat?
    Thanks for any help!!

    Hello user,
    In order to change your environment, what you could do is go to the Hardware tab -> Network. Within here you can create new networks and also change, via the Edit this Network pencil icon, what networks should manage what roles (i.e. Virtual Machine, Cluster Heartbeat, etc). In my past experience, I've had issues changing the cluster heartbeat once it has been set. If you have issues changing it via the OVM Manager, one thing you could do is change it manually via the /etc/ocfs2/cluster.conf file. Also, if it successfully lets you change it via the OVM Manager, verify it within the cluster.conf to ensure it actually did your change. This is where that is being set. However, doing it manually can be tricky because OVM has a tendency to revert its changes back to their original state, say after a reboot. Of course I'm not even sure if they support you manually making that change. Ideally, when setting up an OVM environment, best practice would be to separate your networks as much as possible, i.e. public network, private network, management network, cluster heartbeat network, and live migration network if you do a lot of live migrating (otherwise you can probably place it with, say, the management network).
    Hope that helps,
    Roger

  • Best practices of having a different external/internal domain

    In the midst of migrating from a joint Windows/Mac server environment to a completely Apple one. Previously, DNS was hosted on the Windows machine using the companyname.local internal domain. When we set up the Apple server, our Apple contact created a new internal domain, called companyname.ltd. (Supposedly there was some conflict in having a 10.5 server be part of a .local domain; either way it was no worries.) Companyname.net is our website.
    The goal now is to have the Leopard server run everything - DNS, Kerio mailserver, website, the works. In setting up the DNS on the Mac server this go around, we were advised to just use companyname.net as the internal domain name instead of .ltd or .local or something like that. I happen to like having a separate local domain just for clarity's sake - users know if they are internal/external, but supposedly the Kerio setup would respond much better to just the one companyname.net.
    So after all that - what's the best practice of what I should do? Is it ok to have companyname.net be the local domain, even when companyname.net is also the address to our external website? Or should the local domain be something different from that public URL? Or does it really not matter one way or the other? I've been running companyname.net as the local domain for a week or so now with pretty much no issues, I'd just hate to hit a point where something breaks long term because of an initial setup mixup.
    Thanks in advance for any advice you all can offer!

    Part of this is personal preference, but there are some technical elements to it, too.
    You may find that your decision is swayed by the number of mobile users in your network. If your internal machines are all stationary then it doesn't matter if they're configured for companyname.local (or any other internal-only domain), but if you're a mobile user (e.g. on a laptop that you take to/from work/home/clients/starbucks, etc.) then you'll find it a huge PITA to have to reconfigure things like your mail client to get mail from mail.companyname.local when you're in the office but mail.companyname.net when you're outside.
    For this reason we opted to use the same domain name internally as well as externally. Everyone can set their mail client (and other apps) to use one hostname and DNS controls where they go - e.g. if they're in the office or on VPN, the office DNS server hands out the internal address of the mail server, but if they're remote they get the public address.
    For the most part, users don't know the difference - most of them wouldn't know how to tell anyway - and using one domain name puts the onus on the network administrator to make sure it's correct which IMHO certainly raises the chance of it working correctly when compared to hoping/expecting/praying that all company employees understand your network and know which server name to use when.
    Now one of the downsides of this is that you need to maintain two copies of your companyname.net domain zone data - one for the internal view and one for external (but that's not much more effort than maintaining companyname.net and companyname.local) and make sure you edit the right one.
    It also means you cannot use Apple's Server Admin to manage your DNS on a single machine - Server Admin only understands one view (either internal or external, but not both at the same time). If you have two DNS servers (one for public use and one for internal-only use) then that's not so much of an issue.
    Of course, you can always drive DNS manually by editing the zone files directly.
