Security – Disable Weak SSH CBC Mode Ciphers and RC4 on HP ProCurve Switch

If my memory serves, the older Procurve switches used to accept and forward any CoS/DSCP markings they received. You couldn't modify them unless you were on a 5400xl or better switch.

It looks like the 2520 and the 3800 allow you to modify whether or not you're using CoS or DiffServ TOS for classification. The top level command you want is qos type-of-service. The rest of the commands should be contained under that. If they aren't available, you may not be able to modify the QoS settings on that specific platform.

I would pick up a cheap Cisco router/ASA/pix device and set it up with port forwarding/DMZ on the ATT router so all packets going to your public IP that aren't receiving traffic for connections like your wife, go to the router/ASA/pix. Then I would configure it as a remote VPN termination point.

An ASA5505 will probably set you back $200. But you might be able to find an 1800/2800 series router to work with for less. If you get an ISR like those, make sure it has the security IOS or you have a way to get the security or better IOS on it.

As you most likely have a dynamic public address, I would use something like no-ip.com or another dynamic DNS service to have a domain that points to your public IP and updates when it changes. This might be configurable on the ATT router or you may need to run software on a computer in the network.

This would allow secure access to your private network. Once on the VPN, you could connect to your lab equipment via SSH/HTTP/Console depending on how you setup the internal side.

EDIT: If you're already doing port forwarding/DMZ to your company router, then you would need to ask them to allow you to have a VPN termination point on it for your private network.