[c-nsp] Large networks

Ivan Pepelnjak ip at ioshints.info
Wed Aug 26 08:55:22 EDT 2009


> Generally, putting each customer into a dedicated layer 3 
> network segment is a good idea - because half of the attacks 
> that a hacked server belonging to "customer 1" might do to a 
> server from "customer 2" (ARP spoofing, IP address spoofing 
> [-> blame goes to customer 2], HSRP attacks to the shared 
> router, etc.) suddenly are no longer relevant at all.

The only disadvantage of this approach is that you waste up to 75% of the
address space (assuming you have one server per customer). If you want to do
some really weird things you could configure mismatched subnet masks on
servers and routers, use host routes to point toward the servers ... This
will reclaim almost all the address space, but result in somewhat more
complex addressing and routing.

Ivan
 
http://www.ioshints.info/about
http://blog.ioshints.info/
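One way to build the "mismatched masks plus host routes" layout Ivan describes, written here as an added illustration (it is not configuration from the post, from cisco-nsp or from Cisco): every customer server sits in its own VLAN and is routed through a per-customer subinterface, but all servers are told they live in one /24 and share a single gateway address taken from a loopback. The router carries one /32 host route per server, so each server consumes exactly one address instead of a /30. Addresses (192.0.2.0/24, TEST-NET-1), VLAN numbers, interface names and the customer count are all made up for the example; it assumes an IOS release that permits ip unnumbered on Ethernet subinterfaces.

```cisco
! Router side (IOS). Hypothetical: Gi0/0 is a dot1Q trunk to the server
! switch; VLAN 10 carries customer 1, VLAN 11 carries customer 2.
!
interface Loopback0
 description Shared default-gateway address for all customer servers
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/0.10
 description Customer 1, one server (192.0.2.10)
 encapsulation dot1Q 10
 ip unnumbered Loopback0
 ! strict uRPF: with only a /32 host route on this subinterface the
 ! server can source packets from 192.0.2.10 and nothing else
 ip verify unicast source reachable-via rx
!
interface GigabitEthernet0/0.11
 description Customer 2, one server (192.0.2.11)
 encapsulation dot1Q 11
 ip unnumbered Loopback0
 ip verify unicast source reachable-via rx
!
! One /32 per server, pointing at that customer's VLAN. The router ARPs
! for the server on that subinterface using 192.0.2.1 as its source.
ip route 192.0.2.10 255.255.255.255 GigabitEthernet0/0.10
ip route 192.0.2.11 255.255.255.255 GigabitEthernet0/0.11
!
! Server side (constructed Linux example for customer 1). The mask is
! deliberately wider than the router's view, so the server believes the
! whole /24 and its gateway are on-link:
!   ip addr add 192.0.2.10/24 dev eth0
!   ip route add default via 192.0.2.1
```

What to check before relying on it: server-to-server traffic (192.0.2.10 to 192.0.2.11) only works because the server ARPs for the other address on its own VLAN and the router, which has a host route out a different interface, answers with proxy ARP (on by default in IOS); if you want customers fully isolated you filter that on the subinterface instead of disabling proxy ARP, or the servers lose each other silently. The strict-mode uRPF lines are the practical replacement for the anti-spoofing that a dedicated /30 gave you for free: they depend on the host route being present, so a missing or wrong ip route line both black-holes the server and lets it spoof. Verify on your platform that the router answers ARP for the loopback address on an unnumbered subinterface; that behaviour is what lets the server reach its gateway at all.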


