[c-nsp] Cisco noob -- design guidance request
C. Jon Larsen
jlarsen at richweb.com
Tue Sep 4 19:19:24 EDT 2007
>> Where is the access list that is going to prevent cross talk between the
>> subnets ? Otherwise rogueware on one tenants computer will attack the
>> other tenants. Simply splitting each tenant onto its own vlan is nice but
>> it's a far cry from secure if you tie the subnets into a router that is
>> happy to pass traffic between the vlans !!
>
> If these tenants are gonna be on the Internet then it also implies the
> possibility that tenants may want to provide content/access to other tenants.
> The situation is no different than if each tenant had their own individual
> router. I.e. you don't want to block traffic between subnets and vlans. What
> you do want to prevent are tenants attacking other tenants or other sites on
> the Internet or receiving spoofed traffic from outside their subnet/vlan.
> And the simplest way to prevent that is to enable unicast rpf checking on all
> interfaces. You don't need an ACL to do that but if you also want to block
> martian traffic you can still add an ACL on your border interface. urpf will
> already block martian traffic generated at your tenants edge so your ACL only
> needs to cover the martian traffic.
I agree with all of this. But the original post involved an access
scenario where the NAT would be on a server external to the router, which
means the private networks would have access to each other. That's not
good.
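As an added illustration of the uRPF-plus-border-ACL approach discussed in the quoted reply (this is an example written for this page, not a configuration posted by anyone in the thread), the IOS fragment below puts strict uRPF on each tenant SVI and a martian filter on the upstream interface. The interface names, VLAN numbers and prefixes (RFC 5737 documentation space standing in for the tenants' real addresses) are assumed.

```cisco
! Each tenant keeps its own VLAN and subnet. Strict uRPF on the SVI drops any
! packet whose source address is not routed back out that same interface, so a
! compromised host in VLAN 10 cannot spoof VLAN 20 or Internet addresses.
! (VLAN ids and prefixes are assumed for illustration.)
interface Vlan10
 description Tenant A
 ip address 192.0.2.1 255.255.255.0
 ip verify unicast source reachable-via rx
!
interface Vlan20
 description Tenant B
 ip address 198.51.100.1 255.255.255.0
 ip verify unicast source reachable-via rx
!
! On the upstream side uRPF needs "allow-default" to accept sources that are
! only covered by the default route, which means it will not catch martians
! arriving from the Internet. The ACL covers that case, and also drops packets
! from outside that claim to come from our own tenant subnets.
ip access-list extended BORDER-IN
 remark Martian / unroutable sources
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 remark Spoofed copies of our own tenant prefixes
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 198.51.100.0 0.0.0.255 any
 permit ip any any
!
interface GigabitEthernet0/0
 description Upstream (interface name and address assumed)
 ip address 203.0.113.2 255.255.255.252
 ip access-group BORDER-IN in
 ip verify unicast source reachable-via rx allow-default
!
! Check that verification is active on an interface:
!   show ip interface Vlan10 | include verif
! uRPF drop counts appear in the "Drop:" section of:
!   show ip traffic
```

Traffic between the tenant VLANs is still routed, as the reply intends; only spoofed sources are dropped. With a NAT box outside the router, as the original scenario described, the private subnets would still reach each other directly, which is the point the reply above makes.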