[c-nsp] Cisco noob -- design guidance request

Antonio Querubin tony at lava.net
Tue Sep 4 18:55:30 EDT 2007

On Sun, 2 Sep 2007, C. Jon Larsen wrote:

> Where is the access list that is going to prevent cross talk between the
> subnets ?  Otherwise rogueware on one tenant's computer will attack the
> other tenants. Simply splitting each tenant onto its own vlan is nice but
> it's a far cry from secure if you tie the subnets into a router that is
> happy to pass traffic between the vlans !!

If these tenants are gonna be on the Internet then it also implies the 
possibility that tenants may want to provide content/access to other 
tenants.  The situation is no different than if each tenant had their own 
individual router.  I.e. you don't want to block traffic between subnets 
and vlans.  What you do want to prevent are tenants attacking other 
tenants or other sites on the Internet or receiving spoofed traffic from 
outside their subnet/vlan.  And the simplest way to prevent that is to 
enable unicast RPF checking on all interfaces.  You don't need an ACL to 
do that but if you also want to block martian traffic you can still add an 
ACL on your border interface.  uRPF will already block martian traffic 
generated at your tenants' edge so your ACL only needs to cover the martian 

Antonio Querubin
whois:  AQ7-ARIN
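An added IOS configuration sketch of the design Antonio describes (not from the thread or from any poster): strict uRPF on each tenant SVI, loose uRPF plus a martian ACL on the border. Interface names, VLAN numbers and addresses are constructed; the 192.0.2.0/24 and 203.0.113.0/24 documentation ranges stand in for the site's real allocations, and strict mode assumes each tenant VLAN is routed symmetrically.

```cisco
! uRPF requires CEF switching
ip cef
!
! Tenant VLANs: strict uRPF. A packet is forwarded only if the route back
! to its source points out the interface it arrived on, so a host in
! VLAN 101 cannot source VLAN 102 (or outside) addresses. Inter-tenant
! traffic with legitimate sources still flows; no ACL is needed here.
interface Vlan101
 description Tenant A (constructed example)
 ip address 192.0.2.1 255.255.255.224
 ip verify unicast source reachable-via rx
!
interface Vlan102
 description Tenant B (constructed example)
 ip address 192.0.2.33 255.255.255.224
 ip verify unicast source reachable-via rx
!
! Border: loose mode only (strict mode would drop valid asymmetric Internet
! traffic behind a default route). Martians and our own prefix arriving from
! outside have no sane route back, so the ACL covers what loose uRPF cannot.
ip access-list extended BORDER-IN
 remark RFC 1918, loopback, "this" network, link-local
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 remark our own tenant aggregate arriving from the Internet is spoofed
 deny   ip 192.0.2.0 0.0.0.255 any
 permit ip any any
!
interface GigabitEthernet0/0
 description Upstream border (constructed example)
 ip address 203.0.113.2 255.255.255.252
 ip verify unicast source reachable-via any
 ip access-group BORDER-IN in
```

Verify with `show ip interface Vlan101 | include verify` and `show ip traffic | include RPF` to confirm the feature is active and to watch the drop counter.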

