[c-nsp] Cisco noob -- design guidance request
Antonio Querubin
tony at lava.net
Tue Sep 4 18:55:30 EDT 2007
On Sun, 2 Sep 2007, C. Jon Larsen wrote:
> Where is the access list that is going to prevent cross talk between the
> subnets ? Otherwise rogueware on one tenants computer will attack the
> other tenants. Simply splitting each tenant onto its own vlan is nice but
> its a far cry from secure if you tie the subnets into a router that is
> happy to pass traffic between the vlans !!
If these tenants are gonna be on the Internet then it also implies the
possibility that tenants may want to provide content/access to other
tenants. The situation is no different than if each tenant had their own
individual router. I.e. you don't want to block traffic between subnets
and vlans. What you do want to prevent are tenants attacking other
tenants or other sites on the Internet or receiving spoofed traffic from
outside their subnet/vlan. And the simplest way to prevent that is to
enable unicast RPF checking on all interfaces. You don't need an ACL to
do that but if you also want to block martian traffic you can still add an
ACL on your border interface. uRPF will already block martian traffic
generated at your tenants' edge so your ACL only needs to cover the martian
traffic.
Antonio Querubin
whois: AQ7-ARIN
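As an added illustration of the approach described above (not part of the original post or the list), a Cisco IOS configuration with strict-mode uRPF on each tenant SVI and an inbound ACL on the border interface that covers only what tenant-side uRPF does not: martian sources and the tenants' own prefixes arriving from outside. Interface names, VLAN numbers and addresses are constructed (RFC 5737 documentation ranges).

```cisco
! uRPF is evaluated in the CEF forwarding path, so CEF must be enabled.
ip cef
!
! Tenant SVIs: strict-mode uRPF. A packet is dropped unless the route back
! to its source address points out the interface it arrived on, so a host
! on Vlan10 cannot spoof a Vlan20 address or an address outside the site.
interface Vlan10
 description Tenant A (constructed example addressing)
 ip address 192.0.2.1 255.255.255.0
 ip verify unicast source reachable-via rx
!
interface Vlan20
 description Tenant B (constructed example addressing)
 ip address 198.51.100.1 255.255.255.0
 ip verify unicast source reachable-via rx
!
! Border interface: the ACL below handles martians coming from outside.
! The uRPF mode here depends on the routing design: strict mode needs
! symmetric routing, loose mode needs more than a default route to be
! meaningful, so it is left out of this example.
interface GigabitEthernet0/1
 description Upstream ISP (constructed example addressing)
 ip address 203.0.113.2 255.255.255.252
 ip access-group BORDER-MARTIANS-IN in
!
ip access-list extended BORDER-MARTIANS-IN
 remark RFC 1918, loopback, this-network, link-local and multicast sources
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 15.255.255.255 any
 remark Our own tenant prefixes must never be a source address from outside
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 198.51.100.0 0.0.0.255 any
 permit ip any any
```

`show ip interface Vlan10 | include verify` confirms uRPF is active on an SVI, and `show ip traffic | include RPF` shows the running count of packets it has dropped.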