[c-nsp] Large networks

Gert Doering gert at greenie.muc.de
Wed Aug 26 06:02:03 EDT 2009


Hi,

On Tue, Aug 25, 2009 at 08:58:32PM -0400, Steve Bertrand wrote:
> > This company was constantly having problems with what i called broadcast
> > attacks.  The network graphs would show traffic on all interfaces spike
> > and normally the 100mbit uplink between the switches would saturate and
> > the network would die.  From that experience i took my time to design
> > and deploy my network to be as correct as possible. 
> 
> Out of curiosity, did your experience find that the issues were related
> to actual broadcast problems?

Generally, putting each customer into a dedicated layer 3 network segment
is a good idea - because half of the attacks that a hacked server belonging
to "customer 1" might do to a server from "customer 2" (ARP spoofing, 
IP address spoofing [-> blame goes to customer 2], HSRP attacks to the
shared router, etc.) suddenly are no longer relevant at all.

... and *if* you need to ACL one customer, or just shut down their 
network segment (because they are busy attacking someone else), you
can be sure that it doesn't affect other customers ;-)

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
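As an added illustration (constructed for this page, not from the thread or any vendor documentation), a Cisco IOS fragment of the per-customer layer 3 design described above: each customer gets its own VLAN and routed SVI, uRPF drops spoofed source addresses, and one customer's segment can be ACL'd or shut down without touching the other. VLAN numbers, interface names and the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 prefixes are placeholders.

```cisco
! Constructed example. One VLAN and one routed SVI per customer, so
! customer 1's hosts never share a broadcast domain or default gateway
! with customer 2 (no cross-customer ARP spoofing or HSRP tricks).
vlan 101
 name customer1
vlan 102
 name customer2
!
interface Vlan101
 description customer1 - dedicated L3 segment
 ip address 192.0.2.1 255.255.255.0
 ! Drop packets whose source is not routed back via this SVI, so a
 ! hacked customer 1 host cannot send traffic that gets blamed on customer 2.
 ip verify unicast source reachable-via rx
 no ip proxy-arp
 no ip redirects
!
interface Vlan102
 description customer2 - dedicated L3 segment
 ip address 198.51.100.1 255.255.255.0
 ip verify unicast source reachable-via rx
 no ip proxy-arp
 no ip redirects
!
! Customer-facing access port: one VLAN, no trunk negotiation, and a
! broadcast storm ceiling so a misbehaving host cannot saturate the uplink.
interface GigabitEthernet1/0/1
 description customer1 server
 switchport mode access
 switchport access vlan 101
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 1.00
!
! Containing customer 1 while they attack 203.0.113.0/24 (placeholder victim):
! an ACL applied only to their SVI, so customer 2 is not affected...
ip access-list extended CUST1-CONTAIN
 deny   ip 192.0.2.0 0.0.0.255 203.0.113.0 0.0.0.255 log
 permit ip any any
interface Vlan101
 ip access-group CUST1-CONTAIN in
!
! ...or, if needed, shutting their whole segment down.
interface Vlan101
 shutdown
```

The `log` keyword on the deny entry gives the operator a record of the contained traffic while the rest of that customer's service keeps working.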