[c-nsp] Large networks
Gert Doering
gert at greenie.muc.de
Wed Aug 26 09:58:15 EDT 2009
Hi,
On Wed, Aug 26, 2009 at 03:52:55PM +0200, Mikael Abrahamsson wrote:
> On Wed, 26 Aug 2009, Gert Doering wrote:
>
> >So how do you prevent customer A from sending out packets with an IP
> >address belonging to customer B? (For whatever reason).
>
> Antispoofing ACL on vlan interface?
Won't help if you have customer A and customer B in the same VLAN.
> Or if you have an access layer, you
> can do your L2.5 access lists there on ingress.
This would work - but that's LOTS of extra things to maintain, and keep
up to date, etc.
Which is why we are VERY happy with "every customer has a different L3
subnet" - and yes, this is wasting a few IPv4 addresses, but since our
customers usually have more than one machine, it's not "75%". Even so,
the time of IPv4 is past, and we should stop worrying about it.
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 304 bytes
Desc: not available
URL: <https://puck.nether.net/pipermail/cisco-nsp/attachments/20090826/6f751f2f/attachment.bin>
More information about the cisco-nsp
mailing list