[c-nsp] Large networks

Gert Doering gert at greenie.muc.de
Wed Aug 26 09:58:15 EDT 2009


Hi,

On Wed, Aug 26, 2009 at 03:52:55PM +0200, Mikael Abrahamsson wrote:
> On Wed, 26 Aug 2009, Gert Doering wrote:
> 
> >So how do you prevent customer A from sending out packets with an IP 
> >address belonging to customer B?  (For whatever reason).
> 
> Antispoofing ACL on vlan interface? 

Won't help if you have customer A and customer B in the same VLAN.

> Or if you have an access layer, you 
> can do your L2.5 access lists there on ingress.

This would work - but that's LOTS of extra things to maintain, and keep
up to date, etc.

Which is why we are VERY happy with "every customer has a different L3
subnet" - and yes, this is wasting a few IPv4 addresses, but since our
customers usually have more than one machine, it's not "75%".  Even so,
the time of IPv4 is past, and we should stop worrying about it.

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
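For readers who want to see the "every customer has a different L3 subnet" approach concretely, here is an added Cisco IOS sketch that is not from the thread: each customer gets its own SVI and /29, and the ingress ACL on that SVI permits only that subnet as source, so a host of customer A cannot emit packets carrying customer B's address. VLAN numbers, names and the RFC 5737 documentation addresses are assumptions.

```text
! Customer A: own VLAN, own /29. The ACL can be tied to the subnet only
! because nobody else shares this L3 segment; with A and B in one VLAN
! the SVI sees one subnet and cannot tell the two customers apart.
interface Vlan101
 description customer-A
 ip address 192.0.2.1 255.255.255.248
 ip access-group ANTISPOOF-A in
!
interface Vlan102
 description customer-B
 ip address 192.0.2.9 255.255.255.248
 ip access-group ANTISPOOF-B in
!
ip access-list extended ANTISPOOF-A
 permit ip 192.0.2.0 0.0.0.7 any
 deny   ip any any log
!
ip access-list extended ANTISPOOF-B
 permit ip 192.0.2.8 0.0.0.7 any
 deny   ip any any log
!
! Lower-maintenance equivalent on the same per-customer SVIs: strict
! uRPF derives the allowed sources from the connected route, so there
! is no per-customer ACL to keep in sync when subnets change.
interface Vlan101
 ip verify unicast source reachable-via rx
interface Vlan102
 ip verify unicast source reachable-via rx
```

The `deny ... log` entries (or the uRPF drop counters) are what operations would watch to spot a customer host emitting foreign source addresses.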