[c-nsp] RES: Large networks

Leonardo Gama Souza leonardo.souza at nec.com.br
Wed Aug 26 12:35:47 EDT 2009


In this case I think you could configure Private VLANs, isolating each
customer in the same L3 network segment.


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On behalf of Gert Doering
Sent: Wednesday, August 26, 2009 07:02
To: Steve Bertrand
Cc: Shaun R.; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Large networks

Hi,

On Tue, Aug 25, 2009 at 08:58:32PM -0400, Steve Bertrand wrote:
> > This company was constantly having problems with what I called
> > broadcast attacks.  The network graphs would show traffic on all
> > interfaces spike and normally the 100mbit uplink between the switches
> > would saturate and the network would die.  From that experience I took
> > my time to design and deploy my network to be as correct as possible.
> 
> Out of curiosity, did your experience find that the issues were
> related to actual broadcast problems?

Generally, putting each customer into a dedicated layer 3 network segment
is a good idea - because half of the attacks that a hacked server belonging
to "customer 1" might do to a server from "customer 2" (ARP spoofing,
IP address spoofing [-> blame goes to customer 2], HSRP attacks to the
shared router, etc.) suddenly are no longer relevant at all.

... and *if* you need to ACL one customer, or just shut down their 
network segment (because they are busy attacking someone else), you
can be sure that it doesn't affect other customers ;-)

gert
-- 
USENET is *not* the non-clickable part of WWW!
 
//www.muc.de/~gert/
Gert Doering - Munich, Germany
gert at greenie.muc.de
fax: +49-89-35655025
gert at net.informatik.tu-muenchen.de
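For readers who want to see what the two suggestions in this thread look like on a Cisco switch, here is a configuration sketch. It is an added example written for this archive page, not configuration posted by Leonardo or Gert; the VLAN numbers, interface names, descriptions, ACL name and 192.0.2.0/24 addresses are all hypothetical. Option A is Leonardo's Private VLAN approach (customers share one L3 segment but are isolated at layer 2); Option B is Gert's dedicated layer 3 segment per customer.

```text
! ===== Option A: one shared L3 segment, customers isolated with a Private VLAN =====
! (hypothetical VLAN numbers and interfaces; VTP must be transparent for PVLANs)
vtp mode transparent
!
vlan 100
 name CUSTOMERS-PRIMARY
 private-vlan primary
 private-vlan association 101
!
vlan 101
 name CUSTOMERS-ISOLATED
 private-vlan isolated
!
! Customer-facing ports are isolated hosts: they can reach the promiscuous
! gateway only, never each other, so one customer's ARP replies, HSRP hellos
! or broadcasts are never delivered to another customer's port.
interface GigabitEthernet1/0/1
 description customer-1 (hypothetical)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
interface GigabitEthernet1/0/2
 description customer-2 (hypothetical)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! The gateway SVI is mapped to the isolated VLAN so it can talk to every host.
interface Vlan100
 ip address 192.0.2.1 255.255.255.0
 private-vlan mapping 101
!
! ===== Option B: a dedicated VLAN and L3 segment per customer =====
! (same hypothetical ports, now in separate VLANs with their own /30 each)
vlan 201
 name customer-1
vlan 202
 name customer-2
!
interface GigabitEthernet1/0/1
 description customer-1 (hypothetical)
 switchport mode access
 switchport access vlan 201
!
interface GigabitEthernet1/0/2
 description customer-2 (hypothetical)
 switchport mode access
 switchport access vlan 202
!
interface Vlan201
 ip address 192.0.2.1 255.255.255.252
!
interface Vlan202
 ip address 192.0.2.5 255.255.255.252
!
! Per-customer controls now touch only that customer's segment. Restricting
! customer-2 with an ACL, or shutting its SVI, leaves customer-1 untouched:
ip access-list extended CUSTOMER-2-QUARANTINE
 permit icmp any any
 deny ip any any
!
interface Vlan202
 ip access-group CUSTOMER-2-QUARANTINE in
! ... or, to cut that customer off entirely while everyone else keeps working:
interface Vlan202
 shutdown
```

Option A keeps Gert's "half of the attacks" off the table at layer 2 only: isolated hosts still share one IP subnet and one gateway, so a per-customer ACL or shutdown has to be expressed per port rather than per segment, and a host can still emit packets with a forged source address toward the gateway unless the uplink also filters on source. Option B is the stronger version of the same idea because the segment itself is the unit of isolation, which is exactly the property Gert is relying on when he says an ACL or shutdown for one customer cannot affect the others.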

