[c-nsp] RES: Large networks
Matthias Müller
cnsp at matthias-mueller.net
Wed Aug 26 13:26:51 EDT 2009
Hi,
Leonardo Gama Souza wrote:
> In this case I think you could configure Private VLANs, isolating each
> customer in the same l3 network segment.
>
Private VLANs won't help you with IP spoofing in the same subnet or with
HSRP attacks, and not against ARP attacks (but these can be prevented
using static ARP entries on the L3 device).
Matthias
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On behalf of Gert Doering
> Sent: Wednesday, 26 August 2009 07:02
> To: Steve Bertrand
> Cc: Shaun R.; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Large networks
>
> Hi,
>
> On Tue, Aug 25, 2009 at 08:58:32PM -0400, Steve Bertrand wrote:
>
>>> This company was constantly having problems with what I called broadcast
>>> attacks. The network graphs would show traffic on all interfaces spike
>>> and normally the 100mbit uplink between the switches would saturate and
>>> the network would die. From that experience I took my time to design
>>> and deploy my network to be as correct as possible.
>>
>> Out of curiosity, did your experience find that the issues were related
>> to actual broadcast problems?
>>
>
> Generally, putting each customer into a dedicated layer 3 network segment
> is a good idea - because half of the attacks that a hacked server belonging
> to "customer 1" might do to a server from "customer 2" (ARP spoofing,
> IP address spoofing [-> blame goes to customer 2], HSRP attacks to the
> shared router, etc.) suddenly are no longer relevant at all.
>
> ... and *if* you need to ACL one customer, or just shut down their
> network segment (because they are busy attacking someone else), you
> can be sure that it doesn't affect other customers ;-)
>
> gert
>
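As an added illustration, not part of the thread and not any poster's configuration, the following Cisco IOS fragment shows the design Gert and Matthias describe: each customer on its own VLAN and layer 3 segment, a static ARP entry on the L3 device for a customer host, and a per-customer ACL that can be applied (or the whole segment shut down) without touching the other customer. It goes slightly beyond the text by also adding HSRP MD5 authentication on the shared gateway and unicast RPF on each customer SVI, which are the usual IOS mitigations for the HSRP and IP-spoofing attacks the thread mentions. Addresses are taken from the RFC 5737 documentation range; the VLAN numbers, names, MAC address and key string are constructed placeholders.

```cisco
! --- One VLAN per customer: no shared L2 domain between customers ---
vlan 101
 name CUSTOMER1
vlan 102
 name CUSTOMER2
!
! --- Customer 1: dedicated /29, shared gateway via HSRP ---
interface Vlan101
 description Customer 1 - dedicated L3 segment
 ip address 192.0.2.2 255.255.255.248
 ! drop packets whose source address is not routed back via this SVI
 ! (mitigates a hacked host spoofing another customer's addresses)
 ip verify unicast source reachable-via rx
 standby version 2
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 standby 1 preempt
 ! authenticated HSRP so a host on the segment cannot claim the VIP
 standby 1 authentication md5 key-string REPLACE-WITH-SITE-KEY
!
! --- Customer 2: its own /29, same pattern, separate HSRP group ---
interface Vlan102
 description Customer 2 - dedicated L3 segment
 ip address 192.0.2.10 255.255.255.248
 ip verify unicast source reachable-via rx
 standby version 2
 standby 2 ip 192.0.2.9
 standby 2 priority 110
 standby 2 preempt
 standby 2 authentication md5 key-string REPLACE-WITH-SITE-KEY
!
! --- Static ARP on the L3 device for a customer 1 server ---
! The gateway will not learn a different MAC for this IP from the wire,
! which is the ARP-attack mitigation Matthias refers to.
! MAC address is a constructed placeholder.
arp 192.0.2.4 0011.2233.4455 ARPA
!
! --- Per-customer ACL: e.g. block a misbehaving customer 2 host ---
! Applied only on Vlan102, so customer 1 traffic is never affected.
ip access-list extended CUSTOMER2-IN
 remark constructed example: deny one host, allow the rest of the segment
 deny   ip host 192.0.2.12 any log
 permit ip 192.0.2.8 0.0.0.7 any
 deny   ip any any log
!
interface Vlan102
 ip access-group CUSTOMER2-IN in
!
! --- And when a customer segment must go dark entirely: ---
! interface Vlan102
!  shutdown
```

With one subnet per customer, the "blame goes to customer 2" problem from Gert's message disappears because a spoofed source from another segment fails the uRPF check on ingress, and an emergency `shutdown` of Vlan102 leaves Vlan101 forwarding normally.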