[c-nsp] Sharing router uplinks?

Wayne Tucker wayne at tuckerlabs.com
Thu Aug 2 11:18:54 EDT 2012


On Wed, Aug 1, 2012 at 1:53 PM, JP Senior <SeniorJ at bennettjones.com> wrote:
> Putting a web server (or any other) host device on the same subnet causes reachability issues to
> other subnets -- hacks/workarounds include ICMP redirects, static routing tables, and proxy arp on
> the subnet.  A server won't know which 'router' to take to get to which subnet.  This is an
> administrative disaster as you have to either permit ICMP redirects explicitly (Operating systems
> shouldn't/don't support this by default anymore), turn on evil proxy arp, have a full mesh IGP, or
> enable static routes on the hosts.

Things also get ugly if that web server is hijacked - with a little
ARP spoofing it can get access to transit traffic.


> As far as shared 'router' vlans or subnets, this is completely normal and common for
> distribution/core networks.

I've found that a lot of NMSs don't handle the shared segments well.
Point-to-point links are easy to plot and monitor - both because
they're 1:1 and because if your IGP does adjacencies you can monitor
for neighbors != 1.
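The "neighbors != 1" check above is the kind of thing most NMSs leave to the operator. Below is an added example (not from this thread or any poster's tooling) that parses a constructed `show ip ospf neighbor` dump, groups adjacencies per interface, and flags every interface the inventory declares point-to-point whose neighbor count is not exactly one: zero means the link or peer is down, more than one means an unexpected device is forming adjacencies on what should be a 1:1 link. The interface inventory `P2P_INTERFACES` and the sample output are assumptions made up for the example.

```python
from collections import defaultdict

# Constructed sample of "show ip ospf neighbor" output (hypothetical, not from the thread).
# The State column can contain embedded spaces ("FULL/  -"), so rows are parsed by
# taking the first field (Neighbor ID) and the last field (Interface).
SAMPLE_OSPF_NEIGHBORS = """\
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.0.2          1   FULL/  -        00:00:35    192.0.2.2       GigabitEthernet0/0
10.0.0.3          1   FULL/DR         00:00:38    198.51.100.3    GigabitEthernet0/1
10.0.0.4          1   FULL/BDR        00:00:33    198.51.100.4    GigabitEthernet0/1
10.0.0.6          1   FULL/  -        00:00:36    192.0.2.6       GigabitEthernet0/2
10.0.0.7          1   FULL/  -        00:00:34    192.0.2.7       GigabitEthernet0/2
"""

# Assumed inventory: interfaces the design says carry a single point-to-point peer.
# GigabitEthernet0/1 is deliberately absent; it is a shared distribution segment.
P2P_INTERFACES = {"GigabitEthernet0/0", "GigabitEthernet0/2", "GigabitEthernet0/3"}


def parse_ospf_neighbors(text):
    """Return {interface: [neighbor_id, ...]} from 'show ip ospf neighbor' text."""
    by_iface = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        # Skip the header row and anything too short to be a neighbor row.
        if len(parts) < 5 or parts[0] == "Neighbor":
            continue
        neighbor_id, interface = parts[0], parts[-1]
        by_iface[interface].append(neighbor_id)
    return dict(by_iface)


def check_p2p_adjacencies(neighbors_by_iface, p2p_interfaces):
    """Return [(interface, neighbor_count)] for p2p interfaces whose count != 1.

    0 neighbors: link or peer down.  >1 neighbors: an extra device is speaking
    the IGP on a segment that should only ever have one peer.
    """
    findings = []
    for iface in sorted(p2p_interfaces):
        count = len(neighbors_by_iface.get(iface, []))
        if count != 1:
            findings.append((iface, count))
    return findings


if __name__ == "__main__":
    neighbors = parse_ospf_neighbors(SAMPLE_OSPF_NEIGHBORS)
    for iface, count in check_p2p_adjacencies(neighbors, P2P_INTERFACES):
        state = "no adjacency" if count == 0 else f"{count} adjacencies"
        print(f"ALERT {iface}: point-to-point link has {state}")
```

In practice the dump would come from an SSH/NETCONF poll on a schedule, and the inventory from whatever source of truth describes the link as point-to-point; the check itself is the same two functions. Shared segments such as GigabitEthernet0/1 are not flagged here because the thread's point is that a fixed expected count only exists for 1:1 links.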


