[c-nsp] Sharing router uplinks?

Wayne Tucker wayne at tuckerlabs.com
Thu Aug 2 11:18:54 EDT 2012

On Wed, Aug 1, 2012 at 1:53 PM, JP Senior <SeniorJ at bennettjones.com> wrote:
> Putting a web server (or any other) host device on the same subnet causes reachability issues to
> other subnets -- hacks/workarounds include ICMP redirects, static routing tables, and proxy arp on
> the subnet.  A server won't know which 'router' to take to get to which subnet.  This is an
> administrative disaster as you have to either permit ICMP redirects explicitly (Operating systems
> shouldn't/don't support this by default anymore), turn on evil proxy arp, have a full mesh IGP, or
> enable static routes on the hosts.

Things also get ugly if that web server is hijacked - with a little
ARP spoofing it can get access to transit traffic.

> As far as shared 'router' vlans or subnets, this is completely normal and common for
> distribution/core networks.

I've found that a lot of NMSs don't handle the shared segments well.
Point to point links are easy to plot and monitor - both because
they're 1:1 and because if your IGP does adjacencies you can monitor
for neighbors != 1.


More information about the cisco-nsp mailing list