Hi,

On Wed, Aug 26, 2009 at 03:52:55PM +0200, Mikael Abrahamsson wrote:
> On Wed, 26 Aug 2009, Gert Doering wrote:
>
> >So how do you prevent customer A from sending out packets with an IP
> >address belonging to customer B?  (For whatever reason).
>
> Antispoofing ACL on vlan interface?

Won't help if you have customer A and customer B in the same VLAN.

> Or if you have an access layer, you
> can do your L2.5 access lists there on ingress.

This would work - but that's LOTS of extra things to maintain, and keep up
to date, etc.

Which is why we are VERY happy with "every customer has a different L3
subnet" - and yes, this is wasting a few IPv4 addresses, but since our
customers usually have more than one machine, it's not "75%".

Even so, the time of IPv4 is past, and we should stop worrying about it.

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
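
Added example, not part of the original message or of any poster's configuration: a small Python model of the point discussed above, that a subnet-wide antispoofing ACL on a VLAN interface cannot tell two customers in the same VLAN apart, while one L3 subnet per customer can. The addressing plans, VLAN names and function names are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing plans (RFC 5737 documentation ranges), illustration only.
# Each VLAN interface carries one ingress antispoofing ACL: permit sources in "acl".
SHARED_VLAN = {
    "vlan100": {
        "acl": ip_network("192.0.2.0/24"),
        "customers": {"A": ip_network("192.0.2.16/29"),
                      "B": ip_network("192.0.2.24/29")},
    },
}
PER_CUSTOMER_SUBNET = {
    "vlan101": {"acl": ip_network("198.51.100.0/29"),
                "customers": {"A": ip_network("198.51.100.0/29")}},
    "vlan102": {"acl": ip_network("198.51.100.8/29"),
                "customers": {"B": ip_network("198.51.100.8/29")}},
}


def acl_permits(plan, vlan, src):
    """True if the VLAN interface ACL accepts a packet with this source address."""
    return ip_address(src) in plan[vlan]["acl"]


def spoof_gaps(plan):
    """List (sender, victim, src) where the sender's own VLAN ACL would still
    permit a packet carrying an address assigned to another customer."""
    placed = [(name, vlan, net)
              for vlan, cfg in plan.items()
              for name, net in cfg["customers"].items()]
    gaps = []
    for sender, vlan, _ in placed:
        for victim, _, victim_net in placed:
            if sender == victim:
                continue
            # Probe with the first usable address of the other customer's range.
            src = str(next(iter(victim_net.hosts())))
            if acl_permits(plan, vlan, src):
                gaps.append((sender, victim, src))
    return gaps


if __name__ == "__main__":
    for label, plan in (("shared VLAN", SHARED_VLAN),
                        ("subnet per customer", PER_CUSTOMER_SUBNET)):
        print(label, spoof_gaps(plan))
```
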