One of the factors, for my customer in particular, but for all networks in general, is the manner in which the network is expected to be used. I can't name the name, of course, but my customer is a high tech company. It is true that many of the remote users will be management and support types, but many are developers and practitioners of the technology this company produces. There may be good reason for a team of software developers, for example, to test their applications across this network. there may be good reason for an engineer to set something up in his office lab, then work from home, free of the interruptions that his mere presence in the office can attract. Against this, the company must weigh the potential damage these folks can cause, intended or not. this continues to be a good thread for all the high level thought and good ideas folks have presented. I brought the subject up here because I thought it could serve as the starting point for the excellent conversation I continue to see. Chuck -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Howard C. Berkowitz Sent: Saturday, September 01, 2001 6:56 AM To: [EMAIL PROTECTED] Subject: Re: I have a customer who... food for thought - static routes [7:18182] While some of my colleagues in the cable industry differ, unconstrained bridging, which lets user hosts reach one another with no filtering, is a disaster waiting to happen. Consider the Cisco private VLAN feature to get some control. It may or may not fit the topology. Also, I find the operators of such networks often forget Murphy's Law. The network per se may be OK for routine data transfer, but what about infrastructure hosts such as DNS/DHCP, and ARP servers when present? I often hear a lot of hand-waving about how they are fast machines, but I always pose one question, perhaps especially relevant in California. "Your serving area has an electrical blackout. All the power comes back on at once. All the hosts/routers will try to ARP and DHCP simultaneously. Have you considered the queueing behavior this may cause? Are you protected against broadcast storms?" >Actually, when I mentioned bridging, I was only talking about the 827s. >They should still have to route through the 7206 to reach each other. But, >bridging is just a bad idea anyway. Instead, you could NAT the home side of >the 827 to the address of the 827s wan interface. Each link between the >7206 and the 827s is a separate routed link, but the 7206 doesn't need to >know about the networks behind the 827s. It only needs to know about the >links that are directly connected. No bridging and no statics needed, and >if the wan links are addressed properly, then they can all be summarized to >the rest of the corporate network. Since security is a concern, then I >would suggest an access list on the 827s to only allow established >connections inbound. > >-Rob Fielding CCIE #7996 Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=18183&t=18183 -------------------------------------------------- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
