>One of the factors, for my customer in particular, but for all networks in >general, is the manner in which the network is expected to be used. I can't >name the name, of course, but my customer is a high tech company. It is true >that many of the remote users will be management and support types, but many >are developers and practitioners of the technology this company produces. >There may be good reason for a team of software developers, for example, to >test their applications across this network. there may be good reason for an >engineer to set something up in his office lab, then work from home, free of >the interruptions that his mere presence in the office can attract. Against >this, the company must weigh the potential damage these folks can cause, >intended or not. But that's pretty much exactly what I do, although I get into the corporate network via IPsec tunneling across arbitrary ISPs. When we need a cooperative network, we route to it to keep it isolated. The argument your customer raises might apply to users in a specific geographical area, but would be irrelevant to mobile users. If the principle that it may be good for developers to have cross-network applications, in today's market, isn't there an advantage for being able to do so from arbitrary applications? For example, the main project I work with has participants in Virginia, Massachusetts, North Carolina, Canada, the UK, and Sweden. Hint: we aren't bridged. Mixing test networks and production networks is rarely a good idea. > >this continues to be a good thread for all the high level thought and good >ideas folks have presented. I brought the subject up here because I thought >it could serve as the starting point for the excellent conversation I >continue to see. > >Chuck > >-----Original Message----- >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of >Howard C. Berkowitz >Sent: Saturday, September 01, 2001 6:56 AM >To: [EMAIL PROTECTED] >Subject: Re: I have a customer who... food for thought - static routes >[7:18182] > > >While some of my colleagues in the cable industry differ, >unconstrained bridging, which lets user hosts reach one another with >no filtering, is a disaster waiting to happen. > >Consider the Cisco private VLAN feature to get some control. It may >or may not fit the topology. > >Also, I find the operators of such networks often forget Murphy's >Law. The network per se may be OK for routine data transfer, but >what about infrastructure hosts such as DNS/DHCP, and ARP servers >when present? I often hear a lot of hand-waving about how they are >fast machines, but I always pose one question, perhaps especially >relevant in California. > >"Your serving area has an electrical blackout. All the power comes >back on at once. All the hosts/routers will try to ARP and DHCP >simultaneously. Have you considered the queueing behavior this may >cause? Are you protected against broadcast storms?" > > >>Actually, when I mentioned bridging, I was only talking about the 827s. >>They should still have to route through the 7206 to reach each other. But, >>bridging is just a bad idea anyway. Instead, you could NAT the home side >of >>the 827 to the address of the 827s wan interface. Each link between the >>7206 and the 827s is a separate routed link, but the 7206 doesn't need to >>know about the networks behind the 827s. It only needs to know about the >>links that are directly connected. No bridging and no statics needed, and >>if the wan links are addressed properly, then they can all be summarized to >>the rest of the corporate network. Since security is a concern, then I >>would suggest an access list on the 827s to only allow established >>connections inbound. >> >>-Rob Fielding CCIE #7996 Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=18194&t=18194 -------------------------------------------------- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
