nanog mailing list archives
Re: Network Segmentation Approaches
From: Christopher Morrow <morrowc.lists () gmail com>
Date: Wed, 6 May 2015 17:25:23 -0400
this is really a form of: "A subnet should contain all things of a like purpose/use." that way you don't have to compromise and say: "Well... tcp/443 is OK for ABC units but deadly for XYZ ones! block to the 6 of 12 XYZ and permit to all ABC... wait, can you bounce off an ABC and still kill an XYZ? crap... pwned." segregation by function/purpose... best bet you can get. On Wed, May 6, 2015 at 3:59 PM, <charles () thefnf org> wrote:
Consider setting up a separate zone or zones (via VLAN) for devices with embedded TCP/IP stacks. I have worked in several shops using switched power units from APC, SynAccess, and TrippLite, and find that the TCP/IP stacks in those units are a bit fragile when confronted with a lot of traffic, even when the traffic is not addressed to the embedded devices.Yes! This. I used to have my PDUs/term serves/switches all on one VLAN. As growth occurred, they get broken out to dedicated VLANs. With that, the amount of false positives from Zenoss went way down (frequently port 80 would report down, then clear). I still get some alerts, but far less frequently.
Current thread:
- Network Segmentation Approaches nanog1 (May 04)
- Re: Network Segmentation Approaches Rich Kulawiec (May 05)
- Re: Network Segmentation Approaches Mark Andrews (May 05)
- Re: Network Segmentation Approaches Gene LeDuc (May 05)
- Re: Network Segmentation Approaches Mark Andrews (May 05)
- Re: Network Segmentation Approaches Jimmy Hess (May 05)
- Re: Network Segmentation Approaches Stephen Satchell (May 05)
- Re: Network Segmentation Approaches charles (May 06)
- Re: Network Segmentation Approaches Christopher Morrow (May 06)
- Re: Network Segmentation Approaches charles (May 06)
- RE: Network Segmentation Approaches Keith Medcalf (May 05)
- Re: Network Segmentation Approaches Joel Maslak (May 05)
- <Possible follow-ups>
- Re: Network Segmentation Approaches Scott Weeks (May 06)
- Re: Network Segmentation Approaches Rich Kulawiec (May 06)
- Re: Network Segmentation Approaches Andrew Jones (May 06)
- Re: Network Segmentation Approaches Scott Weeks (May 06)
- Re: Network Segmentation Approaches Rich Kulawiec (May 07)
- [no subject] Jimmy Hess via NANOG (May 07)
- Re: Network Segmentation Approaches Rich Kulawiec (May 07)
- Re: Network Segmentation Approaches Scott Weeks (May 06)
- Re: Network Segmentation Approaches Rich Kulawiec (May 05)