From: Colin Barber (Colin.Barber@xxxxxxxxxxxxxx)
Date: Sat Aug 10 2002 - 10:55:24 GMT-3
It's not really going to help. There is still the chance that a
mis-configuration could be made which would affect that vlan. It may not be
the unix team that causes the problem next time. There are AS/400, RS/6000,
Unix, NT, Netware, Citrix and terminal servers all within the Data Centre.
I could have a vlan for each host but that would be un-supportable plus we
don't want to have to change any hosts' ip addresses.
Colin
-----Original Message-----
From: cannonr [mailto:cannonr@attbi.com]
Sent: 10 August 2002 13:53
To: Hansang Bae; ccielab@groupstudy.com
Subject: Re: OT: Protecting default gateway ip address
Can you move the Unix servers to their own VLAN?
----- Original Message -----
From: "Hansang Bae" <hbae@nyc.rr.com>
To: < >
Sent: Saturday, August 10, 2002 1:04 AM
Subject: Re: OT: Protecting default gateway ip address
> At 08:22 PM 8/9/2002 +0100, Colin Barber wrote:
> >Hi Guys,
> >Sorry for the OT. Today at work some bright spark got the ip address and
> >default gateway the wrong way round on a Unix box in our data centre and
> >took down the whole subnet; just 200 systems and 8000 users not able to
> >communicate!
> >
> >Has anybody got any ideas on the best way to protect the default gateway ip
> >address from misconfiguration? The device is a 300 port 6509 with the
> >default gateway being the internal MSFCs. The only way I can think of is
> >using native IOS on the cat and applying an input access list denying the
> >source ip address of the default gateway on all 300 Ethernet ports. I know
> >the MSFCs can wire-speed route ip and standard and extended access lists but
> >does the first packet still need to be process switched? Whatever solution
> >I use it cannot affect performance of the router, switch or the clients.
>
>
> Won't work. How do you prevent the Unix box from responding to arp frames
> sent by the users?
>
> hsb
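
An added example, not part of the original thread: a passive check over captured Ethernet frames that flags any ARP sender claiming the default gateway's IP address from a MAC other than the router's, which is the condition the thread describes. ARP frames (EtherType 0x0806) are not IP packets, so the check reads the ARP sender fields rather than an IP source address. The gateway address, MAC addresses, helper names and sample frames are all constructed for illustration.

```python
import socket
import struct

GATEWAY_IP = "192.0.2.1"               # constructed: documentation address range
GATEWAY_MACS = {"00:00:5e:00:53:01"}   # constructed: MACs allowed to own GATEWAY_IP

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip), or None if not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":   # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return op, mac_str(sha), socket.inet_ntoa(spa), socket.inet_ntoa(tpa)

def gateway_conflicts(frames):
    """List (sender_mac, kind) for every ARP frame claiming GATEWAY_IP from an unknown MAC."""
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        op, sha, spa, _tpa = parsed
        if spa == GATEWAY_IP and sha not in GATEWAY_MACS:
            alerts.append((sha, "reply" if op == 2 else "request"))
    return alerts

def build_arp(op, sha, spa, tpa, tha="00:00:00:00:00:00"):
    """Build a constructed 42-byte ARP frame for the sample data below."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    dst = b"\xff" * 6 if op == 1 else raw(tha)           # requests are broadcast
    return (dst + raw(sha) + struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, op)
            + raw(sha) + socket.inet_aton(spa) + raw(tha) + socket.inet_aton(tpa))

# Constructed sample: router announcement, a normal client request, then a
# misconfigured host answering for the gateway address.
SAMPLE_FRAMES = [
    build_arp(1, "00:00:5e:00:53:01", "192.0.2.1", "192.0.2.1"),
    build_arp(1, "00:00:5e:00:53:32", "192.0.2.50", "192.0.2.1"),
    build_arp(2, "00:00:5e:00:53:99", "192.0.2.1", "192.0.2.50", "00:00:5e:00:53:32"),
]

if __name__ == "__main__":
    for sender, kind in gateway_conflicts(SAMPLE_FRAMES):
        print(f"gateway {GATEWAY_IP} claimed by {sender} in ARP {kind}")
```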
This archive was generated by hypermail 2.1.4 : Sat Sep 07 2002 - 19:48:22 GMT-3