-
08-09-2009, 05:11 PM #26 Master of the Truth
- Join Date: Mar 2006
- Location: Reston, VA
- Posts: 3,131
This has got to be one of the stupidest things from your network tech. Each customer should get their own VLAN. Broadcast storms/multicast are not fun in a network. The more you have in it, the more latency you'll have in your network.
Why wouldn't you? Someone binding someone else's IP and getting in the ARP cache isn't a security risk?
Your engineer needs to go read a few more books.
Yellow Fiber Networks
http://www.yellowfiber.net : Managed Solutions - Colocation - Network Services IPv4/IPv6
Ashburn/Denver/NYC/Dallas/Chicago Markets Served zak@yellowfiber.net
-
08-09-2009, 05:52 PM #27 Web Hosting Master
- Join Date: Oct 2001
- Posts: 1,319
-
08-10-2009, 12:46 PM #28 Newbie
- Join Date: Jun 2006
- Location: Boca Raton, FL
- Posts: 21
A few things I noticed in the thread: when giving out /29s and /30s, be careful to include the router address (basically subtract 3 addresses from any subnet to see what at maximum would be available to the client). So with a /30 only 1 address gets assigned to a client device; a /29 would see only 5 client-usable addresses.
As far as VLANing per client is concerned, it's been a good thing for us; allow me to expand. By VLANing a client server or VPS, we are able to:
- control L2 broadcast domains (limiting the potential effects of a broadcast storm from a problematic NIC)
- gain additional security by not allowing one server or group of servers to sniff traffic off/destined for another server or group of servers, or to talk directly to another server.
- allow for the application of security filters to specific client VLANs/IP interfaces that have no effect on other clients. This is not only important in terms of crafting easier-to-parse ACLs, but also inhibits taking an entire section of the network down when an ACL is inappropriately configured; it will just affect that customer.
- not depend on filtering hardware MAC addresses for security, as they can be spoofed, and they need an update if a NIC (or entire server) is replaced or a server is moved. MAC address security still pits the network against the server (things can be done within the server, even scripted/unattended, to thwart security). But a VLAN, in terms of security, carves out a sandbox for the server to which it is bound, regardless of what it tries to do.
- gain additional scalability and flexibility within the network. Many of our clients have (happily) grown to multiple servers. All servers belonging to a single client (even if the count is 1) exist within their own LAN, even if they are physically in different parts of the datacenter.
A comment was raised as to what happens when the 4096 VLAN limit is hit. That's actually pretty easy: just segregate the portions of your network into different sections of 4096 "VLAN domains", separated by an L3 routed hop. EXAMPLE: VLAN ID 2000 in rack2 for customer 3124 against core-router1 has nothing to do with VLAN ID 2000 in rack14 for customer 3126 against core-router2, unless you specifically map them together.
Is it extra work? Not too much more than MAC address filtering. Is it worth it to us? Absolutely. I respect other network administrators' decisions within their own networks, but our decision to go with VLAN separation per client has really paid off for us in terms of lack of headaches in multiple areas of concern within the network. Put simply, it's a very structured approach and it works.
-
08-10-2009, 06:07 PM #29 THE Web Hosting Master
- Join Date: Jan 2003
- Location: Chicago, IL
- Posts: 6,957
Karl Zimmerman - Founder & CEO of Steadfast
VMware Virtual Data Center Platform
karl @ steadfast.net - Sales/Support: 312-602-2689
Cloud Hosting, Managed Dedicated Servers, Chicago Colocation, and New Jersey Colocation
-
08-10-2009, 06:26 PM #30 Master of the Truth
- Join Date: Mar 2006
- Location: Reston, VA
- Posts: 3,131
-
08-10-2009, 07:46 PM #31 Randy
- Join Date: Aug 2006
- Location: Ashburn VA, San Diego CA
- Posts: 4,615
Cogent will allocate you a /24 if you plan on multi-homing, regardless of what you plan to use. There's a check box on the IP justification form, read carefully!
Fast Serv Networks, LLC | AS29889 | DDOS Protected | Managed Cloud, Streaming, Dedicated Servers, Colo by-the-U
Since 2003 - Ashburn VA + San Diego CA Datacenters
-
08-11-2009, 03:39 AM #32 The least among you.
- Join Date: Apr 2005
- Location: Jacksonville, FL
- Posts: 981
Most of us do these updates using databases and scripts.
You of all people would know that the more PPS you push and the more ACLs/filtering you apply, the more hell it puts on your equipment.
Now selling BigVPS's!
Jacksonville Colocation and dedicated servers by colo4jax
We are *not* a reseller. We own our servers, switches, routers and racks.
-
08-11-2009, 03:48 AM #33 Newbie
- Join Date: Aug 2009
- Posts: 5
Really, named ACLs work just fine for inserting and deleting new rules, and how are you filtering such that your ACLs get big and messy really fast?
-
08-11-2009, 07:31 AM #34 Newbie
- Join Date: Aug 2005
- Location: Rochester, NY
- Posts: 27
Good news! Just heard back from Verizon... just under $500/mo for 10M on FE burstable. Seems ridiculous compared to Cogent, which is under $100/mo haha, but it's not as much as Level3 and Fibertech wanted. IMO it's worth it to have a second tier 1 provider. They also said they can probably turn it around in two weeks, which gives me enough time to get the second 2821 and take care of all my ASN stuff with ARIN.
Hey, can you guys post a couple of examples of using ACLs instead of VLANs? For right now, my network is small enough to use VLANs, and I'm just curious to see other ways to do it.
Oh, and I was going to run IOS FW on the perimeter routers... is it worth it? Or should I do as little as possible so I can run full BGP routes? Both routers will have 1GB of RAM.
Thanks!
True Negative - Reliable Hosting Made Simple - AS1636
www.truenegative.com - new website coming soon
Shared / VPS / Dedicated / Colo
-
08-11-2009, 07:37 AM #35 Newbie
- Join Date: Aug 2009
- Posts: 5
@truenegative
Could you give an example of what you're trying to accomplish here? VLANs and BGP are not in the same "operating" category here, and ACLs/VLANs do quite different things here.
-
08-11-2009, 07:59 AM #36 Newbie
- Join Date: Aug 2005
- Location: Rochester, NY
- Posts: 27
Sorry, two separate questions there. I'll be running BGP on my two 2821s for multihoming. Completely separate is the discussion about separating the customer servers, VPSes, etc. using either VLANs or ACLs. Considering my server count is fairly low right now, I can easily accomplish it with VLANs and subnetting. I just wanted to see an example of using ACLs to separate hosts instead of VLANs.
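The ACL-based separation asked about in posts #34 and #36 never got a concrete answer in the thread, so here is an added example (not any poster's config) of how it is done on a Catalyst 3750 running IOS: two customers share one VLAN, and an inbound port ACL on each customer's access port stops them from reaching each other while still allowing the gateway and the internet. All addressing is constructed from RFC 5737 documentation space; VLAN 100, the /29 assignments and the port names are assumptions.

```cisco
! Added example, not a poster's configuration.
! Constructed addressing: shared customer VLAN 100 = 192.0.2.0/24, gateway = the
! 3750 SVI at 192.0.2.1. Customer A holds 192.0.2.8/29 on Gi1/0/1, customer B holds
! 192.0.2.16/29 on Gi1/0/2. Because the gateway lives on the SVI, no address inside
! each /29 is burned on a router (unlike the per-customer VLAN case in post #28).
!
! Port ACLs on the 3750 are applied inbound on the physical L2 port, so they filter
! frames BEFORE they are switched. That is what catches customer-to-customer traffic
! on the same VLAN; a router ACL on the SVI never sees intra-VLAN traffic at all.
ip access-list extended CUST-A-IN
 remark 1. customer A's own servers may talk to each other (if spread over ports)
 permit ip 192.0.2.8 0.0.0.7 192.0.2.8 0.0.0.7
 remark 2. the gateway is always reachable
 permit ip 192.0.2.8 0.0.0.7 host 192.0.2.1
 remark 3. no direct access to anything else on the shared /24 (other customers)
 deny   ip 192.0.2.8 0.0.0.7 192.0.2.0 0.0.0.255
 remark 4. everything beyond the segment is allowed, but only from A's own /29
 permit ip 192.0.2.8 0.0.0.7 any
 remark implicit "deny ip any any": frames with a spoofed source are dropped here
!
ip access-list extended CUST-B-IN
 permit ip 192.0.2.16 0.0.0.7 192.0.2.16 0.0.0.7
 permit ip 192.0.2.16 0.0.0.7 host 192.0.2.1
 deny   ip 192.0.2.16 0.0.0.7 192.0.2.0 0.0.0.255
 permit ip 192.0.2.16 0.0.0.7 any
!
interface GigabitEthernet1/0/1
 description Customer A (assumed port)
 switchport mode access
 switchport access vlan 100
 ip access-group CUST-A-IN in
!
interface GigabitEthernet1/0/2
 description Customer B (assumed port)
 switchport mode access
 switchport access vlan 100
 ip access-group CUST-B-IN in
!
interface Vlan100
 description shared customer segment, gateway for all /29s
 ip address 192.0.2.1 255.255.255.0
```

Two properties make this manageable rather than "big and messy" (the concern in post #33): every customer ACL is the same four-line template with only the /29 changed, and the deny covers the whole /24, so adding a customer never requires touching an existing customer's ACL. The caveats are the ones posts #26 and #28 raise: an IP ACL does nothing about ARP, so a host can still poison the shared segment's ARP cache unless ARP inspection or a dedicated VLAN is used, and every customer still shares one broadcast domain, so a misbehaving NIC affects all of them. Those two gaps are exactly what VLAN-per-customer closes.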
-
08-11-2009, 09:46 AM #37 Master of the Truth
- Join Date: Mar 2006
- Location: Reston, VA
- Posts: 3,131
-
08-13-2009, 08:19 AM #38 Newbie
- Join Date: Aug 2005
- Location: Rochester, NY
- Posts: 27
Update:
Level3 ended up coming back with better pricing than Verizon, so we're going with them as a second provider. Got approved for my ASN and paid already... so I'm just waiting for that to come. Once I get that, I can send in my BGP forms and Level3 can schedule the installation.
-
08-13-2009, 08:21 AM #39 Web Hosting Master
- Join Date: Oct 2001
- Posts: 1,319
-
08-20-2009, 12:10 PM #40 Newbie
- Join Date: Aug 2005
- Location: Rochester, NY
- Posts: 27
Updates!
We are officially AS1636 and we have received a /23 allocation from Cogent. Everything is looking good, but I have a couple of questions so I can get some things configured. If you guys can help, that'd be awesome!
As per the recommendation of a friend, I have picked up an ASA 5510 so that my network will be PCI compliant. Also that way I do not have to do any inspection on the perimeter routers, especially since they will have full routes.
Here is my current network diagram:
http://img33.imageshack.us/img33/8527/tnnetdiag.png
inet-rtr01 and inet-rtr02 are 2821's
inet-es01 is a 3550-12T
core-es01 is a 3750-24T
I need to set up BGP, but I do not want to become a transit AS, and I can't quite remember everything about prefix lists from back when I used to do it. I want to use the 3550-12T to redistribute a default route into EIGRP or OSPF so that it can be pushed through the firewall to the core switch.
Any thoughts about the best way to configure this?
Thanks in advance
Last edited by truenegative; 08-20-2009 at 12:14 PM.
-
08-20-2009, 02:16 PM #41 Web Hosting Master
- Join Date: Feb 2004
- Posts: 633
-
08-20-2009, 02:59 PM #42 Newbie
- Join Date: Aug 2005
- Location: Rochester, NY
- Posts: 27
-
08-21-2009, 07:11 PM #43 Newbie
- Join Date: Aug 2005
- Location: Rochester, NY
- Posts: 27
-
08-21-2009, 07:52 PM #44 Web Hosting Master
- Join Date: Jun 2001
- Location: Denver, CO
- Posts: 3,302
Google sample BGP configs? Get a book? Hire a consultant?
Jay Sudowski // Handy Networks LLC // Co-Founder & CTO
AS30475 - Level(3), HE, Telia, XO and Cogent. Noction optimized network.
Offering Dedicated Server and Colocation Hosting from our SSAE 16 SOC 2, Type 2 Certified Data Center.
Current specials here. Check them out.
-
08-22-2009, 09:47 AM #45 Randy
- Join Date: Aug 2006
- Location: Ashburn VA, San Diego CA
- Posts: 4,615
As soon as you fill up a /24 worth of usage on the Cogent /23, apply for your own /22 initial allocation from ARIN.
-
08-22-2009, 09:53 AM #46 Randy
- Join Date: Aug 2006
- Location: Ashburn VA, San Diego CA
- Posts: 4,615
You should swap the 3750 and 3550 in the diagram, either that or get a 3560 instead of a 3550. Huge difference in L3 performance between 3550 and 3560/3750.
-
08-23-2009, 08:50 AM #47 Newbie
- Join Date: Aug 2005
- Location: Rochester, NY
- Posts: 27
Yeah, I'm going to dig up a few of my old BGP books. Conceptually I remember how to configure simple BGP, and I found some sample configs, but I don't want to become a transit AS.
I have a little bit of time though; I'm probably 30 days out on the Level 3 install. I can turn up BGP now with Cogent.
Yeah, for sure that's the plan!
Ah ok. I just texted my Cisco guy, and I can get a great deal on another 3750, so I may do that, since I have not yet purchased the 3550-12T. Thanks for the advice man.
-
08-29-2009, 08:10 AM #48 Newbie
- Join Date: Aug 2005
- Location: Rochester, NY
- Posts: 27
More updates
Got BGP with full routes up and running with Cogent! Yay. Level3 install is about 30 days out.
I also picked up another 3750-24-TS for outside of the firewall.
I've figured out the best way (I think) to set this up, so correct me if I'm wrong. I'm going to run iBGP between the two internet routers, and then redistribute a default route from each router into OSPF or EIGRP, which will then talk through the firewall back to the core.
Now I just need to remember how to configure the ASA to pass all traffic and just do inspections.
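The design in posts #40 and #48 (no transit, iBGP between the two 2821s, a default route handed to the inside through the ASA) is answered only with "get a book" in the thread, so here is an added IOS example for inet-rtr01 that is not any poster's configuration. AS1636 and the device roles come from the thread; everything else is a placeholder: 192.0.2.0/23 stands in for the Cogent /23 (it is documentation space), the upstream ASN is the private 64500 rather than Cogent's real ASN, 203.0.113.0/30 is the upstream link, and 10.0.0.0/24 is an assumed segment on inet-es01 shared by both routers and the ASA's outside interface.

```cisco
! Added example, not a poster's configuration. All addresses/ASNs other than AS1636
! are placeholders (see lead-in). OSPF is used; EIGRP would work the same way.
!
! 1. The "no transit" guard: the only prefix allowed OUT to any upstream is our own /23.
!    Anything learned from Cogent can therefore never be re-advertised to Level3, and
!    vice versa, because it is not in this list.
ip prefix-list OUR-PREFIXES seq 5 permit 192.0.2.0/23
!
! 2. Inbound hygiene: refuse our own space (route hijack), a default (we originate our
!    own inside), RFC 1918 space, and anything longer than a /24.
ip prefix-list FROM-UPSTREAM seq 5  deny 192.0.2.0/23 le 32
ip prefix-list FROM-UPSTREAM seq 10 deny 0.0.0.0/0
ip prefix-list FROM-UPSTREAM seq 15 deny 10.0.0.0/8 le 32
ip prefix-list FROM-UPSTREAM seq 20 deny 172.16.0.0/12 le 32
ip prefix-list FROM-UPSTREAM seq 25 deny 192.168.0.0/16 le 32
ip prefix-list FROM-UPSTREAM seq 30 permit 0.0.0.0/0 le 24
!
! The network statement only originates the /23 if an exact match exists in the RIB;
! the high-distance Null0 route guarantees that and also discards unused addresses.
ip route 192.0.2.0 255.255.254.0 Null0 250
!
router bgp 1636
 no synchronization
 bgp log-neighbor-changes
 network 192.0.2.0 mask 255.255.254.0
 ! eBGP to the upstream (full routes); 64500 and 203.0.113.1 are placeholders
 neighbor 203.0.113.1 remote-as 64500
 neighbor 203.0.113.1 description upstream A (Cogent in the thread)
 neighbor 203.0.113.1 prefix-list FROM-UPSTREAM in
 neighbor 203.0.113.1 prefix-list OUR-PREFIXES out
 neighbor 203.0.113.1 maximum-prefix 500000 warning-only
 ! iBGP to inet-rtr02 over the shared inet-es01 segment, so each edge router also
 ! knows the other router's upstream paths; next-hop-self keeps the next hop reachable
 neighbor 10.0.0.2 remote-as 1636
 neighbor 10.0.0.2 description inet-rtr02 (iBGP)
 neighbor 10.0.0.2 next-hop-self
 no auto-summary
!
! 3. Hand ONLY a default route to the inside. Full BGP routes stay on the edge; the
!    ASA and core-es01 learn 0.0.0.0/0 via OSPF on the 10.0.0.0/24 segment.
interface GigabitEthernet0/1
 description toward inet-es01 / ASA outside (assumed interface)
 ip address 10.0.0.1 255.255.255.0
!
router ospf 1
 router-id 10.0.0.1
 passive-interface default
 no passive-interface GigabitEthernet0/1
 network 10.0.0.0 0.0.0.255 area 0
 default-information originate always metric 10
```

inet-rtr02 gets the mirror image (its own upstream peer, the same two prefix lists, iBGP to 10.0.0.1). The `always` keyword means each router keeps originating the default even with no default in its own RIB; that is safe once both upstreams are up because the iBGP session gives a router whose link has failed a path through the other router, but before the Level3 turn-up a failed Cogent link would leave the inside pointing at a router with nowhere to send traffic, so until then a defender would drop `always` and feed the routers a real default from the upstream instead. The ASA must run OSPF on its outside interface (or carry a static default) to pass the route on to core-es01; that part is ASA-side configuration not covered here.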
-
08-31-2009, 04:03 PM #49 Web Hosting Master
- Join Date: Oct 2001
- Posts: 1,319
-
08-31-2009, 04:56 PM #50 Master of the Truth
- Join Date: Mar 2006
- Location: Reston, VA
- Posts: 3,131