Page 2 of 2
Results 26 to 50 of 50
  1. #26
    Join Date
    Mar 2006
    Location
    Reston, VA
    Posts
    3,131
    Quote Originally Posted by ZanyHost View Post
    Well every company I agree has its own operating procedure. Currently I work in a large Data Centre in the UK as a network technician and I can tell you that's not how we operate and would never even consider it.

    All dedicated servers are on a shared network, private vlan's are generally only given upon client request.

    Also he already said he is concerned about IP usage therefore a private vlan per customer really doesn't sound like the most wise option in my opinion.
    This has got to be one of the stupidest things from your network tech. Each customer should get their own VLAN. Broadcast storms/multicast is not fun in a network. The more you have in it, the more latency you'll have in your network.

    Why wouldn't you? Someone binding someone else's IP and getting in the ARP cache isn't a security risk?

    Your engineer needs to go read a few more books.
    Yellow Fiber Networks
    http://www.yellowfiber.net : Managed Solutions - Colocation - Network Services IPv4/IPv6
    Ashburn/Denver/NYC/Dallas/Chicago Markets Served zak@yellowfiber.net

  2. #27
    Join Date
    Oct 2001
    Posts
    1,319
    Quote Originally Posted by truenegative View Post
    Quick question... how are the VPS providers giving their smallest packages only 1 ip address? Seems more logical to assign 2 ip's to the smallest group, no? (ie, give them a /30)
    The host node gets its own subnet allocation, and then the virtualization software is capable of assigning single IPs to the VPS and ensuring that one VPS can't steal an IP from another VPS on the same node.
    Avi B

  3. #28
    Join Date
    Jun 2006
    Location
    Boca Raton, FL
    Posts
    21
    A few things I noticed in the thread- when giving out /29's and /30's be careful to include the router address (basically subtract 3 addresses from any subnet to see what at maximum would be available to the client). So with a /30 only 1 address gets assigned to a client device; a /29 would see only 5 client-usable addresses.

    As far as vlan'ing per client is concerned, it's been a good thing for us- allow me to expand. By vlan'ing a client server or vps, we are able to
    • control L2 broadcast domains (limiting potential effects of a broadcast storm on a problematic NIC)
    • gain additional security by not allowing one server or group of servers to sniff traffic off/destined-for another server or group of servers, or allow it to talk directly to another server.
    • allow for the application of security filters to specific client vlans/ip-interfaces that have no effect on other clients. This is not only important in terms of crafting easier-to-parse acl's, but also inhibits taking an entire section of the network down when an acl is inappropriately configured- it will just affect that customer.
    • not depend on filtering hardware mac addresses for security, as they can be spoofed, as well as needing an update if a nic (or entire server) is replaced, or if a server is moved. mac address security still pits the network against the server (things can be done within the server, even scripted/unattended, to thwart security.) But a vlan, in terms of security, carves out a sandbox for the server to which it is bound regardless of what it tries to do.
    • gain additional scalability and flexibility within the network. Many of our clients have (happily) grown to multiple servers. All servers belonging to a single client (even if the count is 1) exist within their own LAN, even if they are physically in different parts of the datacenter.


    A comment was raised as to what happens with the 4096 vlan limit is hit. That's actually pretty easy- just segregate the portions of your network to include different sections of 4096 "vlan domains", separated by an L3 routed hop. EXAMPLE- VLAN ID 2000 in rack2 for customer 3124 against core-router1 has nothing to do with VLAN ID 2000 in rack14 for customer 3126 against core-router2, unless you specifically map them together.

    Is it extra work? Not too much more than MAC address filtering. Is it worth it to us? Absolutely. I respect other network administrators' decisions within their own networks, but our decision to go with VLAN separation per client has really paid off for us in terms of lack of headaches in multiple areas of concern within the network. Put simply, it's a very structured approach and it works.
    Dan Farrell
    Applied Innovations
    Premium E-commerce hosting

  4. #29
    Join Date
    Jan 2003
    Location
    Chicago, IL
    Posts
    6,957
    Quote Originally Posted by Spudstr View Post
    This has got to be one of the stupidest things from your network tech. Each customer should get their own VLAN. Broadcast storms/multicast is not fun in a network. The more you have in it, the more latency you'll have in your network.

    Why wouldn't you? Someone binding someone else's IP and getting in the ARP cache isn't a security risk?

    Your engineer needs to go read a few more books.
    You don't need separate VLANs to get around those issues, as we've already discussed...
    Karl Zimmerman - Founder & CEO of Steadfast
    VMware Virtual Data Center Platform

    karl @ steadfast.net - Sales/Support: 312-602-2689
    Cloud Hosting, Managed Dedicated Servers, Chicago Colocation, and New Jersey Colocation

  5. #30
    Join Date
    Mar 2006
    Location
    Reston, VA
    Posts
    3,131
    Quote Originally Posted by KarlZimmer View Post
    You don't need separate VLANs to get around those issues, as we've already discussed...
    No, but who wants to constantly go and update ACLs? That gets big and messy real fast.

    You of all people would know that the more PPS you push and the more ACLs/filtering you apply, the more hell it puts on your equipment.
    Yellow Fiber Networks
    http://www.yellowfiber.net : Managed Solutions - Colocation - Network Services IPv4/IPv6
    Ashburn/Denver/NYC/Dallas/Chicago Markets Served zak@yellowfiber.net

  6. #31
    Join Date
    Aug 2006
    Location
    Ashburn VA, San Diego CA
    Posts
    4,615
    Cogent will allocate you a /24 if you plan on multi-homing, regardless of what you plan to use. There's a check box on the IP justification form, read carefully!
    Fast Serv Networks, LLC | AS29889 | DDOS Protected | Managed Cloud, Streaming, Dedicated Servers, Colo by-the-U
    Since 2003 - Ashburn VA + San Diego CA Datacenters

  7. #32
    Join Date
    Apr 2005
    Location
    Jacksonville, FL
    Posts
    981
    Quote Originally Posted by Spudstr View Post
    No, but who wants to constantly go and update ACLs? That gets big and messy real fast.
    Most of us do these updates using databases and scripts.

    You of all people would know that the more PPS you push and the more ACLs/filtering you apply, the more hell it puts on your equipment.
    Those Layer 2 ACLs run at line-rate with no "hell on your equipment" due to a new advancement that you might've heard of called hardware-based forwarding.

    Now selling BigVPS's!
    Jacksonville Colocation and dedicated servers by colo4jax
    We are *not* a reseller. We own our servers, switches, routers and racks.

  8. Really, named ACLs work just fine for inserting and deleting new rules, and how are you filtering such that your ACLs get big and messy really fast?

  9. #34
    Join Date
    Aug 2005
    Location
    Rochester, NY
    Posts
    27
    Good news! Just heard back from Verizon... just under $500/mo for 10M on FE burstable. Seems ridiculous compared to Cogent, which is under $100/mo haha, but it's not as much as Level3 and Fibertech wanted. IMO it's worth it to have a second tier 1 provider. They also said they can probably turn it around in two weeks, which gives me enough time to get the second 2821 and take care of all my ASN stuff with ARIN.

    Hey can you guys post a couple examples of using the ACL's instead of VLAN's? For right now, my network is small enough to use VLANs, and I'm just curious to see other ways to do it.

    Oh, and I was going to run IOS FW on the perimeter routers... is it worth it? Or should I do as little as possible so I can run full BGP routes? Both routers will have 1GB of RAM.

    Thanks!
    True Negative - Reliable Hosting Made Simple - AS1636
    www.truenegative.com - new website coming soon
    Shared / VPS / Dedicated / Colo

  10. @truenegative

    Could you give an example of what you're trying to accomplish here? VLANs and BGP are not in the same "operating" category here and ACL's/VLANs do quite different things here.

  11. #36
    Join Date
    Aug 2005
    Location
    Rochester, NY
    Posts
    27
    Quote Originally Posted by mark-edgewire View Post
    @truenegative

    Could you give an example of what you're trying to accomplish here? VLANs and BGP are not in the same "operating" category here and ACL's/VLANs do quite different things here.
    Sorry, two separate questions there. I'll be running BGP on my two 2821s for multihoming. Completely separate is the discussion about separating the customer servers, VPSs, etc. using either VLANs or ACLs. Considering my server count is fairly low right now, I can easily accomplish it with VLANs and subnetting. I just wanted to see an example of using ACLs to separate hosts instead of VLANs.
    True Negative - Reliable Hosting Made Simple - AS1636
    www.truenegative.com - new website coming soon
    Shared / VPS / Dedicated / Colo
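An added example, not posted by anyone in the thread, showing the two isolation styles being debated on a Catalyst 3550/3750-class switch: a per-customer VLAN (post #28) beside a shared VLAN policed with hardware port ACLs (post #32). Addresses are RFC 5737 documentation space; VLAN, customer and port numbers are made up.

```cisco
! --- Style A: one VLAN per customer ---
! Customer 3124 gets VLAN 2000 and its own /29: network, broadcast and the
! router address are subtracted, leaving five client-usable addresses (.2-.6).
vlan 2000
 name cust-3124
!
interface Vlan2000
 description cust-3124 gateway
 ip address 203.0.113.1 255.255.255.248
 no ip proxy-arp
 no ip redirects
!
interface GigabitEthernet1/0/1
 description cust-3124 server
 switchport mode access
 switchport access vlan 2000
 spanning-tree portfast
 storm-control broadcast level 1.00
!
! --- Style B: shared VLAN 100, isolation enforced with port ACLs ---
! Each port may only source the address assigned to that customer, so a server
! that binds a neighbour's IP has those packets dropped in hardware at ingress.
! An IP port ACL does not see ARP, so "switchport protected" is added to stop
! the two servers from exchanging frames directly inside the VLAN on this
! switch (it does not cover ports on other switches carrying VLAN 100).
ip access-list extended CUST-3124-IN
 remark only cust-3124's assigned address may source traffic on its port
 permit ip host 198.51.100.10 any
 deny   ip any any
!
ip access-list extended CUST-3126-IN
 permit ip host 198.51.100.11 any
 deny   ip any any
!
interface Vlan100
 description shared customer VLAN gateway
 ip address 198.51.100.1 255.255.255.0
 no ip proxy-arp
!
interface GigabitEthernet1/0/2
 description cust-3124 server (shared VLAN)
 switchport mode access
 switchport access vlan 100
 switchport protected
 ip access-group CUST-3124-IN in
!
interface GigabitEthernet1/0/3
 description cust-3126 server (shared VLAN)
 switchport mode access
 switchport access vlan 100
 switchport protected
 ip access-group CUST-3126-IN in
```

Style B is where the "big and messy" argument comes from: every address change means touching a per-customer ACL, whereas in style A the VLAN boundary holds regardless of what the server does with its NIC.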

  12. #37
    Join Date
    Mar 2006
    Location
    Reston, VA
    Posts
    3,131
    Quote Originally Posted by tical View Post
    Most of us do these updates using databases and scripts.

    Those Layer 2 ACLs run at line-rate with no "hell on your equipment" due to a new advancement that you might've heard of called hardware-based forwarding.
    We run 720-3BXLs and we would never still run ACLs on busy VLANs.
    Yellow Fiber Networks
    http://www.yellowfiber.net : Managed Solutions - Colocation - Network Services IPv4/IPv6
    Ashburn/Denver/NYC/Dallas/Chicago Markets Served zak@yellowfiber.net

  13. #38
    Join Date
    Aug 2005
    Location
    Rochester, NY
    Posts
    27
    Update:

    Level3 ended up coming back with better pricing than Verizon, so we're going with them as a second provider. Got approved for my ASN and paid already... so I'm just waiting for that to come. Once I get that, I can send in my BGP forms and Level3 can schedule the installation.
    True Negative - Reliable Hosting Made Simple - AS1636
    www.truenegative.com - new website coming soon
    Shared / VPS / Dedicated / Colo

  14. #39
    Join Date
    Oct 2001
    Posts
    1,319
    Quote Originally Posted by truenegative View Post
    Update:

    Level3 ended up coming back with better pricing than Verizon, so we're going with them as a second provider. Got approved for my ASN and paid already... so I'm just waiting for that to come. Once I get that, I can send in my BGP forms and Level3 can schedule the installation.
    Congrats! ARIN is usually very fast with getting AS #s - you should have it within 24/48 hours of paying.

    Best of luck!
    Avi B

  15. #40
    Join Date
    Aug 2005
    Location
    Rochester, NY
    Posts
    27
    Updates!

    We are officially AS1636 and we have received a /23 allocation from Cogent. Everything is looking good, but I have a couple questions so I can get some things configured. If you guys can help, that'd be awesome!

    As per the recommendation of a friend, I have picked up an ASA 5510 so that my network will be PCI compliant. Also that way I do not have to do any inspection on the perimeter routers, especially since they will have full routes.

    Here is my current network diagram:

    http://img33.imageshack.us/img33/8527/tnnetdiag.png

    inet-rtr01 and inet-rtr02 are 2821s
    inet-es01 is a 3550-12T
    core-es01 is a 3750-24T

    I need to set up BGP, but I do not want to become a transit AS, and I can't quite remember everything about prefix lists from back when I used to do it. I want to use the 3550-12T to redistribute a default route into EIGRP or OSPF so that can be pushed through the firewall to the core switch.

    Any thoughts about the best way to configure this?

    Thanks in advance
    Last edited by truenegative; 08-20-2009 at 12:14 PM.
    True Negative - Reliable Hosting Made Simple - AS1636
    www.truenegative.com - new website coming soon
    Shared / VPS / Dedicated / Colo

  16. #41
    Join Date
    Feb 2004
    Posts
    633
    Quote Originally Posted by truenegative View Post
    As per the recommendation of a friend, I have picked up an ASA 5510 so that my network will be PCI compliant.
    Simply installing a firewall won't make you PCI compliant; if you're going to market your services as being "PCI Compliant", there is quite a bit more to do than just inserting a firewall into your network.

  17. #42
    Join Date
    Aug 2005
    Location
    Rochester, NY
    Posts
    27
    Quote Originally Posted by lockbull View Post
    Simply installing a firewall won't make you PCI compliant; if you're going to market your services as being "PCI Compliant", there is quite a bit more to do than just inserting a firewall into your network.
    Oh, I know, but regardless it's better to offload the firewall from the BGP routers.
    True Negative - Reliable Hosting Made Simple - AS1636
    www.truenegative.com - new website coming soon
    Shared / VPS / Dedicated / Colo

  18. #43
    Join Date
    Aug 2005
    Location
    Rochester, NY
    Posts
    27
    Quote Originally Posted by truenegative View Post
    Updates!

    We are officially AS1636 and we have received a /23 allocation from Cogent. Everything is looking good, but I have a couple questions so I can get some things configured. If you guys can help, that'd be awesome!

    As per the recommendation of a friend, I have picked up an ASA 5510 so that my network will be PCI compliant. Also that way I do not have to do any inspection on the perimeter routers, especially since they will have full routes.

    Here is my current network diagram:

    http://img33.imageshack.us/img33/8527/tnnetdiag.png

    inet-rtr01 and inet-rtr02 are 2821s
    inet-es01 is a 3550-12T
    core-es01 is a 3750-24T

    I need to set up BGP, but I do not want to become a transit AS, and I can't quite remember everything about prefix lists from back when I used to do it. I want to use the 3550-12T to redistribute a default route into EIGRP or OSPF so that can be pushed through the firewall to the core switch.

    Any thoughts about the best way to configure this?

    Thanks in advance
    Anyone? Need a little bit of BGP help here.
    True Negative - Reliable Hosting Made Simple - AS1636
    www.truenegative.com - new website coming soon
    Shared / VPS / Dedicated / Colo

  19. #44
    Join Date
    Jun 2001
    Location
    Denver, CO
    Posts
    3,302
    Google sample BGP configs? Get a book? Hire a consultant?
    Jay Sudowski // Handy Networks LLC // Co-Founder & CTO
    AS30475 - Level(3), HE, Telia, XO and Cogent. Noction optimized network.
    Offering Dedicated Server and Colocation Hosting from our SSAE 16 SOC 2, Type 2 Certified Data Center.
    Current specials here. Check them out.

  20. #45
    Join Date
    Aug 2006
    Location
    Ashburn VA, San Diego CA
    Posts
    4,615
    As soon as you fill up a /24 worth of usage on the Cogent /23, apply for your own /22 initial allocation from ARIN.
    Fast Serv Networks, LLC | AS29889 | DDOS Protected | Managed Cloud, Streaming, Dedicated Servers, Colo by-the-U
    Since 2003 - Ashburn VA + San Diego CA Datacenters

  21. #46
    Join Date
    Aug 2006
    Location
    Ashburn VA, San Diego CA
    Posts
    4,615
    You should swap the 3750 and 3550 in the diagram, either that or get a 3560 instead of a 3550. Huge difference in L3 performance between 3550 and 3560/3750.
    Fast Serv Networks, LLC | AS29889 | DDOS Protected | Managed Cloud, Streaming, Dedicated Servers, Colo by-the-U
    Since 2003 - Ashburn VA + San Diego CA Datacenters

  22. #47
    Join Date
    Aug 2005
    Location
    Rochester, NY
    Posts
    27
    Quote Originally Posted by Jay Suds View Post
    Google sample BGP configs? Get a book? Hire a consultant?
    Yeah, I'm going to dig up a few of my old BGP books. Conceptually I remember how to configure simple BGP, and I found some sample configs, but I don't want to become a transit AS.

    I have a little bit of time though, I'm probably 30 days out on the Level 3 install. I can turn up BGP now with Cogent.

    Quote Originally Posted by FastServ View Post
    As soon as you fill up a /24 worth of usage on the Cogent /23, apply for your own /22 initial allocation from ARIN.
    Yeah for sure that's the plan!

    Quote Originally Posted by FastServ View Post
    You should swap the 3750 and 3550 in the diagram, either that or get a 3560 instead of a 3550. Huge difference in L3 performance between 3550 and 3560/3750.
    Ah, ok. I just texted my Cisco guy, and I can get a great deal on another 3750, so I may do that, since I have not yet purchased the 3550-12T. Thanks for the advice, man.
    True Negative - Reliable Hosting Made Simple - AS1636
    www.truenegative.com - new website coming soon
    Shared / VPS / Dedicated / Colo

  23. #48
    Join Date
    Aug 2005
    Location
    Rochester, NY
    Posts
    27
    More updates

    Got BGP with full routes up and running with Cogent! Yay. Level3 install is about 30 days out.

    I also picked up another 3750-24-TS for outside of the firewall.

    I've figured out the best way (I think) to set this up, so correct me if I'm wrong. I'm going to run iBGP between the two internet routers, and then redistribute a default route from each router into OSPF or EIGRP, which will then talk through the firewall back to the core.

    Now I just need to remember how to configure the ASA to pass all traffic, and just do inspections.
    True Negative - Reliable Hosting Made Simple - AS1636
    www.truenegative.com - new website coming soon
    Shared / VPS / Dedicated / Colo
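An added example, not from any poster, of the inet-rtr01 side of the design described in posts #40 and #48: eBGP to one upstream, iBGP to inet-rtr02, a prefix-list so AS1636 never becomes a transit AS, and a default route handed to the core through OSPF. AS1636 is from the thread; the /23, the upstream ASN (64496, from the documentation range), the OSPF area and every address here are placeholders.

```cisco
! Only our own aggregate is ever announced.  The route-map ends in an implicit
! deny, so full routes learned from Cogent (and later Level3) are never passed
! on to the other upstream; that is what keeps AS1636 from being a transit AS.
ip prefix-list OUR-PREFIXES seq 5 permit 203.0.113.0/23
!
! Inbound: never accept our own space back, and drop anything longer than /24.
ip prefix-list COGENT-IN seq 5 deny 203.0.113.0/23 le 32
ip prefix-list COGENT-IN seq 10 permit 0.0.0.0/0 le 24
!
route-map COGENT-OUT permit 10
 match ip address prefix-list OUR-PREFIXES
!
! Pull-up route so the /23 stays in the RIB (and so in BGP) even when the
! more-specific internal routes flap.
ip route 203.0.113.0 255.255.254.0 Null0 250
!
router bgp 1636
 bgp log-neighbor-changes
 network 203.0.113.0 mask 255.255.254.0
 neighbor 192.0.2.1 remote-as 64496
 neighbor 192.0.2.1 description upstream (placeholder ASN and address)
 neighbor 192.0.2.1 prefix-list COGENT-IN in
 neighbor 192.0.2.1 route-map COGENT-OUT out
 neighbor 10.255.0.2 remote-as 1636
 neighbor 10.255.0.2 description iBGP to inet-rtr02
 neighbor 10.255.0.2 next-hop-self
!
! Static default toward the upstream's connected address: it leaves the RIB
! when that link goes down, and OSPF (without "always") then stops
! originating the default, so the core falls back to inet-rtr02, which runs
! the same config with a higher metric (e.g. metric 20).
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!
router ospf 1
 router-id 10.255.0.1
 passive-interface default
 no passive-interface GigabitEthernet0/1
 network 10.255.0.0 0.0.0.255 area 0
 default-information originate metric 10 metric-type 1
```

The static default only tracks link state, not BGP session state; if the upstream keeps the link up but stops forwarding, this router still attracts traffic, which is the usual reason to pair it with object tracking or with a default learned from the upstream itself.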

  24. #49
    Join Date
    Oct 2001
    Posts
    1,319
    Quote Originally Posted by melo123 View Post
    just buy an internap port and you wouldnt have to worry about any of this..
    I'm not sure if you are trying to (a) push Internap or (b) increase your post count, but this is definitely not helpful or relevant to the OP's intentions.
    Avi B

  25. #50
    Join Date
    Mar 2006
    Location
    Reston, VA
    Posts
    3,131
    Quote Originally Posted by MaB View Post
    I'm not sure if you are trying to (a) push Internap or (b) increase your post count, but this is definitely not helpful or relevant to the OP's intentions.
    Considering he has 4 posts and they are all about Internap, I'm voting for an Internap rep.
    Yellow Fiber Networks
    http://www.yellowfiber.net : Managed Solutions - Colocation - Network Services IPv4/IPv6
    Ashburn/Denver/NYC/Dallas/Chicago Markets Served zak@yellowfiber.net
