From: cannonr (cannonr@xxxxxxxxx)
Date: Sat Aug 10 2002 - 09:53:19 GMT-3
Can you move the Unix servers to their own VLAN?
----- Original Message -----
From: "Hansang Bae" <hbae@nyc.rr.com>
To: <ccielab@groupstudy.com>
Sent: Saturday, August 10, 2002 1:04 AM
Subject: Re: OT: Protecting default gateway ip address
> At 08:22 PM 8/9/2002 +0100, Colin Barber wrote:
> >Hi Guys,
> >Sorry for the OT. Today at work some bright spark got the ip address and
> >default gateway the wrong way round on a Unix box in our data centre and
> >took down the whole subnet; just 200 systems and 8000 users not able to
> >communicate!
> >
> >Has anybody got any ideas on the best way to protect the default gateway ip
> >address from misconfiguration? The device is a 300 port 6509 with the
> >default gateway being the internal MSFCs. The only way I can think of is
> >using native IOS on the cat and applying an input access list denying the
> >source ip address of the default gateway on all 300 Ethernet ports. I know
> >the MSFCs can wire-speed route ip and standard and extended access lists but
> >does the first packet still need to be process switched? Whatever solution
> >I use it cannot affect performance of the router, switch or the clients.
>
>
> Won't work. How do you prevent the Unix box from responding to arp frames
> sent by the users?
>
> hsb
This archive was generated by hypermail 2.1.4 : Sat Sep 07 2002 - 19:48:22 GMT-3
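
The point raised in the reply above (an IP source filter does not stop a misconfigured host from answering ARP for the gateway address) can be watched for on the wire. The following is an added example, not part of the original thread: it parses Ethernet ARP frames and flags any frame whose sender IP is the gateway but whose sender MAC is not. The gateway IP and MAC, the host MACs, the function names and the sample frames are all constructed assumptions; VLAN-tagged frames are not handled.

```python
import struct

GATEWAY_IP = "192.0.2.1"            # assumed gateway address (documentation range)
GATEWAY_MAC = "00:00:5e:00:53:01"   # assumed MAC of the legitimate gateway

def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _ip(b): return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip), or None if the frame
    is not an untagged IPv4-over-Ethernet ARP packet."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return op, _mac(sha), _ip(spa), _ip(tpa)

def gateway_conflicts(frames):
    """List (sender_mac, kind) for every ARP frame that claims the gateway IP
    from a MAC other than the gateway's. Covers replies and gratuitous ARP."""
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        op, sha, spa, _tpa = parsed
        if spa == GATEWAY_IP and sha != GATEWAY_MAC:
            alerts.append((sha, "request" if op == 1 else "reply"))
    return alerts

def make_frame(op, src_mac, src_ip, dst_mac, dst_ip):
    """Build a constructed ARP frame for the sample below (requests are broadcast)."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    i = lambda s: bytes(int(x) for x in s.split("."))
    eth_dst = m("ff:ff:ff:ff:ff:ff") if op == 1 else m(dst_mac)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return eth_dst + m(src_mac) + b"\x08\x06" + arp + m(src_mac) + i(src_ip) + m(dst_mac) + i(dst_ip)

CLIENT = ("00:00:5e:00:53:10", "192.0.2.50")   # constructed user workstation
BAD_MAC = "00:00:5e:00:53:99"                  # constructed misconfigured Unix box
ZERO = "00:00:00:00:00:00"
SAMPLE = [  # constructed capture
    make_frame(1, CLIENT[0], CLIENT[1], ZERO, GATEWAY_IP),        # user asks for gateway
    make_frame(2, GATEWAY_MAC, GATEWAY_IP, CLIENT[0], CLIENT[1]), # real gateway answers
    make_frame(1, BAD_MAC, GATEWAY_IP, ZERO, GATEWAY_IP),         # gratuitous ARP at boot
    make_frame(2, BAD_MAC, GATEWAY_IP, CLIENT[0], CLIENT[1]),     # wrong host answers too
]

if __name__ == "__main__":
    for mac, kind in gateway_conflicts(SAMPLE):
        print(f"ARP {kind} claims {GATEWAY_IP} from unexpected MAC {mac}")
```
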