[afnog] Bridged Access Network

Chris Wilson chris+afnog at aptivate.org
Wed Oct 9 09:25:18 UTC 2013


Hi Vincent,

On Wed, 9 Oct 2013, Vincent Mwamba wrote:

> We have Layer 3 devices at each customer premises with static IPs from a 
> pool assigned to a service, e.g. a /24 static pool. But we do get 
> customers who plug their links into a switch at their end.

That's probably not a good idea. It allows your customers to get as many 
public IPs as they want, and attack other customers by responding to ARP 
requests for their IPs.

I'd put a router that you control at each site, with the public IP. It 
doesn't need to be expensive, but you do need to control the layer 3 to 
stop their broadcasts leaking out. If they want to use their own router, 
they need to register its MAC address with you, and you can filter 
outbound traffic that's not from that host and not destined to the 
gateway's MAC address. And ARPs. Filter ARPs.

Cheers, Chris.
-- 
Aptivate | http://www.aptivate.org | Phone: +44 1223 967 838
Citylife House, Sturton Street, Cambridge, CB1 2QF, UK

Aptivate is a not-for-profit company registered in England and Wales
with company number 04980791.
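The per-customer filter Chris describes (one registered router MAC per port, traffic only towards the gateway, ARP restricted to the customer's own addresses) modelled as an added example in Python. This is not code from the list or from Aptivate; the gateway MAC, gateway IP, port names and customer registrations are constructed sample values.

```python
from ipaddress import ip_address

GATEWAY_MAC = "00:00:5e:00:01:01"          # constructed gateway MAC
GATEWAY_IP = ip_address("203.0.113.1")     # constructed gateway IP
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed registrations: customer port -> (registered router MAC, assigned IPs)
CUSTOMERS = {
    "port1": ("02:aa:aa:aa:aa:01", {ip_address("203.0.113.10")}),
    "port2": ("02:aa:aa:aa:aa:02", {ip_address("203.0.113.20"),
                                    ip_address("203.0.113.21")}),
}


def filter_frame(port, frame):
    """Decide whether a frame arriving on a customer-facing port is forwarded.

    frame keys: src, dst, type ("ip" or "arp"); for ip: src_ip;
    for arp: op ("request"/"reply"), sender_mac, sender_ip, target_ip.
    Returns (allowed, reason).
    """
    reg_mac, assigned = CUSTOMERS[port]
    # Anything not sent by the registered router (e.g. a second host behind
    # the customer's switch) is dropped regardless of what it carries.
    if frame["src"] != reg_mac:
        return False, "source MAC is not the registered router"
    if frame["type"] == "ip":
        if frame["dst"] != GATEWAY_MAC:
            return False, "IP frames may only be sent to the gateway MAC"
        if ip_address(frame["src_ip"]) not in assigned:
            return False, "source IP not assigned to this customer"
        return True, "ok"
    if frame["type"] == "arp":
        # The ARP payload must agree with the registration, so a customer
        # cannot answer for (or claim) another customer's address.
        if frame["sender_mac"] != reg_mac:
            return False, "ARP sender MAC does not match registered router"
        if ip_address(frame["sender_ip"]) not in assigned:
            return False, "ARP sender IP not assigned to this customer"
        if frame["op"] == "request":
            if (frame["dst"] not in (BROADCAST, GATEWAY_MAC)
                    or ip_address(frame["target_ip"]) != GATEWAY_IP):
                return False, "ARP requests may only resolve the gateway"
            return True, "ok"
        if frame["op"] == "reply":
            if frame["dst"] != GATEWAY_MAC:
                return False, "ARP replies may only be sent to the gateway"
            return True, "ok"
    return False, "unsupported frame"
```

The same checks map onto a real access switch or CPE as a per-port source-MAC/IP binding plus an ARP inspection rule, with a default drop for anything else on the port.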