[afnog] Bridged Access Network

akinokin at abu.edu.ng
Wed Oct 9 10:35:29 UTC 2013


Vincent, I prefer Chris's solution: employ a tech that will curtail the broadcast storm to each client site. If you've not gotten sufficient public IPs from AfriNIC, you can make do with a /30 from your LAN IPs at each of your sites.

Kind Regards
Akin
Sent from my BlackBerry wireless device from MTN

-----Original Message-----
From: Chris Wilson <chris+afnog at aptivate.org>
Sender: afnog-bounces at afnog.org
Date: Wed, 9 Oct 2013 10:25:18
To: Vincent Mwamba<davince01 at gmail.com>
Cc: afnog at afnog.org<afnog at afnog.org>
Subject: Re: [afnog] Bridged Access Network

Hi Vincent,

On Wed, 9 Oct 2013, Vincent Mwamba wrote:

> We have Layer 3 devices at each customer premises with static IPs from a 
> pool assigned to a service e.g a /24 static pool. But we do get 
> customers who plug their links into a switch at their end.

That's probably not a good idea. It allows your customers to get as many 
public IPs as they want, and attack other customers by responding to ARP 
requests for their IPs.

I'd put a router that you control at each site, with the public IP. It 
doesn't need to be expensive, but you do need to control the layer 3 to 
stop their broadcasts leaking out. If they want to use their own router, 
they need to register its MAC address with you, and you can filter 
outbound traffic that's not from that host and not destined to the 
gateway's MAC address. And ARPs. Filter ARPs.

Cheers, Chris.
-- 
Aptivate | http://www.aptivate.org | Phone: +44 1223 967 838
Citylife House, Sturton Street, Cambridge, CB1 2QF, UK

Aptivate is a not-for-profit company registered in England and Wales
with company number 04980791.


_______________________________________________
afnog mailing list
http://afnog.org/mailman/listinfo/afnog
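As an added illustration of the per-site filter Chris describes (registered customer MAC, traffic only to the gateway MAC, ARP restricted) combined with Akin's one-/30-per-site suggestion, here is a small policy model in Python. It is example code written for this archive page, not from the thread or from any vendor; every MAC and address is constructed, and ethertype and ARP fields are simplified to strings.

```python
# Added example (not from the thread): model of the customer-port ingress filter
# described above, with one /30 per site. All MACs and addresses are constructed.
import ipaddress
from dataclasses import dataclass

GATEWAY_MAC = "00:00:5e:00:53:01"   # constructed: provider router MAC at the PoP
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    ethertype: str      # "ip" or "arp"
    sender_ip: str      # IP source address, or ARP sender protocol address
    arp_op: str = ""    # "request" or "reply" when ethertype == "arp"

@dataclass(frozen=True)
class SitePolicy:
    registered_mac: str               # MAC the customer registered with us
    prefix: ipaddress.IPv4Network     # the site's /30
    gateway_ip: ipaddress.IPv4Address # our address inside that /30

def customer_ips(policy):
    """Addresses the customer may source from: the /30's hosts minus our gateway."""
    return {h for h in policy.prefix.hosts() if h != policy.gateway_ip}

def filter_frame(frame, policy):
    """Ingress check on the customer-facing port. Returns (verdict, reason)."""
    if frame.src_mac.lower() != policy.registered_mac.lower():
        return "drop", "source MAC is not the registered host"
    try:
        sender = ipaddress.IPv4Address(frame.sender_ip)
    except ValueError:
        return "drop", "malformed sender address"
    if sender not in customer_ips(policy):
        return "drop", "sender IP not assigned to this site"
    dst = frame.dst_mac.lower()
    if frame.ethertype == "arp":
        # Only ARP for the site's own address: requests to broadcast, replies to
        # the gateway. A reply claiming another site's IP already failed above.
        if frame.arp_op == "request" and dst == BROADCAST_MAC:
            return "accept", "arp request from own address"
        if frame.arp_op == "reply" and dst == GATEWAY_MAC:
            return "accept", "arp reply to gateway for own address"
        return "drop", "arp not permitted by policy"
    if dst != GATEWAY_MAC:
        return "drop", "unicast not addressed to the gateway (no customer-to-customer L2)"
    return "accept", "registered host to gateway"

SITE_A = SitePolicy("02:00:00:00:0a:01", ipaddress.IPv4Network("198.51.100.0/30"),
                    ipaddress.IPv4Address("198.51.100.1"))  # constructed site
```

Frames that pass are only those a single registered host would send toward the provider router for its own assigned address; a switch plugged in behind the link (extra MACs, other sites' IPs in ARP replies, direct customer-to-customer unicast) fails one of the checks.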
