While some of my colleagues in the cable industry differ, unconstrained bridging, which lets user hosts reach one another with no filtering, is a disaster waiting to happen. Consider the Cisco private VLAN feature to get some control. It may or may not fit the topology.

Also, I find the operators of such networks often forget Murphy's Law. The network per se may be OK for routine data transfer, but what about infrastructure hosts such as DNS/DHCP, and ARP servers when present? I often hear a lot of hand-waving about how they are fast machines, but I always pose one question, perhaps especially relevant in California:

"Your serving area has an electrical blackout. All the power comes back on at once. All the hosts/routers will try to ARP and DHCP simultaneously. Have you considered the queueing behavior this may cause? Are you protected against broadcast storms?"

> Actually, when I mentioned bridging, I was only talking about the 827s.
> They should still have to route through the 7206 to reach each other. But,
> bridging is just a bad idea anyway. Instead, you could NAT the home side of
> the 827 to the address of the 827's WAN interface. Each link between the
> 7206 and the 827s is a separate routed link, but the 7206 doesn't need to
> know about the networks behind the 827s. It only needs to know about the
> links that are directly connected. No bridging and no statics needed, and
> if the WAN links are addressed properly, then they can all be summarized to
> the rest of the corporate network. Since security is a concern, then I
> would suggest an access list on the 827s to only allow established
> connections inbound.
>
> -Rob Fielding CCIE #7996

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=18182&t=18182
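The design Rob describes above (routed /30 per 827, NAT of the home LAN to the 827's WAN address, an inbound filter that only passes established sessions, summarizable links on the 7206), written out as an added IOS configuration example; it is not from the original thread or from either poster. The ATM PVC 0/35, the 10.0.0.0/24 link block, 192.168.1.0/24 for the home LAN and OSPF area 1 are all constructed placeholders.

```cisco
! ---- 827 (customer premises) ----
interface Ethernet0
 description home LAN (constructed addressing)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface ATM0
 no ip address
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description routed /30 link to the 7206 (no bridging)
 ip address 10.0.0.2 255.255.255.252
 ip nat outside
 ip access-group 101 in
 pvc 0/35
  encapsulation aal5snap
!
! Translate every home host to the WAN address (PAT / overload),
! so the 7206 never needs a route to 192.168.1.0/24.
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface ATM0.1 overload
!
! Inbound filter on the WAN side. 'established' matches only TCP
! segments with ACK or RST set, so UDP replies (e.g. DNS) need their
! own entry; everything else from the serving network is dropped.
access-list 101 permit tcp any any established
access-list 101 permit udp any eq domain any
access-list 101 deny ip any any log
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
! ---- 7206 (head end) ----
! One directly connected /30 per 827; the 7206 holds no routes to
! the home LANs because they are hidden behind the 827 NAT.
interface ATM1/0.1 point-to-point
 description link to customer 827 #1
 ip address 10.0.0.1 255.255.255.252
 pvc 0/35
  encapsulation aal5snap
!
! All customer /30s live in 10.0.0.0/24, so the rest of the corporate
! network sees one summary instead of one route per 827.
router ospf 1
 network 10.0.0.0 0.0.0.255 area 1
 area 1 range 10.0.0.0 255.255.255.0
```

Verify with `show ip nat translations` on the 827 and `show ip route` on a core router, which should list only the 10.0.0.0/24 summary, not the individual /30s or any 192.168.1.0/24 entry.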

