On 23/10/2013 17:03, petes-li...@thegoldenear.org wrote:
> <general description of a subnet with end-user systems and multiple routers on that subnet>
In general, I believe the sound design of a network has the following rules-of-thumb:
1. There should only be one router (or virtual router in HA environments) on a subnet used by end-user systems.
2. If a subnet has more than one router (or virtual router), then it is a transit subnet (i.e. a /30), and should only contain routers and no end-user systems.
3. If a subnet has more than two routers (or virtual routers), then you should really use a dynamic routing protocol (I would still avoid RIP, and use OSPF or EIGRP (Cisco proprietary)).
OSPF has the feature of a designated router (DR) and backup-designated router (BDR) - which essentially virtually creates a router within a broadcast domain to ensure that the routes are calculated as per (2).
If you need to break these rules of thumb, then either:
(a) Ensure that your routers and hosts understand and process ICMP Redirects, and live with the possible consequences of the security issues these create.
(b) Enable a dynamic routing protocol on all your end-user hosts, and live with the possible consequences of the security issues these create.
Either way, not following the rules will create a performance issue, which you might be able to move around to other systems on the subnet, but it is still a performance issue.
-- 
Regards,
Giles Coochey, CCNP, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 8444 780677
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
gi...@coochey.net
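The rules of thumb in the message above, as an added example that is not part of Giles' e-mail or of pfSense: a small Python lint over a constructed inventory (system names and RFC 5737 addresses are made up) that reports which subnets break rules 1 to 3, so the "ICMP redirect or host routing protocol" trade-off is visible before hosts are placed.

```python
import ipaddress

# Constructed inventory: CIDR -> [(system name, "router" | "host"), ...].
# Names and addresses are made up for this example (RFC 5737 ranges).
SAMPLE_INVENTORY = {
    "192.0.2.0/24": [("office-gw", "router"), ("dc-gw", "router"),
                     ("pc-01", "host"), ("pc-02", "host")],
    "198.51.100.0/30": [("core-a", "router"), ("core-b", "router")],
    "203.0.113.0/29": [("edge-1", "router"), ("edge-2", "router"),
                       ("edge-3", "router")],
    "198.51.100.128/25": [("lan-gw", "router"), ("printer", "host")],
}


def lint_subnet(cidr, members):
    """Return [(rule, message)] for every rule of thumb the subnet breaks."""
    net = ipaddress.ip_network(cidr, strict=False)
    routers = [name for name, role in members if role == "router"]
    hosts = [name for name, role in members if role == "host"]
    findings = []
    if len(routers) > 1:
        if hosts:
            # Rules 1 and 2: end-user systems share the subnet with several
            # routers, so traffic takes an extra hop unless the hosts accept
            # ICMP redirects or run a routing protocol themselves.
            findings.append(("rule1", "%s: %d routers (%s) with end-user systems (%s)"
                             % (net, len(routers), ", ".join(routers), ", ".join(hosts))))
        elif net.version == 4 and net.prefixlen < 30:
            # Rule 2: a router-only transit subnet should be a /30. The /30 is
            # the author's figure for IPv4; IPv6 sizing is not covered, so skipped.
            findings.append(("rule2", "%s: transit subnet is wider than a /30" % net))
    if len(routers) > 2:
        # Rule 3: three or more routers call for OSPF/EIGRP, not static routes.
        findings.append(("rule3", "%s: %d routers, use a dynamic routing protocol"
                         % (net, len(routers))))
    return findings


def lint_inventory(inventory):
    """Map each non-compliant subnet to its findings; compliant ones are omitted."""
    report = {}
    for cidr, members in inventory.items():
        findings = lint_subnet(cidr, members)
        if findings:
            report[cidr] = findings
    return report


if __name__ == "__main__":
    for cidr, findings in lint_inventory(SAMPLE_INVENTORY).items():
        for rule, message in findings:
            print(rule, message)
```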