[179745] in North American Network Operators' Group

Re: Network Segmentation Approaches

daemon@ATHENA.MIT.EDU (charles@thefnf.org)
Wed May 6 15:59:56 2015

X-Original-To: nanog@nanog.org
Date: Wed, 06 May 2015 14:59:53 -0500
From: charles@thefnf.org
To: nanog@nanog.org
In-Reply-To: <5548BD44.10509@satchell.net>
Errors-To: nanog-bounces@nanog.org


> Consider setting up a separate zone or zones (via VLAN) for devices
> with embedded TCP/IP stacks.  I have worked in several shops using
> switched power units from APC, SynAccess, and TrippLite, and find that
> the TCP/IP stacks in those units are a bit fragile when confronted
> with a lot of traffic, even when the traffic is not addressed to the
> embedded devices.

Yes! This.

I used to have my PDUs/term servers/switches all on one VLAN. As growth 
occurred, they got broken out to dedicated VLANs. With that, the amount 
of false positives from Zenoss went way down (frequently port 80 would 
report down, then clear). I still get some alerts, but far less 
frequently.
