Re: Network Segmentation Approaches

[Stephen Satchell <list () satchell net>]

On 05/04/2015 07:55 PM, nanog1 () roadrunner com wrote:
> Possibly a bit off-topic, but curious how all of you out there segment
> your networks.  Corporate/business users, dependent services, etc. from
> critical data and/or processes with remote locations thrown in the mix
> which could be mini-versions of your primary network.

Add "management zone" or "infrastructure zone":

Consider setting up a separate zone or zones (via VLAN) for devices with 
embedded TCP/IP stacks.  I have worked in several shops using switched 
power units from APC, SynAccess, and TrippLite, and find that the TCP/IP 
stacks in those units are a bit fragile when confronted with a lot of 
traffic, even when the traffic is not addressed to the embedded devices.

Separately, an ISP discovered that a consumer-grade NAS has the same 
problem.

These should be on a separate subnet anyway, with unfettered access from 
the outside disallowed at the edge.  To access the infrastructure 
equipment, you would use VPN to bypass your edge router access lists. 
If you have a lot of inside equipment not under your direct control, 
consider locking them out of the infrastructure subnet, too.

Needless to day, watch the load you direct at these embedded devices. 
My current day job installed Solar Winds to monitor everything.  The 
probes from the software knocked out the SNMP access to all too many of 
the PDU devices on the network.