This is really a form of: "A subnet should contain all things of a like purpose/use."

That way you don't have to compromise and say: "Well... tcp/443 is OK for ABC units but deadly for XYZ ones! Block to the 6 of 12 XYZ and permit to all ABC... wait, can you bounce off an ABC and still kill an XYZ? Crap... pwned." Segregation by function/purpose... best bet you can get.

On Wed, May 6, 2015 at 3:59 PM, <char...@thefnf.org> wrote:
>
>> Consider setting up a separate zone or zones (via VLAN) for devices
>> with embedded TCP/IP stacks. I have worked in several shops using
>> switched power units from APC, SynAccess, and TrippLite, and find that
>> the TCP/IP stacks in those units are a bit fragile when confronted
>> with a lot of traffic, even when the traffic is not addressed to the
>> embedded devices.
>
>
> Yes! This.
>
> I used to have my PDUs/term servers/switches all on one VLAN. As growth
> occurred, they got broken out to dedicated VLANs. With that, the amount of
> false positives from Zenoss went way down (frequently port 80 would report
> down, then clear). I still get some alerts, but far less frequently.
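The "bounce off an ABC and still kill an XYZ" problem above can be made concrete with a small reachability model. This is an added example, not code from the thread or any of its posters: it assumes a router/firewall that only sees traffic crossing a VLAN boundary (same-VLAN traffic is switched directly), a per-host deny list of the "block 443 to the XYZ units" kind, and constructed host names, VLAN numbers and device classes ("ABC" tolerates tcp/443, "XYZ" does not). It compares a mixed-purpose subnet against one segregated by function and computes which XYZ units an attacker can reach on 443 after pivoting through whatever they can already reach.

```python
from __future__ import annotations

from collections import deque
from dataclasses import dataclass, field

# Constructed illustration: hosts, VLAN numbers and roles are made up.


@dataclass(frozen=True)
class Host:
    name: str
    vlan: int
    role: str  # "ABC" (tcp/443 is fine) or "XYZ" (tcp/443 is deadly)


@dataclass
class Network:
    hosts: dict[str, Host]
    # Inter-VLAN ACL, evaluated by the firewall only for traffic that crosses
    # a VLAN boundary: (src_vlan, dst_vlan, port). Anything not listed is denied.
    acl: set[tuple[int, int, int]] = field(default_factory=set)
    # Per-host denies at the firewall (the "block to the 6 of 12 XYZ" style).
    host_deny: set[tuple[str, int]] = field(default_factory=set)

    def can_send(self, src: str, dst: str, port: int) -> bool:
        s, d = self.hosts[src], self.hosts[dst]
        if s.vlan == d.vlan:
            # Same broadcast domain: the packet is switched, the firewall
            # never sees it, so no ACL applies.
            return True
        if (dst, port) in self.host_deny:
            return False
        return (s.vlan, d.vlan, port) in self.acl

    def reachable(self, start: str, port: int) -> set[str]:
        """Hosts an attacker controlling `start` can reach on `port`,
        pivoting through every host reached along the way (BFS)."""
        seen, queue = {start}, deque([start])
        while queue:
            cur = queue.popleft()
            for other in self.hosts:
                if other not in seen and self.can_send(cur, other, port):
                    seen.add(other)
                    queue.append(other)
        seen.discard(start)
        return seen


def exposed_xyz(net: Network, attacker: str, port: int = 443) -> set[str]:
    """XYZ units the attacker can hit on `port`, directly or via a pivot."""
    return {h for h in net.reachable(attacker, port) if net.hosts[h].role == "XYZ"}


def flat_design() -> Network:
    # ABC and XYZ units share VLAN 10; only a per-host deny protects the XYZ.
    hosts = {
        "attacker": Host("attacker", 20, "USER"),
        "abc1": Host("abc1", 10, "ABC"),
        "abc2": Host("abc2", 10, "ABC"),
        "xyz1": Host("xyz1", 10, "XYZ"),
        "xyz2": Host("xyz2", 10, "XYZ"),
    }
    return Network(
        hosts,
        acl={(20, 10, 443)},
        host_deny={("xyz1", 443), ("xyz2", 443)},
    )


def segregated_design() -> Network:
    # XYZ units get their own VLAN 30 with no 443 permitted into it at all.
    hosts = {
        "attacker": Host("attacker", 20, "USER"),
        "abc1": Host("abc1", 10, "ABC"),
        "abc2": Host("abc2", 10, "ABC"),
        "xyz1": Host("xyz1", 30, "XYZ"),
        "xyz2": Host("xyz2", 30, "XYZ"),
    }
    return Network(hosts, acl={(20, 10, 443)})


if __name__ == "__main__":
    print("flat:       ", sorted(exposed_xyz(flat_design(), "attacker")))
    print("segregated: ", sorted(exposed_xyz(segregated_design(), "attacker")))
```

In the flat design the direct path to each XYZ unit is denied, yet both are exposed: the attacker reaches abc1 on 443, and from abc1 the XYZ units are one switched hop away where no ACL exists. In the segregated design the same pivot stops at the VLAN boundary because there is simply no rule permitting 443 from VLAN 10 into VLAN 30. The model ignores things a real assessment would not (L2 tricks, the firewall itself, other ports), but it shows why the per-host exception list is the losing bet.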