On Mon, 07 Oct 2002 15:37:16 -0400, Valdis.Kletnieks@vt.edu wrote:
I suppose they *could* - the fun then starts when you get a routing flap and the other router tells you that you're not on one subnet because the subnet is unreachable and would you please remove the interface? And I'm willing to bet that there's a lack of MD5 at the important places in the dataflow... ;)
What's puzzling me is how anybody has a big enough net that subnets are being added fast enough that automating the process is needed, but they don't already have a way to centrally manage the routers so they can just push the needed 'ip route 172.16.16.0 255.255.255.0 fa0/0' out somehow.
And even so, many of us have learned in very painful ways that running more than one IP subnet on the same physical network can get you into trouble very quickly. For a small SOHO network, fine, but then you usually don't use dynamic routing protocols anyway. Here's just a small sampling of what can go wrong:

1) A broadcast storm cripples all your subnets and slows some of your machines to a crawl.

2) A compromise on a machine leads to ARP mischief (such as theft of another subnet's default gateway IP), leading to TCP hijacking, password theft, or worse.

3) A DoS attack causes one machine to be completely knocked out (locks up, or reboots but fails to come back on after shutting itself off, or locks in an fsck in single user mode or some such). The DoS attack continues until the switch's table entry for that hardware address expires. Now the DoS attack pops out every port on every machine.

And on, and on, and on. You want as few machines as possible on a single Ethernet LAN because Ethernet has no protection against various types of subterfuge.

DS
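The gateway-theft case in item 2 of the message above, as an added example that is not from this thread or its authors: a small Python detector that takes constructed ARP-reply observations and a constructed list of the gateways sharing the segment, and reports every gateway IP whose advertised MAC changes, which is the event a defender monitoring a shared LAN would want to alert on.

```python
# Added example (not from the thread): flag gateway IPs whose ARP-advertised
# MAC changes, i.e. the "theft of another subnet's default gateway" case.
from datetime import datetime

# Constructed ARP-reply observations: "timestamp sender-ip sender-mac".
SAMPLE_ARP = """\
2002-10-07T15:40:01 172.16.16.1 00:11:22:33:44:01
2002-10-07T15:40:03 172.16.17.1 00:11:22:33:44:02
2002-10-07T15:40:10 172.16.16.25 00:aa:bb:cc:dd:25
2002-10-07T15:41:12 172.16.17.1 00:DE:AD:BE:EF:99
2002-10-07T15:41:15 172.16.17.1 00:11:22:33:44:02
"""

# Constructed: the default gateway of each subnet sharing the LAN.
GATEWAYS = {"172.16.16.1", "172.16.17.1"}


def parse_arp_log(text):
    """Parse 'timestamp ip mac' lines; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            records.append((datetime.fromisoformat(parts[0]), parts[1], parts[2].lower()))
        except ValueError:
            continue
    return records


def find_gateway_mac_changes(records, gateways):
    """Return (timestamp, ip, previous_mac, new_mac) for every change of a
    gateway's MAC. The first MAC seen is trusted; each later different MAC
    is reported, so the flip back after a spoof is an alert too."""
    last_mac, alerts = {}, []
    for ts, ip, mac in sorted(records):
        if ip not in gateways:
            continue
        prev = last_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append((ts, ip, prev, mac))
        last_mac[ip] = mac
    return alerts


if __name__ == "__main__":
    for ts, ip, prev, new in find_gateway_mac_changes(parse_arp_log(SAMPLE_ARP), GATEWAYS):
        print(f"{ts.isoformat()} gateway {ip} moved from {prev} to {new}")
```

On the constructed sample this reports two changes for 172.16.17.1: the move to the unexpected MAC and the move back.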