this is really a form of: "A subnet should contain all things of a like purpose/use." that way you don't have to compromise and say: "Well... tcp/443 is OK for ABC units but deadly for XYZ ones! block to the 6 of 12 XYZ and permit to all ABC... wait, can you bounce off an ABC and still kill an XYZ? crap... pwned." segregation by function/purpose... best bet you can get. On Wed, May 6, 2015 at 3:59 PM, <charles@thefnf.org> wrote:
Consider setting up a separate zone or zones (via VLAN) for devices with embedded TCP/IP stacks. I have worked in several shops using switched power units from APC, SynAccess, and TrippLite, and find that the TCP/IP stacks in those units are a bit fragile when confronted with a lot of traffic, even when the traffic is not addressed to the embedded devices.
Yes! This.
I used to have my PDUs/term serves/switches all on one VLAN. As growth occurred, they get broken out to dedicated VLANs. With that, the amount of false positives from Zenoss went way down (frequently port 80 would report down, then clear). I still get some alerts, but far less frequently.