customers and web servers and level one naps

Second: allowing such a customer, or an NSP, to attach web services
directly to the FDDI ring at the NAP.

PAIX is doing this. As far as I know the other major interchange providers
are not. I am wondering why.

No, Gordon, PAIX IS NOT DOING THIS. I told you quite explicitly that
the only hosts connected to the PAIX layer 2 network (GIGAswitch/FDDI,
not FDDI ring) are ISP routers, just like all the other IX networks.

NO WEB SERVERS ARE CONNECTED TO THE PAIX GIGASWITCH. PERIOD. Review
your tape of our conversation if this remains unclear; I said that
PAIX provides co-location space in order to encourage ISPs to place
web servers ON THEIR OWN NETWORKS, BEHIND THEIR ROUTERS.

Stephen
-----
Stephen Stuart stuart@pa.dec.com
Network Systems Laboratory
Digital Equipment Corporation

Easy does it, Stephen... sorry I misunderstood you. I have not yet begun
to work on the tape. So let me reorient my question.

You encourage ISPs to place web servers ON THEIR OWN NETWORKS, BEHIND
THEIR ROUTERS.

I see now the point you are making and it is a critical one, but please
have mercy when I make a mistake.

Having said this, the web servers are still sited within PAIX and
topologically a lot closer to the exchange switching fabric than they have
been before. This presumably offers some advantages for the performance
of those machines. The only thing I am trying to ascertain is whether
this has been tried at other exchanges or not, and why. As far as I am
aware it has not.

Bill Manning asked whether PAIX was a major exchange.

No, of course it is not. But Bill, is your response meant to imply that at
a major exchange there is simply going to be too much traffic to add the
web stuff? Since the server is BEHIND the customer router, the web
traffic would hit the switch as part of the application layer traffic
brought there by the customer. Therefore, should it really make any
difference to have the web traffic avoid the extra hops of
traversing the local loop?

what am I missing?

*sigh* OK, so PA stands for Palo Alto while I assumed it stood for
Pennsylvania...

Anyway, from the point of view of network engineering it makes a lot of
sense for the customer machines to be kept off the central exchange media.
But from every other point of view, the fact that there is a router
between the customer equipment and the layer 2 exchange media is
irrelevant as it has no negative impact on anything.

Did I misinterpret Gordon's question as being a higher level question
about which XP's allow customer servers to have high-speed access to the
XP? Said high-speed access could just as easily be a Gigaswitch/FDDI
behind the ISP's router.

Michael Dillon - ISP & Internet Consulting
Memra Software Inc. - Fax: +1-604-546-3049
http://www.memra.com - E-mail: michael@memra.com

Michael,

Have you had much experience having the servers connect directly on to a
level-2 device like an FDDI-to-Ethernet (e.g. Catalyst) connector, and its
security implications?

-Mulugu

Don't you have people at Sprint who could answer this question? ;-)

Michael Dillon - ISP & Internet Consulting
Memra Software Inc. - Fax: +1-604-546-3049
http://www.memra.com - E-mail: michael@memra.com

I know we do, Michael. And I have "their" answer. But they may not have
the same experiences you did. I know they did not have the same
experiences as some folks running PAIX. So if you have the time and
inclination to speak, I do have the interest to listen to you. ;-)

-Mulugu

It's not a matter of experience. It's a matter of what a level-2 device is
and how it normally works. There is no security at level 2.

Therefore, you should only connect trusted pieces of equipment to a
level-2 media unless it is being used as a point-to-point media. Let's use
Ethernet as an example. If you connect a customer web server to an
Ethernet, then they can sniff any traffic that goes by and possibly do
nasty things like spoofing. Even if they would never do such a thing, they
may be hacked by somebody who would do such a thing. So it is not a good
idea to share a level 2 media in this way.

However you can use level 2 media to create point-to-point links. One way
is to use a reversed patch cable between two 10baseT interfaces. Another
more common way is to use a switch (also works with FDDI and ATM). Of
course, the normal reason for using such switches is to get greater
bandwidth capabilities. I wouldn't rely on them as the sole means of
isolating a customer's web server.

I still don't understand why you are asking me specifically about this
stuff. I certainly don't have any direct experience building exchange
points. Normally on a mailing list you would direct your question to all
the list members in the hopes that you will get several replies from
people who have good information to share.

Michael Dillon - ISP & Internet Consulting
Memra Software Inc. - Fax: +1-604-546-3049
http://www.memra.com - E-mail: michael@memra.com

Yes there is rudimentary security at L2. It's called MAC-based filtering,
which is a feature of DEC's GIGAswitch. I believe that SprintLink uses the
capability in a form to logically separate backbone router traffic from
access router traffic when both routers are homed to the same GIGAswitch.
With filtering, you can establish virtual workgroups where only certain
devices can communicate with other devices in the same group, or with
specific devices in other groups.

ss

Steve,

The GIGAswitches support filtering based on several parameters (e.g.
MAC source/destination address, switch ports, etc.). We currently employ
filtering based on ports (vs. MAC addresses) to logically partition the
GIGAswitches. I think this is prudent since the MAC addresses will change
if (er, when :-) ) we ever have to swap out failed equipment.

   Jim
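The two partitioning schemes the thread describes, modelled in Python as an added example that is not part of the original discussion and is not GIGAswitch code (the MAC addresses, port numbers and the no-flooding rule are constructed assumptions). It shows why Jim's port-based filter keeps working across a router swap while Stephen's MAC-based groups need reconfiguring, and which of the two is fooled by the source-MAC forgery Michael warns about.

```python
"""Toy model of two ways to partition a shared layer-2 exchange fabric.
Constructed example, not GIGAswitch code; MACs and port numbers are made up.
Workgroups are keyed on MAC addresses (Stephen's description) or on ports (Jim's)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    ingress_port: int
    src_mac: str
    dst_mac: str


class MacFilterPolicy:
    """Permit a frame only when source and destination MACs share a group."""
    def __init__(self, groups):
        self.group_of = {mac: i for i, g in enumerate(groups) for mac in g}

    def permits(self, frame):
        src, dst = self.group_of.get(frame.src_mac), self.group_of.get(frame.dst_mac)
        return src is not None and src == dst


class PortFilterPolicy:
    """Permit a frame only when its ingress port and the port where the destination
    MAC was learned share a group; the source MAC is never consulted."""
    def __init__(self, groups, mac_table):
        self.group_of_port = {p: i for i, g in enumerate(groups) for p in g}
        self.mac_table = mac_table  # destination MAC -> port it was learned on

    def permits(self, frame):
        egress = self.mac_table.get(frame.dst_mac)
        if egress is None:
            return False  # unknown destination: this model does not flood
        return self.group_of_port.get(frame.ingress_port) == self.group_of_port.get(egress)


# Constructed topology: ports 1-2 are backbone routers, port 3 an access router.
BACKBONE_OLD, BACKBONE_NEW = "00:00:f8:aa:aa:01", "00:00:f8:aa:aa:02"
BACKBONE_PEER, ACCESS = "00:00:f8:aa:aa:09", "00:00:f8:bb:bb:01"
MAC_POLICY = MacFilterPolicy([{BACKBONE_OLD, BACKBONE_PEER}, {ACCESS}])
PORT_POLICY = PortFilterPolicy([{1, 2}, {3}], {BACKBONE_NEW: 1, BACKBONE_PEER: 2, ACCESS: 3})


def after_router_swap():
    """Port-1 backbone router replaced, new MAC. Returns (MAC verdict, port verdict)."""
    frame = Frame(1, BACKBONE_NEW, BACKBONE_PEER)
    return MAC_POLICY.permits(frame), PORT_POLICY.permits(frame)  # (False, True)


def forged_backbone_mac():
    """Port-3 access router forges the old backbone MAC. Returns (MAC verdict, port verdict)."""
    frame = Frame(3, BACKBONE_OLD, BACKBONE_PEER)
    return MAC_POLICY.permits(frame), PORT_POLICY.permits(frame)  # (True, False)
```

The MAC-keyed policy blocks the legitimate replacement router until someone edits the filter, yet passes the forged frame; the port-keyed policy does the reverse, which is the trade-off Jim's message points at.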