One host per subnet concept

Unanswered Question
Mar 15th, 2009


I would like to the limit the damage a virus can do in a network. I was told that having one host per subnet with ACLs can do the trick. Is that the best way to limit the exposure of an attack? Because, if I were to have hundreds of users and machines in the network, wouldn't that be not feasible to deploy? I heard that some major corporations are already doing that. Is it really true?

ohassairi Sun, 03/15/2009 - 23:24

It is possible to do it, but I think this is a very heavy solution and it will be difficult to manage.

I think the best way to protect your PCs is (in addition to using VLANs and ACLs) installing these all-in-one software packages (antivirus/firewall/IPS) on your computers; you can manage them from a central console by defining different policies and rules for each group/VLAN.

Keeping your software updated and monitoring logs is very important.

alanchia2000 Mon, 03/16/2009 - 00:05

I do agree totally with what you have said. In fact, prior to this post, I have brought out this argument and my points don't seem strong enough under the scope of security. So let's just say I am forced to go with this solution until someone can propose a stronger argument to convince my bosses.

Jon Marshall Mon, 03/16/2009 - 03:20

Having one subnet per host is, to be honest, a rather dumb idea, and I know this is not your idea. Sometimes people in security come up with these great ideas with little understanding of how they impact the underlying network.

If you have a L2 access-layer to a layer 3 distro/core, this is going to create such a management nightmare that you will be spending most of your time trying to keep track of which user is in which VLAN, why one user can access a certain app but another can't, etc...

It is in my opinion total overkill. There may well be some machines that need extra protection and putting them in their own VLAN can be a sensible thing to do, but I have never worked in an environment where all machines are equal. What is the cost of losing some machines to a virus compared to the management overhead that will be introduced?

By all means segregate machines into VLANs based on their importance to the business and then secure accordingly, i.e. firewalls/IPS (both network and end host), ACLs, 802.1X, Network Admission Control (NAC), etc. These are sensible precautions to take.

An additional argument could just be bandwidth use. If every device is in its own subnet and you use L2 from the access-layer, for a device to communicate with any other device the traffic would need to be routed to the distro/core layer and then routed back to the other client. This is horribly inefficient, as you lose all the benefits of the switch fabric and are now limited to the speed of the uplinks to the distro/core.

It's difficult to know how network oriented your security people are. Perhaps if you explained that what they are proposing is like having to maintain a different virus client on each and every host they may understand. That many subnets with that many ACLs and there will be mistakes.


Leo Laohoo Mon, 03/16/2009 - 14:50

Hi Jon,

Nicely put. Unfortunately, whatever happens, it's always a "network fault": I can't turn on my computer. It's a network fault. The toilet lights are out. It's a network fault. The vending machine is broken. It's a network fault. There's a computer virus on the loose. Rightie-o daddy-o. It's a network fault.

A virus on the loose in a network can easily be mitigated if proper anti-virus software is mandatory in an OEM "image". But this software is useless if someone disables regular update of the anti-virus definition files.

I worked in an organization in 2007 when I discovered (using a packet sniffer) that the Slammer virus was all over the network. I was able to trace it down to a handful of hosts that were running non-OEM software and without any anti-virus software. Of course, the security guys blamed networks because of their thinking "without networks, the virus wouldn't have entered". Oh well ... after shutting down their ports, they got the message and installed anti-virus software and updated the definition files.

alanchia2000 Mon, 03/16/2009 - 18:57

Well, I am not the manager of my network, so this is not within my jurisdiction. And I am tasked with executing this "one host per subnet" thingy.

Anyway, are PVLANs and VLAN ACLs capable of doing it?

My worry is that there are many levels of communication, for example:

1. Client to server

2. Server to server

3. Server to client

This is only going to make things worse with 1 host per subnet. If PVLANs and VLAN ACLs can do the job, I will proceed with my studies on making this work in the context of security.

Leo Laohoo Mon, 03/16/2009 - 19:30

I hope you are paid good money because you are being asked to implement a solution that is only being used in a class (it's not even in a lab) environment.

Jon Marshall Tue, 03/17/2009 - 05:27

PVLANs and VACLs will not necessarily make your job any easier, as you have to isolate every single device and control traffic with ACLs between every single device.

I appreciate you are not the network manager, but perhaps a different approach is to ask security exactly what they want to achieve - not HOW they want it achieved, as that is for the network designer to say.

If they give you a list of requirements you could then look into tools/technologies that will achieve what you need.

Note that "each host on its own subnet" is not a requirement. A requirement would be "If a host on a subnet gets infected, its impact on the rest of the network should be minimal".

Now that could mean only hosts on the same subnet and not any others, or it could mean no other hosts at all, but this needs to be weighed up against the extra administrative cost of managing the solution.

Ask security which machines are critical in the business - if they say every single one then get a new security dept :-). Seriously though, perhaps they could categorize servers/desktops by their importance.

Don't assume security people know about networks. They may, but they may not. The last company I worked for had a network that covered the entire UK with over 1000 sites and an MPLS WAN. One of the security guys had used Microsoft ISA Server at his previous company to lock down DHCP requests and stated we should do the same. Looking into what he had used, it became clear that what they did only worked with L2 networks and not across L3 routed networks. When I explained this to him he could not see the problem with turning our entire network into one L2 flat network. Funnily enough we didn't go ahead with that implementation :-).

None of us on this thread are trying to make your job harder. We are just saying that it really isn't a scalable solution at least not without tools that can automate an awful lot of the administration but even then it makes little sense.
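For reference on the PVLAN/VACL question, here is what an isolated private VLAN plus a VLAN access map actually gives you on a single subnet. This is an added example in Catalyst 3560/3750-class IOS syntax, not configuration posted by anyone in this thread; the VLAN numbers, addresses, port range and the single file server on 10.10.10.10 are assumptions. Hosts on isolated ports cannot exchange frames with each other at all, only with the promiscuous side (the gateway SVI), so host-to-host spread inside the subnet is blocked at layer 2 without giving every host its own subnet. The VACL then decides what those hosts may send and receive through the gateway, and this is the part that still needs a rule for every client-to-server relationship.

```cisco
! Added example: isolated PVLAN + VACL. All numbers are assumptions.
! Private VLANs need VTP transparent (or off) on this switch family.
vtp mode transparent
!
! Secondary (isolated) VLAN: members reach promiscuous ports only, never each other.
vlan 201
 private-vlan isolated
!
! Primary VLAN owns the subnet and is associated with the isolated VLAN.
vlan 200
 private-vlan primary
 private-vlan association 201
!
! Every client access port becomes an isolated host port (assumed Gi1/0/1-24).
interface range GigabitEthernet1/0/1 - 24
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
!
! One SVI, one gateway for all hosts; the SVI is the promiscuous side.
interface Vlan200
 ip address 10.20.0.1 255.255.255.0
 ip helper-address 10.10.10.5
 private-vlan mapping 201
!
! The VLAN map is stateless and sees bridged and routed traffic in BOTH directions,
! so replies from the server must be listed as well as the client's requests.
ip access-list extended CLIENTS-VACL
 remark DHCP through the relay on the SVI (assumed)
 permit udp any eq bootpc any eq bootps
 permit udp any eq bootps any eq bootpc
 remark SMB to one file server (assumed 10.10.10.10) and its replies
 permit tcp 10.20.0.0 0.0.0.255 host 10.10.10.10 eq 445
 permit tcp host 10.10.10.10 eq 445 10.20.0.0 0.0.0.255
!
! ARP is not IP; without a MAC clause that forwards it the hosts cannot resolve
! the gateway on platforms whose implicit deny also covers non-IP frames.
mac access-list extended ARP-ONLY
 permit any any 0x806 0x0
!
vlan access-map CLIENTS-FILTER 10
 match ip address CLIENTS-VACL
 action forward
vlan access-map CLIENTS-FILTER 20
 match mac address ARP-ONLY
 action forward
! IP packets matching no clause are dropped by the map's implicit deny.
!
vlan filter CLIENTS-FILTER vlan-list 200
```

Note what this does not give you: the VACL has no notion of a session, so every permitted server port is open in both directions for the whole subnet, and adding a second server or a second protocol means another pair of lines. That is the per-device administration Jon describes, just moved from subnets into one long VLAN map.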


lamav Tue, 03/17/2009 - 06:37

I agree with Jon 110%. The idea of placing each and every host in its own VLAN is beyond overkill, it's absurd.

We can all protect ourselves from infecting each other with germs and viruses by wearing astronaut suits all day, but how practical or reasonable is that?

Your network security team should be focusing on perimeter security, i.e. firewalling, IDS/IPS, etc. As an aside, I prefer separate appliances and not switch modules, if you use Cisco devices. Moreover, you can even implement a security paradigm in which you firewall between VLANs within your enterprise, as companies who maintain sensitive client databases do to satisfy SOX and HIPAA requirements.

These are the things you can do from a network perspective.

Then the security/desktop support team needs to focus on personal security, like PC-based firewalls, virus scanners, etc.



alanchia2000 Tue, 03/17/2009 - 09:17

Hi Jon,

I appreciate your honesty and sincere advice in this matter. However, the point has been made in the first post. It must limit the damage done by a virus or even a zero-day attack, against which I have trouble defending my argument.

And yes, I do strongly agree that PVLANs and VACLs do not make my job any easier.

For me, I prefer to have my solutions simple and easy to maintain and thus strong. However, implementing "one host per subnet" is very prone to configuration issues and very, very unscalable. I will put those cons in my proposal. If he accepts that, then I will have to deploy it.

csthorne Tue, 03/17/2009 - 14:07

Seems like it would be easier to set it up like the old telephone operator did. When someone wants to talk to another, just plug both into the switch, then after a prearranged time limit unplug both then wait for the next request.

Edison Ortiz Tue, 03/17/2009 - 14:31

"Is it really true?"

Just think how big the routing table would be on a 1k user site.

Your recommendation should concentrate at the WAN edge, not the LAN edge. Most virus attacks come from the outside, not the inside, and when it comes from the inside, it was caused by workstations that weren't properly patched.

The network can't solve the problem of having a flawed patching system for workstations.

At the WAN edge and even for internal edge monitoring, I recommend reading the IOS documentation (Security section) for options:

You can implement IPS/IDS - Network Admission Control among other features available in IOS.

The client is looking at you as the expert - do your thing.



Leo Laohoo Tue, 03/17/2009 - 16:07

They are right. The Security people are already in the wrong to dictate the "solution" even though it's questionable. If you run with this, not only will your implementation be difficult, but you might as well be under their control.

If you can't talk the Security team out of their half-baked solution, set up a proof-of-concept network to verify.

alanchia2000 Tue, 03/17/2009 - 17:47


Everyone, thanks for the suggestions. Unfortunately, the person proposing this solution is a network AND security person. By network, I mean he has many Cisco qualifications. And I am just one paper away from my CCNP. I do know about the consequences of implementing his proposed solution, and yes, I am planning to set up a proof of concept to prove something.

If you meet someone who has that many qualifications and is your superior, how much convincing can you do?

The whole point is that he is trying to limit the damage that can potentially be done to the network. I do know a whole lot of tools which may solve that issue, but all those solutions require a signature, which might not work on zero-day attacks. So this is the one point I am unable to counter-propose.

Tony.henry Tue, 03/17/2009 - 20:03


The idea is retarded. Whoever gets tapped to set this up is going to spend an awful lot of time setting up a lot of filters for something that should be dealt with in SOE policy, such as regular software updates and locking down of machines so that users can't turn off the automatic virus updates.

If it's you then I feel sorry for you. I don't reckon it will be too long before your boss reconsiders, however. The length of time to set up users and the inflexibility of the network would force me to have a rethink about it pretty quickly if I were him.

I presume you've expressed your opinion; if our bosses still want to do silly things after paying our salary, and don't listen to our opinions, then it's their problem.

good luck

Tony Henry

Jon Marshall Wed, 03/18/2009 - 05:16

So if every host is on its own subnet this will stop a zero-day attack? Well it might, then again it might not. Each host presumably still needs to communicate with a server/servers. And if that server is infected and the ports that are used to transmit the virus are the same ports that are needed for the client to be able to communicate with the server.

You want to stop zero-day attacks? Unplug everything from the network, never connect to the Internet and only share data by printing it out. Sounds ridiculous? Not much more ridiculous than what he is proposing.

The key points that need to be addressed -

1) What is it he is trying to protect? In no company I have ever worked in is every single device on the network equal. What he is proposing is a shotgun approach, i.e. let's try to solve the problem with a one-size-fits-all solution.

2) Has he considered the traffic patterns of the network if every single device needs to route to communicate with any other device?

3) Has he proposed how these ACLs will be managed? By the way, if he is serious about security, ACLs are not the way to go. Stateful firewalling is needed, and now things are really starting to get complicated.

He may have a lot of certifications, more than you, but that doesn't mean he is better than you. Doesn't mean he is worse either. A certification allows you to understand technologies and how they work together. But what it doesn't give you is experience. And although on paper this may seem like a great idea, it simply isn't. Here is what I would propose:

1) Use /25 or even /26 subnets for your clients.

2) On these client subnets make sure there is nothing that a client needs to communicate with, i.e. printers etc. need to go on their own subnets.

3) You can then use ACLs/firewalls to lock down what ports the clients can use to connect to machines off their VLAN.

4) Keep AV up to date on clients. Consider a heuristic agent as well that not only checks for signatures but also "abnormal" behaviour.

The above assumes that if a virus gets onto one of the clients then the worst it can do is propagate within the VLAN but not outside. Even this is debatable depending on the ports.

If your security guy says that isn't good enough ask him for his analysis of how important each client is to the business and how much cost there is to the business compared with how much cost there is in managing the solution. He has costed up managing the solution right ?

For the servers you can take a different approach. Yes, by all means segregate servers by functionality into separate VLANs. IDS/IPS + firewalling are perfectly logical things to do.

Also on the Cisco site there are many useful papers on L2 and L3 security that could be used.

I appreciate it is difficult for you, but everybody on this thread has advised you it really isn't a manageable/sensible solution, and there are some pretty experienced people on this thread.

The more complicated you make something the harder it is to manage. The harder it is to manage the more likely mistakes will be made. And the more mistakes you make the less secure your network will end up being.
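The four-point proposal above, written out as Catalyst/IOS configuration. This is an added example, not something posted in the thread: VLAN numbers, addresses, the server roles (DHCP/DNS on 10.10.10.5, a domain controller on .20, a file server on .10, a web application on .30) and the 10.20.0.0/16 block holding all client /26s are assumptions. The point it makes concrete is point 3 of the proposal and the caveat in point 3 of the questions: a router ACL on the SVI only governs what leaves each subnet and only matches TCP flags with `established`, so the server-side rules are where the stateless limitation shows.

```cisco
! Added example: /26 client VLANs, printers on their own subnet, SVI ACLs.
! All addresses, VLAN numbers and server roles are assumptions.
!
! A /26 limits a worm scanning its own subnet to at most 62 peers.
interface Vlan20
 description CLIENTS-A (10.20.0.0/26)
 ip address 10.20.0.1 255.255.255.192
 ip helper-address 10.10.10.5
 ip access-group CLIENTS-A-IN in
!
! Nothing a client needs lives in its VLAN: printers get their own subnet.
interface Vlan30
 description PRINTERS (10.30.0.0/24)
 ip address 10.30.0.1 255.255.255.0
 ip access-group PRINTERS-IN in
!
interface Vlan10
 description SERVERS (10.10.10.0/24)
 ip address 10.10.10.1 255.255.255.0
 ip access-group SERVERS-IN in
!
! What CLIENTS-A may initiate. Inbound on the SVI means "leaving the subnet";
! traffic between two clients on VLAN 20 never touches this list.
ip access-list extended CLIENTS-A-IN
 remark infrastructure: DHCP via relay, DNS on .5, Kerberos/LDAP on .20 (assumed)
 permit udp any eq bootpc any eq bootps
 permit udp 10.20.0.0 0.0.0.63 host 10.10.10.5 eq domain
 permit tcp 10.20.0.0 0.0.0.63 host 10.10.10.5 eq domain
 permit udp 10.20.0.0 0.0.0.63 host 10.10.10.20 eq 88
 permit tcp 10.20.0.0 0.0.0.63 host 10.10.10.20 eq 88
 permit tcp 10.20.0.0 0.0.0.63 host 10.10.10.20 eq 389
 remark applications: named host and port, never "ip any"
 permit tcp 10.20.0.0 0.0.0.63 host 10.10.10.10 eq 445
 permit tcp 10.20.0.0 0.0.0.63 host 10.10.10.30 eq 443
 remark printing: the print protocol only
 permit tcp 10.20.0.0 0.0.0.63 10.30.0.0 0.0.0.255 eq 9100
 remark no traffic from this /26 to any other client /26 (all clients in 10.20/16)
 deny   ip 10.20.0.0 0.0.0.63 10.20.0.0 0.0.255.255 log
 remark web through the perimeter firewall; everything else logged and dropped
 permit tcp 10.20.0.0 0.0.0.63 any eq www
 permit tcp 10.20.0.0 0.0.0.63 any eq 443
 deny   ip any any log
!
! Printers answer, they do not initiate.
ip access-list extended PRINTERS-IN
 permit tcp 10.30.0.0 0.0.0.255 eq 9100 10.20.0.0 0.0.255.255 established
 deny   ip any any log
!
! Servers: replies to client sessions only. "established" checks TCP flags
! (ACK/RST), not session state, and UDP has no equivalent, hence the
! per-service UDP lines; a stateful firewall replaces this list eventually.
! Server-to-server traffic inside VLAN 10 is switched and never hits this ACL.
ip access-list extended SERVERS-IN
 permit tcp 10.10.10.0 0.0.0.255 10.20.0.0 0.0.255.255 established
 permit udp host 10.10.10.5 eq domain 10.20.0.0 0.0.255.255
 permit udp host 10.10.10.20 eq 88 10.20.0.0 0.0.255.255
 permit udp host 10.10.10.5 eq bootps any eq bootps
 deny   ip any any log
```

Reading the lists against point 1 of the proposal: a worm on a client can reach port 445 on one server and port 9100 on the printers, and nothing else off its subnet; the log on the final deny is what tells you which client is scanning. Adding a second file server or a second client /26 is one line in the client list, which is the administrative cost of this design, compared with a subnet and a list per host.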


lamav Wed, 03/18/2009 - 05:24

I say you handle this security fool the Brooklyn way: Wait til he goes to the bathroom and yoke 'em.

All kidding aside, if this guy is really up the ladder from you, then this is the perfect opportunity for you to make him look like the moron that he is and take his position.

Present your case in bulleted fashion, offer solutions on the network level and the client level, and make sure you put the onus of proof on that jerk.

Jon Marshall Wed, 03/18/2009 - 05:29

"I say you handle this security fool the Brooklyn way: Wait til he goes to the bathroom and yoke 'em."

Now i understand how you got to be where you are today :-)

lamav Wed, 03/18/2009 - 06:27


Come now, it's a dog-eat-dog world out there, my friend. Sometimes people need a little, how shall we say, convincing. LOLOL

By the way, have you seen Rick Burts? Havent "heard" from him lately on this board -- miss his stuff.

mark.cronin Wed, 03/18/2009 - 07:32

I thought I would add this to the mix

What about creating a MPLS network to obtain the segmentation required

For example, create VRFs as follows:

vrf for app servers

vrf for file servers

vrf for print servers

vrf for client A (multiple clients)

vrf for client B (multiple clients)

vrf for client C (multiple clients)

And then configure appropriate route leakage.

This is just a topic for conversation, not a real-world solution.
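To make the VRF idea concrete: the same segmentation done as VRF-lite on one layer 3 switch, with route targets as the "route leakage". This is an added example, not configuration from the thread; the VRF names, AS number, route distinguishers, VLANs and addresses are assumptions, and it assumes a platform that honours route-target import/export between local VRFs without an MPLS peer. The property worth noting is that isolation here comes from the routing table rather than from an ACL: CLIENT-A and CLIENT-B import the server VRFs' routes but never each other's, so a host in one client VRF has no route at all to a host in the other, whatever ports it tries.

```cisco
! Added example: VRF-lite segmentation by route target. All values are assumptions.
! Export RT = "who I am"; import RTs = "whose routes I am allowed to see".
ip vrf APP-SERVERS
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:101
 route-target import 65000:102
!
ip vrf FILE-SERVERS
 rd 65000:2
 route-target export 65000:2
 route-target import 65000:101
!
ip vrf CLIENT-A
 rd 65000:101
 route-target export 65000:101
 route-target import 65000:1
 route-target import 65000:2
!
! CLIENT-B sees the app servers only: no import of 65000:2, no file-server routes,
! and no import of 65000:101, so no route to CLIENT-A either.
ip vrf CLIENT-B
 rd 65000:102
 route-target export 65000:102
 route-target import 65000:1
!
! "ip vrf forwarding" clears the address, so it comes before "ip address".
interface Vlan10
 ip vrf forwarding APP-SERVERS
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan11
 ip vrf forwarding FILE-SERVERS
 ip address 10.10.11.1 255.255.255.0
!
interface Vlan20
 ip vrf forwarding CLIENT-A
 ip address 10.20.0.1 255.255.255.0
!
interface Vlan21
 ip vrf forwarding CLIENT-B
 ip address 10.21.0.1 255.255.255.0
!
! BGP is only the vehicle that carries connected routes between the local VRFs
! according to the route targets above; there is no neighbour and no MPLS.
! With every interface inside a VRF the router-id has to be set by hand.
router bgp 65000
 bgp router-id 10.255.255.1
 no bgp default ipv4-unicast
 address-family ipv4 vrf APP-SERVERS
  redistribute connected
 exit-address-family
 address-family ipv4 vrf FILE-SERVERS
  redistribute connected
 exit-address-family
 address-family ipv4 vrf CLIENT-A
  redistribute connected
 exit-address-family
 address-family ipv4 vrf CLIENT-B
  redistribute connected
 exit-address-family
!
! Verify: "show ip route vrf CLIENT-B" should list 10.21.0.0/24 (connected)
! and 10.10.10.0/24 (BGP), and neither 10.10.11.0/24 nor 10.20.0.0/24.
```

Route targets control reachability at subnet granularity, so this replaces the "no client-to-client" deny in an ACL, not the port-level rules: CLIENT-A can still reach every port on every file server, and filtering those ports is still an ACL or firewall job on the server side. Which is also why the one-VRF-per-host joke that follows is the same problem wearing a different hat.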


Jon Marshall Wed, 03/18/2009 - 08:45

Oh dear, now the security guy will probably decide he wants one VRF per device just to be on the safe side :-)

Jon Marshall Wed, 03/18/2009 - 08:44

"By the way, have you seen Rick Burts?"

Not recently no. Maybe he's just taking a well earned rest...

Leo Laohoo Wed, 03/18/2009 - 15:27


"I say you handle this security fool the Brooklyn way: Wait til he goes to the bathroom and yoke 'em." < --- How CRUDE! Do this the Filipino way ... switch his coffee/tea cream with Ex-Lax. He he he ...


Everyone in this forum topic is saying that the security "expert" (who probably got his certification from the back of a cereal box), is a dim-wit who probably doesn't know how to implement the solution in the first place.

My 2c ...

lamav Wed, 03/18/2009 - 16:52


By the way, "yoke 'em" means to get him in a headlock and punch him in the face real quick and walk away as if nothing happened. Just needed to clear that point, given that I mentioned that the "yoking" should take place in the bathroom. LOLOL

Leo Laohoo Wed, 03/18/2009 - 21:46


Anything (gruesome) can happen in a bathroom. But switching coffee/tea cream with Ex-Lax can eventuate with a "yoking" too. :)

alanchia2000 Thu, 03/19/2009 - 23:04

I do see how all the solutions proposed gel together. VRF and 1 host per subnet have to come together in order for this solution to work. BUT, I will try to convince my superior that the maintenance requires a huge overhead and dissuade him from using this solution.

Leo Laohoo Sun, 03/22/2009 - 17:39

You're right. In the current financial situation, I'd mention that it would incur a significant amount of "financial" overhead: development, testing, implementation and support. With the majority to be done after hours, it would mean some overtime pay for you.

hobbe Thu, 03/26/2009 - 02:33

WTF ??? You have PAID OVERTIME ??

hmm I need to go talk to my boss now..

But I agree with it being a very, very expensive solution, and there are better ways to get the same bang or more bang for the buck, so to speak.

