NOC servers with public/private ip address
Valdis.Kletnieks at vt.edu
Wed Aug 15 15:01:23 UTC 2001
On Wed, 15 Aug 2001 10:40:12 EDT, "Christopher A. Woodfield" said:
>
> If you're talking about assigning RFC1918 space to router interfaces that
> transit traffic, a la @home, keep in mind that this can break PMTU-D, and
> makes for messy (and slow) traceroutes when external hosts try to resolve
> unresolvable reverse DNS entries.
>
> If you're talking about giving the workstations in your
> NOC private IP addresses, using NAT to access your core routers, I see no
> more a problem with that than I do with people using home DSL routers that
> utilize NAT.

There are those who would say using a NAT on a DSL router is evil. ;)

A better solution would be to have your NOC, your status monitoring
systems, your routers, your switches - all connected to a private
subnet without using NAT. The LAST thing you want in the middle of a
crisis is trying to debug a NAT problem ;)

Whether to number your management network with a /24 out of RFC1918
space, or a /2something out of your own address space, and how heavily
firewalled/isolated to make it, will depend on your paranoia level and
how it balances against ease-of-use concerns - if you have a fully isolated
management net, it's more secure, but a bitch to fix things from home ;)
--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech