NOC servers with public/private ip address

Valdis.Kletnieks at vt.edu
Wed Aug 15 15:01:23 UTC 2001


On Wed, 15 Aug 2001 10:40:12 EDT, "Christopher A. Woodfield" said:
> 
> If you're talking about assigning RFC1918 space to router interfaces that 
> transit traffic, a la @home, keep in mind that this can break PMTU-D, and 
> makes for messy (and slow) traceroutes when external hosts try to resolve 
> unresolvable reverse DNS entries.  
> 
> If you're talking about giving the workstations in your 
> NOC private IP addresses, using NAT to access your core routers, I see no 
> more a problem with that than I do with people using home DSL routers that 
> utilize NAT.

There are those who would say using a NAT on a DSL router is evil. ;)

A better solution would be to have your NOC, your status monitoring
systems, your routers, your switches - all connected to a private
subnet without using NAT.  The LAST thing you want in the middle of a
crisis is trying to debug a NAT problem ;)

Whether to number your management network with a /24 out of RFC1918
space, or a /2something out of your own address space, and how heavily
firewalled/isolated to make it, will depend on your paranoia level and
how it balances against ease-of-use concerns - if you have a fully isolated
management net, it's more secure, but a bitch to fix things from home ;)

-- 
				Valdis Kletnieks
				Operating Systems Analyst
				Virginia Tech
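
The two addressing points raised in this thread (RFC1918 space on transit interfaces, and a management subnet reached without NAT) can be checked against an interface inventory. The following is an added example, not part of the original post; the record layout, role names, device names and addresses are constructed assumptions.

```python
import ipaddress

# The three RFC 1918 blocks, listed explicitly: ipaddress's is_private also
# matches loopback, link-local and other special-purpose ranges.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def in_rfc1918(addr):
    """True if addr (string or address object) lies in RFC 1918 space."""
    addr = ipaddress.ip_address(addr)
    return any(addr in net for net in RFC1918)

def audit(interfaces, mgmt_net):
    """Return (device, ifname, finding) tuples for interface records.

    interfaces: iterable of (device, ifname, role, cidr); role is
    "transit" or "mgmt" (hypothetical labels for this example).
    """
    mgmt_net = ipaddress.ip_network(mgmt_net)
    findings = []
    for dev, ifname, role, cidr in interfaces:
        addr = ipaddress.ip_interface(cidr).ip
        if role == "transit" and in_rfc1918(addr):
            # ICMP errors sourced from this address may be dropped by
            # filters on private space, which is how PMTU-D breaks.
            findings.append((dev, ifname, "rfc1918-on-transit"))
        elif role == "mgmt" and addr not in mgmt_net:
            # Not on the shared management subnet: reaching it from the
            # NOC depends on routing or NAT somewhere in the path.
            findings.append((dev, ifname, "mgmt-outside-management-net"))
    return findings

# Constructed sample inventory (documentation and RFC 1918 addresses only).
SAMPLE = [
    ("core1", "so-0/0/0", "transit", "198.51.100.1/30"),
    ("core1", "fxp0", "mgmt", "10.20.30.11/24"),
    ("core2", "so-0/0/0", "transit", "10.1.1.1/30"),
    ("core2", "fxp0", "mgmt", "192.168.5.12/24"),
    ("noc-ws1", "eth0", "mgmt", "10.20.30.50/24"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, "10.20.30.0/24"):
        print(*finding)
```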
