Greenfield Access Network

Roland Dobbins rdobbins at
Thu Jul 31 16:24:22 UTC 2014

On Jul 31, 2014, at 8:23 PM, Colton Conor <colton.conor at> wrote:

> Is a firewall needed in the core?

No, quite the opposite:


> How would you build a access network from the ground up if you had the resources and time to do so?

I'd hire folks who have experience from both and architectural and operational perspectives, and who have the necessary local knowledge.  Most of the question you're asking (except the one about iatrogenic stateful firewalls) are situationally-specific, and aren't really going to be answerable in detail via a mailing-list, no matter the depth and breadth of expertise of many of those participating in said email list.

For example, you've asked nothing specifically about recursive or authoritative DNS infrastructure, although they're both key (you did mention DNS generically, which is good, but that's overly broad).  Nothing about availability and resiliency and telemetry visibility and network hardening.  Nothing about access policies, mitigation systems, quarantine systems, etc.  Nothing about upstream transit requirements, nothing about peering goals and imperatives.  Nothing about redundancy at any level/in any area/for any function.  And so forth.

I'm not criticizing you; I'm just trying to make the point that instead of concentrating on vendors and technologies and hardware and software, it's better to concentrate on *people* who have the requisite experience and expertise, and go from there.  There are lots of specializations and subspecializations, and it's important to have folks who have broad experience spanning multiple areas, as well as others who know *everything* in a given area.

While you can get some categorical advice, you can't really crowdsource the architecture, design, deployment, and operations of your network.


Roland Dobbins <rdobbins at> // <>

                   Equo ne credite, Teucri.

    		   	  -- Laocoön

More information about the NANOG mailing list