nanog mailing list archives

Re: NOC servers with public/private ip address


From: Valdis.Kletnieks () vt edu
Date: Wed, 15 Aug 2001 11:01:23 -0400

On Wed, 15 Aug 2001 10:40:12 EDT, "Christopher A. Woodfield" said:

> If you're talking about assigning RFC1918 space to router interfaces that 
> transit traffic, a la @home, keep in mind that this can break PMTU-D, and 
> makes for messy (and slow) traceroutes when external hosts try to resolve 
> unresolvable reverse DNS entries.  
> 
> If you're talking about giving the workstations in your 
> NOC private IP addresses, using NAT to access your core routers, I see no 
> more a problem with that than I do with people using home DSL routers that 
> utilize NAT.

There are those who would say using a NAT on a DSL router is evil. ;)

A better solution would be to have your NOC, your status monitoring
systems, your routers, your switches - all connected to a private
subnet without using NAT.  The LAST thing you want in the middle of a
crisis is trying to debug a NAT problem ;)

Whether to number your management network with a /24 out of RFC1918
space, or a /2something out of your own address space, and how heavily
firewalled/isolated to make it, will depend on your paranoia level and
how it balances against ease-of-use concerns - if you have a fully isolated
management net, it's more secure, but a bitch to fix things from home ;)

-- 
                                Valdis Kletnieks
                                Operating Systems Analyst
                                Virginia Tech
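
The following is an added example, not part of the original post: a small audit that parses `traceroute -n` output and lists the hops answering from RFC1918 space, which are the transit interfaces the quoted text warns about for PMTU-D and reverse DNS. The sample output, the addresses in it, and the function names are constructed for illustration.

```python
import ipaddress
import re

# The three RFC 1918 blocks. ipaddress.is_private is not used because it also
# matches documentation ranges such as 192.0.2.0/24, which are not RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of `traceroute -n` output (documentation/private addresses).
SAMPLE = """\
traceroute to 198.51.100.7 (198.51.100.7), 30 hops max, 40 byte packets
 1  192.0.2.1  0.512 ms  0.498 ms  0.471 ms
 2  10.12.0.5  8.201 ms  8.377 ms  8.190 ms
 3  * * *
 4  172.16.44.1  12.004 ms  11.870 ms  12.112 ms
 5  203.0.113.9  14.330 ms  14.201 ms  14.290 ms
 6  198.51.100.7  15.002 ms  14.950 ms  15.120 ms
"""

# A hop line starts with the hop number followed by an address or '*'.
HOP = re.compile(r"^\s*(\d+)\s+(\S+)")


def parse_hops(text):
    """Return [(hop_number, IPv4Address or None)]; None means no reply ('*')."""
    hops = []
    for line in text.splitlines():
        m = HOP.match(line)
        if not m:
            continue  # header line or blank line
        try:
            addr = ipaddress.ip_address(m.group(2))
        except ValueError:
            addr = None
        hops.append((int(m.group(1)), addr))
    return hops


def rfc1918_hops(text):
    """Return [(hop_number, address)] for hops that replied from RFC 1918 space."""
    return [(n, str(a)) for n, a in parse_hops(text)
            if a is not None and any(a in net for net in RFC1918)]


if __name__ == "__main__":
    for n, a in rfc1918_hops(SAMPLE):
        print(f"hop {n}: {a} replies from RFC1918 space")
```

Each flagged hop sources its ICMP replies from an address that has no public reverse DNS and that border filters dropping RFC1918 sources will discard, so it is worth checking whether that interface carries transit traffic.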
