Re: NOC servers with public/private ip address

  • From: Valdis.Kletnieks
  • Date: Wed Aug 15 11:04:49 2001

On Wed, 15 Aug 2001 10:40:12 EDT, "Christopher A. Woodfield" said:
> If you're talking about assigning RFC1918 space to router interfaces that 
> transit traffic, a la @home, keep in mind that this can break PMTU-D, and 
> makes for messy (and slow) traceroutes when external hosts try to resolve 
> unresolvable reverse DNS entries.  
> If you're talking about giving the workstations in your 
> NOC private IP addresses, using NAT to access your core routers, I see no 
> more a problem with that than I do with people using home DSL routers that 
> utilize NAT.

There are those who would say using a NAT on a DSL router is evil. ;)

A better solution would be to have your NOC, your status monitoring
systems, your routers, your switches - all connected to a private
subnet without using NAT.  The LAST thing you want in the middle of a
crisis is trying to debug a NAT problem ;)

Whether to number your management network with a /24 out of RFC1918
space, or a /2something out of your own address space, and how heavily
firewalled/isolated to make it, will depend on your paranoia level and
how it balances against ease-of-use concerns - if you have a fully isolated
management net, it's more secure, but a bitch to fix things from home ;)

				Valdis Kletnieks
				Operating Systems Analyst
				Virginia Tech
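One way to sanity-check an address plan against the two points made in this exchange (RFC1918 space on transit router interfaces, and a management subnet that the NOC hosts can reach without NAT), as an added Python example that is not part of the original thread. The interface list, the host names and the prefixes are constructed for illustration; the script only uses the standard `ipaddress` module.

```python
"""
Audit an IP address plan for the management-network concerns raised in the
thread: transit (traffic-carrying) router interfaces numbered out of RFC1918
space, and whether every management host lives inside the one private
subnet chosen for the NOC, so no NAT is needed to reach the routers.
Added example; the interface list below is constructed, not a real network.
"""
import ipaddress

# RFC1918 private blocks, spelled out rather than relying on
# ipaddress.is_private (which also matches other non-routable ranges).
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(addr):
    """True if the address falls inside one of the RFC1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def mgmt_net_kind(mgmt_net):
    """Classify the management prefix as 'rfc1918' or 'own-space'."""
    net = ipaddress.ip_network(mgmt_net)
    return "rfc1918" if any(net.subnet_of(b) for b in RFC1918) else "own-space"


def audit_plan(interfaces, mgmt_net):
    """
    interfaces: list of dicts with keys name, role ('transit' or 'mgmt'), addr.
    mgmt_net:   the prefix chosen for the management network (string).
    Returns a list of (interface name, finding) tuples; empty means clean.
    """
    mgmt = ipaddress.ip_network(mgmt_net)
    findings = []
    for iface in interfaces:
        ip = ipaddress.ip_address(iface["addr"])
        if iface["role"] == "transit" and is_rfc1918(iface["addr"]):
            # Private space on a transit hop: ICMP sourced from it is often
            # filtered upstream (breaking PMTU-D) and reverse DNS lookups
            # for it stall traceroute, as noted in the quoted message.
            findings.append((iface["name"], "transit interface in RFC1918 space"))
        elif iface["role"] == "mgmt" and ip not in mgmt:
            # A management host outside the management subnet would need NAT
            # or routing tricks to reach the routers' management addresses.
            findings.append((iface["name"], f"mgmt address not in {mgmt}"))
    return findings


# Constructed sample plan (hypothetical device names and addresses).
SAMPLE_INTERFACES = [
    {"name": "core1 ge-0/0/0", "role": "transit", "addr": "192.0.2.1"},
    {"name": "core2 ge-0/0/0", "role": "transit", "addr": "10.1.1.2"},
    {"name": "core1 mgmt0", "role": "mgmt", "addr": "10.250.0.1"},
    {"name": "noc-ws-01", "role": "mgmt", "addr": "10.250.0.50"},
    {"name": "status-monitor", "role": "mgmt", "addr": "10.251.0.9"},
]
SAMPLE_MGMT_NET = "10.250.0.0/24"

if __name__ == "__main__":
    print("management net is", mgmt_net_kind(SAMPLE_MGMT_NET))
    for name, finding in audit_plan(SAMPLE_INTERFACES, SAMPLE_MGMT_NET):
        print(f"{name}: {finding}")
```

Run against the sample plan it flags `core2 ge-0/0/0` (a transit interface numbered from 10/8) and `status-monitor` (a monitoring box outside the /24 picked for the NOC). Swap `SAMPLE_MGMT_NET` for a prefix carved out of your own allocation and `mgmt_net_kind` reports `own-space`; the audit logic is the same either way, which is the point of the original message: the choice between RFC1918 and your own space is about isolation and convenience, not about whether the design works.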

