[c-nsp] Best Practices for Enterprise networks
Zach Wilkinson
zachw at termdex.com
Mon Aug 30 14:13:56 EDT 2004
> Hello. I am trying to gauge what the Best Practices are for Enterprise
> network connections to the Internet. Specifically, to NAT or not to NAT?
> At what point should NAT-ting be performed ... exclusively at the Egress
> point or at decentralized points? What about firewalling -
> centralized/decentralized?

It depends on the structure of your IT organization--centralized vs
decentralized.

If there is only one IT group for your entire enterprise then you can NAT
immediately since your corporate backbone, LAN or WAN, could benefit from
the vast address space of RFC1918 addresses and the, likely, sole DMZ can
house all internet facing services.

If there are multiple IT groups with autonomy from the others then NATing
should be up to them, and real IP addresses should be used. The 'network'
that connects them to the internet is just an intermediate nsp that just
happens to be run by another department. The reason for this is that as
autonomous IT groups there is nothing preventing them dropping the internal
internet connection and getting their own from an outside provider. If they
do that and you've custom engineered the central network for each department
then that's work you have to do to move their services off the central
network.

(Hmm, I guess that's kind of a tangent... It comes from working at a
university)

Anyway, the point is to NAT as few levels as possible. Optimally you
shouldn't NAT more than once in your entire organization. NAT can be
difficult to manage as well as troubleshoot, but with the right design can
work well and provide many benefits.

>
> Thanks in advance for any feedback!
>
> Tracy Smith
> tsmith at illinois.net
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>