[c-nsp] Best Practices for Enterprise networks

[Zach Wilkinson]

> Hello.  I am tyring to gauge what the Best Practices are for Enterprise 
> network connections to the Internet.  Specifically, to NAT or not to NAT? 
> At what point should NAT-ting be performed ... exclusively at the Egress 
> point or at decentralized points?  What about firewalling - 
> centralized/decentralized?

It depends on the structure of your IT organization--centralized vs 
decentralized.
If there is only one IT group for your entire enterprise than you can NAT 
immediately since your corporate backbone, LAN or WAN, could benefit from 
the vast address space of RFC1918 addresses and the, likely, sole DMZ can 
house all internet facing services.
If there are multiple IT groups with autonomy from the others then NATing 
should be up to them, and real IP addresses should be used.  The 'network' 
that connects them to the internet is just an intermediate nsp that just 
happens to be run by another department.  The reason for this is that as 
autonomous IT groups there is nothing preventing them dropping the internal 
internet connection and getting their own from an outside provider.  If they 
do that and you've custom engineered the central network for each department 
then that's work you have to do to move their services off the central 
network.
(Hmm, I guess that's kind of a tangent... It comes from working at a 
university)

Anyway, the point is to NAT as few levels as possible.  Optimally you 
shouldn't NAT more than once in your entire organization.  NAT can be 
difficult to manage as well as troubleshoot, but with the right design can 
work well and provide many benefits.


>
> Thanks in advance for any feedback!
>
> Tracy Smith
> tsmith at illinois.net
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>