You understood correctly. 

You should be firewalling as I describe regardless of your addressing scheme. 
ALWAYS ONLY PERMIT ADDRESS RANGES LEAVING YOUR NETWORK THAT SHOULD BE LEAVING 
YOUR NETWORK. Always. 




----- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 



Midwest Internet Exchange 
http://www.midwest-ix.com 


----- Original Message -----

From: "Ken Hohhof" <af...@kwisp.com> 
To: af@afmug.com 
Sent: Saturday, January 23, 2016 2:36:21 PM 
Subject: Re: [AFMUG] you know you've crossed that threshold when.... 




Well, you can assign globally routable addresses and then block them at the 
border. Or you can assign them addresses from local space. Which is easier and 
less prone to error? 

Maybe I misunderstood what you meant by not having separate management and 
public subnets? 





From: Mike Hammett 
Sent: Saturday, January 23, 2016 2:30 PM 
To: af@afmug.com 
Subject: Re: [AFMUG] you know you've crossed that threshold when.... 


Well, firewall and/or null routing. 

----- Original Message -----

From: "Mike Hammett" <af...@ics-il.net> 
To: af@afmug.com 
Sent: Saturday, January 23, 2016 2:26:26 PM 
Subject: Re: [AFMUG] you know you've crossed that threshold when.... 


It already is on all of the big networks. 

You should be firewalling at all edges of your network (provider, peer and 
customer) anyway. You should only be allowing through traffic that you intend 
to leave your network. That would include router interfaces, servers, customer 
networks, etc. 

----- Original Message -----

From: "Ken Hohhof" <af...@kwisp.com> 
To: af@afmug.com 
Sent: Saturday, January 23, 2016 2:17:59 PM 
Subject: Re: [AFMUG] you know you've crossed that threshold when.... 




Why would you put infrastructure on a public subnet, even with IPv6? Even if 
it’s a needle in a haystack, I would not want management IPs to be globally 
routable. 





From: Mike Hammett 
Sent: Saturday, January 23, 2016 2:04 PM 
To: af@afmug.com 
Subject: Re: [AFMUG] you know you've crossed that threshold when.... 


Except in v6 you'll see a departure from separate management and public 
subnets. It'll all be one. 

----- Original Message -----

From: "CBB - Jay Fuller" <par...@cyberbroadband.net> 
To: af@afmug.com 
Sent: Saturday, January 23, 2016 2:02:56 PM 
Subject: Re: [AFMUG] you know you've crossed that threshold when.... 

 

we use pretty much the same subnet in ipv4 for the first part .... in a.b.c.d a 
and b are pretty much the same 



----- Original Message ----- 
From: Mike Hammett 
To: af@afmug.com 
Sent: Saturday, January 23, 2016 1:29 PM 
Subject: Re: [AFMUG] you know you've crossed that threshold when.... 

Ehhhhh, it might even be easier. You're supposed to use the bit boundaries (4 
or 8 bits, I forget which) to be your progression of infrastructure. /48s for 
customers, /40 for a site (allowing 256 subnets per tower site), /32 for 
company, meaning 256 sites. Just as long as you have a pattern to your site 
layout or devices on a given subnet... 

----- Original Message -----

From: "Josh Reynolds" <j...@kyneticwifi.com> 
To: af@afmug.com 
Cc: memb...@wispa.org 
Sent: Saturday, January 23, 2016 12:51:32 PM 
Subject: Re: [AFMUG] you know you've crossed that threshold when.... 


DNS is an amazing thing. 
Try doing what you are doing now with IPV6. :) 
On Jan 23, 2016 12:29 PM, "CBB - Jay Fuller" < par...@cyberbroadband.net > 
wrote: 

<blockquote>




Hm, i know i put up a site there, but i can't remember the subnet/ip address 
anymore... 

i can name over 90% of our subnets, but there are some today i have to look 
up... 





</blockquote>
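
An added example, not part of the thread above: the /32 company, /40 site, /48 subnet plan carved on 8-bit boundaries, with a default-deny check that lets a source address leave only if it belongs to a deployed site and is not management space. The 2001:db8::/32 documentation prefix, the "subnet 0 is management" convention and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed value: the IPv6 documentation prefix stands in for the company /32.
COMPANY = ipaddress.IPv6Network("2001:db8::/32")
# Assumption (not from the thread): subnet 0 of every site holds management.
MGMT_SUBNET_ID = 0


def _carve(parent, index, new_len):
    """Return child number `index` of length `new_len` inside `parent`."""
    count = 1 << (new_len - parent.prefixlen)
    if not 0 <= index < count:
        raise ValueError(f"index {index} outside 0..{count - 1}")
    base = int(parent.network_address) + (index << (128 - new_len))
    return ipaddress.IPv6Network((base, new_len))


def site_prefix(site_id):
    """The /40 for one tower site; 8 bits give 256 sites per /32."""
    return _carve(COMPANY, site_id, 40)


def subnet_prefix(site_id, subnet_id):
    """One /48 inside a site; 8 bits give 256 subnets per /40."""
    return _carve(site_prefix(site_id), subnet_id, 48)


def egress_permitted(src, deployed_sites):
    """Default deny: a source may leave only if it sits in a deployed
    site's /40 and is not in that site's management /48."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    if addr.version != 6:
        return False  # this sketch covers the v6 plan only
    for site_id in deployed_sites:
        if addr in subnet_prefix(site_id, MGMT_SUBNET_ID):
            return False  # management space stays inside the network
        if addr in site_prefix(site_id):
            return True
    return False  # foreign, spoofed, or not-yet-deployed space
```

The same permit list is what a border filter or null route would be generated from, so the plan and the filter cannot drift apart.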