On Tue, 4 Jan 2011, Brian E Carpenter wrote:
> Wouldn't the rule "Use ULA prefix inside the site and PA prefix (with privacy addresses if desired) otherwise" be simpler? And, by default, it would prevent the "inside" address being exported by mistake.
Two prefixes in access lists doesn't seem simpler, though I see it could be an option in some other contexts. In our case, we have 20+ subnets which are not behind a single big firewall, so there is no "inside" and "outside". Also for that reason, using only globals would be preferable.
-- 
Pekka Savola
Netcore Oy
Systems. Networks. Security.
"You each name yourselves king, yet the kingdom bleeds."
-- George R.R. Martin: A Clash of Kings

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
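
An added illustration, not part of the original message and not written by either poster: the quoted rule expressed as source-address selection with a border egress check, next to the access-list entry count for 20 subnets under one versus two prefixes. The prefixes, host addresses and function names are constructed for the example.

```python
import ipaddress

# Constructed prefixes: a ULA /48 from the RFC 4193 range and a PA /48 from
# the documentation block 2001:db8::/32. Neither appears in the thread.
SITE_ULA = ipaddress.ip_network("fd12:3456:789a::/48")
SITE_PA = ipaddress.ip_network("2001:db8:aaaa::/48")
ULA_RANGE = ipaddress.ip_network("fc00::/7")


def pick_source(dst, host_addrs):
    """Quoted rule: ULA source for in-site destinations, PA source otherwise."""
    wanted = SITE_ULA if ipaddress.ip_address(dst) in SITE_ULA else SITE_PA
    for addr in map(ipaddress.ip_address, host_addrs):
        if addr in wanted:
            return str(addr)
    return None  # host has no address in the required prefix


def border_permits(src):
    """Egress check at the site border: a ULA source is never exported."""
    return ipaddress.ip_address(src) not in ULA_RANGE


def subnet_acl(subnet_ids, prefixes):
    """One /64 permit entry per protected subnet per site prefix."""
    acl = []
    for prefix in prefixes:
        base = int(prefix.network_address)
        for sid in subnet_ids:
            # The subnet ID sits in the 16 bits just above the interface ID.
            acl.append(ipaddress.ip_network((base | (sid << 64), 64)))
    return acl


if __name__ == "__main__":
    host = ["fd12:3456:789a:1::25", "2001:db8:aaaa:1::25"]  # constructed
    for dst in ("fd12:3456:789a:5::10", "2001:db8:ffff::1"):
        src = pick_source(dst, host)
        print(dst, "<-", src, "| border permits:", border_permits(src))
    subnets = range(1, 21)  # the 20 subnets mentioned in the reply
    print("globals only:", len(subnet_acl(subnets, [SITE_PA])), "entries")
    print("ULA + PA:    ", len(subnet_acl(subnets, [SITE_ULA, SITE_PA])), "entries")
```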