More stuff to manage if we push it out to the CPE. I know this is mean to say, but most customers are STUPID and keeping it centralized reduces our support load. Give them enough rope, they hang themselves. We used to do lots more on the CPE, but between bad power supplies, lost passwords, software upgrades, "power users", etc. we find our time is better spent managing it all centrally. Also, customers might exist in several locations, we can give them the same 1918 network in all locations, run NAT for them, do VPNs for them, bring L2TP DSL into the fray, and only bill them for traffic that goes "out to the Internet" quite easily. (apologies to vendors watching) but I really think this "push intelligence out to the edge" concept is entirely vendor invented to sell more stuff. There are more edge devices than core devices..... Dan. Andy Dills wrote:
On Wed, 4 Jun 2003, Dan Armstrong wrote:
90% of our customers all use private address space. We only give out real address space to customers that have servers that need to be visible. We run NAT on several customer facing routers.
Cool stuff we can do is setup PPTP VPNs on the same router to give people "access from home" to their LAN. Same with L2TP/ILEC DSL.
Problems include:
We have a big nat pool on each router. If some twerp customer gets infected with some windoze crap, tracking it down can be a bit more work.
Until recently, the IOS could not take huge volumes of NAT without tossing it's cookies from time to time.
We have been toying around with VRFs & NAT which was recently introduced in the IOS, and it appears that in a NAT situation, the VRFs "leak" between each other, which scares the crap out of me. We are going to wait for a couple of revisions of the IOS before looking into that again.
Why on earth would you do anything other than push NAT responsibility to the end-user CPE?
So you can do the aforementiond "cool stuff"?
Andy
--- Andy Dills Xecunet, Inc. www.xecu.net 301-682-9972 ---