On Wed, 4 Jun 2003, Dan Armstrong wrote:
More stuff to manage if we push it out to the CPE.
I know this is mean to say, but most customers are STUPID and keeping it centralized reduces our support load. Give them enough rope, they hang themselves. We used to do lots more on the CPE, but between bad power supplies, lost passwords, software upgrades, "power users", etc. we find our time is better spent managing it all centrally.
Well, wait. You either manage their router or you don't. I'm not following...so in your new setup where YOUR routers manage NAT, you now refuse to fix a problem on the CPE? If you manage the router, so they don't get a password, then do NAT there, at the CPE. If you don't manage the router, not having NAT on the CPE does nothing for you anyway, you still have the issue of stupid users breaking things.
Also, customers might exist in several locations, we can give them the same 1918 network in all locations, run NAT for them, do VPNs for them, bring L2TP DSL into the fray, and only bill them for traffic that goes "out to the Internet" quite easily.
Why would you want to only bill them for the egress bandwidth? You should be finding reasons to make that impossible, not the other way around. You running a non-profit over there? You seem to assume a network with a single NOC...I don't want to pay to backhaul Joe's file and print sharing between states so that he won't have to. As for the other reasons, still not convinced. This isn't as whacky as the guy who runs his entire ISP behind a NAT box, but I still don't see what efficiency you've created. The things you mention could be solved in other ways.
(apologies to vendors watching) but I really think this "push intelligence out to the edge" concept is entirely vendor invented to sell more stuff. There are more edge devices than core devices.....
How do you figure? The customer needs a router, period. Whether or not you do NAT on your router or their router should be a function of how much other stuff your router does. If the customer needs a router regardless, there are no more devices being sold. If you have to fix CPE problems unrelated to NAT _anyway_, why create potential problems at your edge (let's set ourselves up for a multi-day outage for most of our high-margin customers!) by doing the NAT for them, when you could push that to their router? Hell, unless there is a DOS underway, we make our customers filter there own packets too. Why? That's the way it should be done. I'll repeat your last sentence: "There are more edge devices than core devices"...yes, and more CPEs than edge devices. That's hierarchy at work...the point is that "work" (anything other than forwarding packets) must be pushed as far away from the core as possible. Furthermore, there's a general principle of "easy to manage, easy to break" at work here. Implement NAT in one box, if NAT breaks, every single customer attached dies. Implement NAT in one box for each customer, and if NAT breaks, a single customer dies. Andy --- Andy Dills Xecunet, Inc. www.xecu.net 301-682-9972 ---