On Fri, Jul 13, 2012 at 1:56 PM, <Jean-Francois.TremblayING@videotron.com> wrote:
-Hammer- <bhmccie@gmail.com> wrote on 13/07/2012 12:21:13 PM:
I like the ULA approach.
Global and ULA are two approaches, but there's a third one: GUA + ULA. We actually put a GUA on servers speaking publicly, a ULA on servers speaking in our domain only and *both* ULA and GUA on servers which talk both ways. Our datacenter firewalls are configured to enforce GUA-GUA and ULA-ULA connections only (just simple URPF over two interfaces).
This setup works very well; surprisingly, we've had very few source address selection problems so far (knock on wood). We're very happy that the separation between public and "private" networks is clear; it helps a lot with debugging and service separation.
Off the top of my head, the first problem you might hit there is WRT multicast ... *(ULA might "win" some source address selections that you want GUA to win)* /TJ
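The source address selection behaviour discussed in this thread can be worked through in a short sketch. This is an added example, not part of the original messages: it goes beyond the thread by applying only rule 6 (matching label) and rule 8 (longest matching prefix) of default source address selection, using the default policy-table labels from RFC 3484 and RFC 6724, to a server holding both a GUA and a ULA. All addresses are constructed, the function names are hypothetical, real hosts apply the remaining rules and may carry a modified policy table, and the RFC 6724 cap of rule 8 at the source prefix length is omitted because it does not change these cases.

```python
import ipaddress

# Default policy-table labels (prefix -> label) from the two RFCs.
RFC3484 = {"::1/128": 0, "::/0": 1, "2002::/16": 2, "::/96": 3, "::ffff:0:0/96": 4}
RFC6724 = {**RFC3484, "2001::/32": 5, "fc00::/7": 13, "fec0::/10": 11, "3ffe::/16": 12}

# Constructed addresses for one dual-addressed server (documentation GUA + ULA).
GUA_SRC = "2001:db8:10::5"
ULA_SRC = "fd12:3456:789a:1::5"

def label(addr, table):
    """Label of the longest policy-table prefix that contains addr."""
    ip = ipaddress.IPv6Address(addr)
    matches = [(ipaddress.IPv6Network(p), lab) for p, lab in table.items()
               if ip in ipaddress.IPv6Network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def common_prefix_len(a, b):
    """Number of leading bits shared by two IPv6 addresses."""
    diff = int(ipaddress.IPv6Address(a)) ^ int(ipaddress.IPv6Address(b))
    return 128 - diff.bit_length()

def select_source(dst, candidates, table):
    """Apply only rule 6 (matching label), then rule 8 (longest matching prefix)."""
    dst_label = label(dst, table)
    return max(candidates, key=lambda src: (label(src, table) == dst_label,
                                            common_prefix_len(src, dst)))

def kind(addr):
    """Classify a constructed sample address as ULA (fc00::/7) or GUA."""
    ula = ipaddress.IPv6Network("fc00::/7")
    return "ULA" if ipaddress.IPv6Address(addr) in ula else "GUA"

if __name__ == "__main__":
    dests = {"GUA peer": "2001:db8:ff::1",        # constructed
             "ULA peer": "fd12:3456:789a:2::9",   # constructed
             "global multicast": "ff0e::1234"}    # constructed
    for name, dst in dests.items():
        for rfc, table in (("RFC 3484", RFC3484), ("RFC 6724", RFC6724)):
            chosen = select_source(dst, [GUA_SRC, ULA_SRC], table)
            print(f"{name:17} {rfc}: {kind(chosen)}")
```

For unicast peers both tables pick the source of the same kind as the destination; for the global-scope multicast group the RFC 3484 table lets the ULA win on prefix length alone (`fd` and `ff` share six leading bits), while the RFC 6724 label for `fc00::/7` hands the choice to the GUA.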