DNS - IPv6
-
NAT does not really add any specific protection. Your firewall does what you describe, not the NAT.
-
Moving away from NAT is a core drive for IPv6. I'm doubtful that NAT devices will even be offered. IPv6 is designed specifically to not have NAT any longer.
-
@dafyre said:
@Reid-Cooper said:
Where IPv6 is important is that it allows you to drop NAT and have public addresses, rather than private, for every host on the network.
Personal preference for myself is that I would not drop NAT if my networks used IPv6 internally. I like that very much as a layer of security for protecting my end-user machines from being exposed directly to all the nasties on the public internet.
I don't think your devices will be any more visible on the internet then they were before. Everything would still go through a firewall or router.
-
@coliver said:
@dafyre said:
@Reid-Cooper said:
Where IPv6 is important is that it allows you to drop NAT and have public addresses, rather than private, for every host on the network.
Personal preference for myself is that I would not drop NAT if my networks used IPv6 internally. I like that very much as a layer of security for protecting my end-user machines from being exposed directly to all the nasties on the public internet.
I don't think your devices will be any more visible on the internet then they were before. Everything would still go through a firewall or router.
Exactly, still firewalled and blocked from the Internet twice, at a minimum, once at the network edge firewall device and a second time on the per-device firewalls running on every OS.
But it makes the network a lot more powerful. Things like VoIP's RTP protocol and FTP will "just work" instead of having all of the weird NAT traversal issues that they have today. And no more port forwarding, just port opening. Every network can host as many services as it wants instead of having to have crazily complex rules to map many public IPs to many private IPs that have no correlation with one another.
-
NAT is just address translation doesn't do any blocking your firewall does that. Just because you know where somethings at doesn't mean you get in. It's like saying you are granted access to a building just because you know the address.
We use some NAT internally but I hate it. But when you do lots of mergers it comes with the territory you can't go re-scoping everything and breaking stuff right away.
-
@Jason said:
NAT is just address translation doesn't do any blocking your firewall does that. Just because you know where somethings at doesn't mean you get it. It's like saying you are granted access to a building just because you know the address.
We use some NAT internally but I hate it. But when you do lots of mergers it comes with the territory you can't go re-scoping everything and breaking stuff right away.
That's for later?
-
@coliver said:
@Jason said:
NAT is just address translation doesn't do any blocking your firewall does that. Just because you know where somethings at doesn't mean you get it. It's like saying you are granted access to a building just because you know the address.
We use some NAT internally but I hate it. But when you do lots of mergers it comes with the territory you can't go re-scoping everything and breaking stuff right away.
That's for later?
The rescoping yes, the breaking hopefully not, we get to know the systems and how they are setup more fully (but still possible.)
-
@DustinB3403 said:
Otherwise we'd have a rather flat network if we ran IPv6. Compared to the 5 subnets we have.
I also have several subnets. But considering what I know today, I'm looking to move to a single /23 or /22. Because of switches you don't have to worry about 1000 devices being in the same subnet anymore. Sure broadcast storm could bring you down, so you have to fix those quickly, but you'd have to anyway.
I'm not looking forward to reworking my network for a /22 though, ug!
At least I only have around 200 devices. 4/5's are DHCP, but the darn phones is the biggest pain, currently not DHCP. -
I've done the move before, with a little good planning it is surprisingly simple and painless. Normally, at least.
-
@Dashrender said:
@DustinB3403 said:
Otherwise we'd have a rather flat network if we ran IPv6. Compared to the 5 subnets we have.
I also have several subnets. But considering what I know today, I'm looking to move to a single /23 or /22. Because of switches you don't have to worry about 1000 devices being in the same subnet anymore. Sure broadcast storm could bring you down, so you have to fix those quickly, but you'd have to anyway.
I'm not looking forward to reworking my network for a /22 though, ug!
At least I only have around 200 devices. 4/5's are DHCP, but the darn phones is the biggest pain, currently not DHCP.I did this move two years ago. Don't forget about your printers... those can be a pain to deal with.
-
We have so many different subnets it's going to be take us a while to move to IPv6.
-
@scottalanmiller said:
I've done the move before, with a little good planning it is surprisingly simple and painless. Normally, at least.
Frankly I'd prefer to jump directly to IPv6, but like the rest i have many printers that don't support IPv6. I wonder if my IP phones do? Not that I need to really worry about them.
-
So glad that we are basically printerless
-
@Dashrender said:
@scottalanmiller said:
I've done the move before, with a little good planning it is surprisingly simple and painless. Normally, at least.
Frankly I'd prefer to jump directly to IPv6, but like the rest i have many printers that don't support IPv6. I wonder if my IP phones do? Not that I need to really worry about them.
I would hope so, all of our phones and printer support IPv6.
-
@coliver said:
@Dashrender said:
@DustinB3403 said:
Otherwise we'd have a rather flat network if we ran IPv6. Compared to the 5 subnets we have.
I also have several subnets. But considering what I know today, I'm looking to move to a single /23 or /22. Because of switches you don't have to worry about 1000 devices being in the same subnet anymore. Sure broadcast storm could bring you down, so you have to fix those quickly, but you'd have to anyway.
I'm not looking forward to reworking my network for a /22 though, ug!
At least I only have around 200 devices. 4/5's are DHCP, but the darn phones is the biggest pain, currently not DHCP.I did this move two years ago. Don't forget about your printers... those can be a pain to deal with.
Yep - main things that have static IPs - Printers, Phones, Server and Switches!!
-
@Jason said:
@Dashrender said:
@scottalanmiller said:
I've done the move before, with a little good planning it is surprisingly simple and painless. Normally, at least.
Frankly I'd prefer to jump directly to IPv6, but like the rest i have many printers that don't support IPv6. I wonder if my IP phones do? Not that I need to really worry about them.
I would hope so, all of our phones and printer support IPv6.
Dymo label print servers don't support IPv6
-
@Dashrender said:
Yep - main things that have static IPs - Printers, Phones, Server and Switches!!
You have phones with Staitc IPs? that's a lot of trouble for nothing.
-
@Dashrender said:
Dymo label print servers don't support IPv6
I wouldn't know, we consider those consumer grade they break too much. We use ones like these:
-
@Jason said:
You have phones with Staitc IPs? that's a lot of trouble for nothing.
I didn't set them up, the vendor did, 8 years ago.
The new building we just did uses DHCP for the phones - it was kinda nice.. there are two DHCP servers on the same LAN, the phone system has one with a small range only for the phones, and only responds to requests that have a MAC in a qualified range.How the phones don't take an IP from my Windows DHCP if it responds first, is beyond me - but so far no issues.
-
@Jason said:
@Dashrender said:
Dymo label print servers don't support IPv6
I wouldn't know, we consider those consumer grade they break too much. We use ones like these:
OMG dude! $1600? NO WAY! We have 8 Dymo's that cost a total of $300 each. I could replace every unit 5 times and still have money left over for those of those. Plus the Dymo's aren't so unreliable as to make the expense worthwhile (i.e. save support time to warrant the expense).
