On Jul 12, 2011, at 5:31 PM, Tom Ammon wrote:

> On your management nets (network device management nets) , what's the best 
> approach for addressing them? Do you use ULA? Or do you use  global addresses 
> and just depend on router ACLs to protect things? How close are we to having 
> a central registry for unique local addresses, and will that really happen?

We allocate a /64 per subnet as that's what most of the management hosts expect.

We also build the CoPP/ACLs in a comparable way for the ipv6 afi as one does 
for the ipv4 afi to protect the device from unauthorized access.

Having access to a trusted net will get you a response to your SYN; you still 
need the ability to auth past that point to various devices/systems.  Getting 
on that trusted net and protecting it is clearly something important.

Certainly one can go crazy with trying to secure one's networks by wrapping them 
in 802.1x with various backing systems.  I do recommend making sure your 
security practices are sensible and not forgotten.  Nothing like having a 
machine on the 'trusted' LAN become compromised.  Never know what's going to 
happen :)

- Jared
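Added example (not from the thread or any vendor): a small model of what "build the ACLs in a comparable way for the IPv6 AFI as for IPv4" means in practice. The same policy (trusted management /64s may reach SSH, HTTPS and SNMP; everything else is denied) is generated for both address families and evaluated first-match, the way a router ACL or CoPP class would. It also checks that each IPv6 management subnet really is a /64 and flags which ones are ULA (fc00::/7). All prefixes, hosts and ports are constructed sample data from documentation ranges, not a real network.

```python
"""Mirror an IPv4 management-plane ACL into IPv6 and evaluate packets against it.

Added example, not from the mailing-list thread.  The prefixes below are
constructed sample data (RFC 5737 / RFC 3849 documentation ranges plus one
made-up ULA /64), chosen only to illustrate the technique.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed: the "trusted" management nets, one list per address family.
TRUSTED = {
    4: [ipaddress.ip_network("192.0.2.0/24")],
    6: [ipaddress.ip_network("2001:db8:100::/64"),    # global mgmt /64
        ipaddress.ip_network("fd12:3456:789a::/64")],  # ULA mgmt /64
}
# Constructed: management services the trusted nets may reach on the device.
MGMT_PORTS = {"tcp": (22, 443), "udp": (161,)}   # ssh, https, snmp


@dataclass(frozen=True)
class Entry:
    action: str   # "permit" or "deny"
    proto: str    # "tcp", "udp" or "any"
    src: object   # IPv4Network or IPv6Network source prefix
    port: int     # destination port, 0 = any


def is_ula(net) -> bool:
    """True if the prefix lies in IPv6 unique-local space (fc00::/7, RFC 4193)."""
    net = ipaddress.ip_network(net)
    return net.version == 6 and net.subnet_of(ipaddress.ip_network("fc00::/7"))


def build_acl(afi: int) -> List[Entry]:
    """Emit the same policy for either AFI: trusted nets -> mgmt ports, else deny.

    IPv6 management subnets are expected to be /64s (what the hosts on them
    assume), so anything else is rejected rather than silently encoded.
    """
    entries = []
    for net in TRUSTED[afi]:
        if afi == 6 and net.prefixlen != 64:
            raise ValueError(f"{net}: management subnets are allocated as /64")
        for proto, ports in MGMT_PORTS.items():
            for port in ports:
                entries.append(Entry("permit", proto, net, port))
    any_net = ipaddress.ip_network("0.0.0.0/0" if afi == 4 else "::/0")
    entries.append(Entry("deny", "any", any_net, 0))   # explicit final deny
    return entries


def evaluate(acl: List[Entry], src: str, proto: str, dport: int) -> str:
    """First-match evaluation like a router ACL; implicit deny if nothing matches."""
    s = ipaddress.ip_address(src)
    for e in acl:
        if s.version != e.src.version:          # never match across AFIs
            continue
        if e.proto not in ("any", proto):
            continue
        if e.port not in (0, dport):
            continue
        if s in e.src:
            return e.action
    return "deny"


if __name__ == "__main__":
    for afi in (4, 6):
        print(f"--- AFI {afi} ---")
        for e in build_acl(afi):
            tag = " (ULA)" if is_ula(e.src) else ""
            print(f"{e.action:6} {e.proto:4} {str(e.src):24}{tag} port {e.port or 'any'}")
    print(evaluate(build_acl(6), "2001:db8:100::10", "tcp", 22))   # permit
    print(evaluate(build_acl(6), "2001:db8:200::10", "tcp", 22))   # deny
```

Running it prints both ACLs side by side, which is the check worth doing by eye on a real box too: if a permit line exists for a trusted net in one AFI and not the other, the management plane is reachable from more of the world in one family than you think.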
