Saturday, June 23, 2018

ISP management network design

I am consulting for a small company that also owns an ISP. The company portion itself has a working internal network that is set up correctly, and the ISP side contains a working management network that we can access internally, but it is NAT'd. I personally have not grown to like this setup, since it means that our management VLAN is routed on our core router and is technically possible to access from CPEs. The design I was thinking of is to create, much like our internal company network, a separate smaller network that would route the management networks, not allowing them to be accessible from the customer premises. I have also looked at ACLs as an option if keeping the VLAN gateway on the core router is a better practice, but I just feel like that could be harder to troubleshoot in the future if things change, more networks are added, or exceptions are made. I have laid out roughly how things are set up currently: https://imgur.com/a/ybDuz8N and the proposed changes: https://imgur.com/a/Z9nE72r.

So my question is mainly: are ACLs a better option, or is it better to isolate the management network off the core router (if NAT'd, the management devices could also access the internet through NAT; currently they cannot, since the core router does not NAT), or is there another design that I am missing?
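For readers weighing the ACL option described above, here is an added illustration of what "keep the gateway on the core router, but filter who can reach the management VLAN" looks like. It is not from the original post or its diagrams; it assumes an IOS-style core router, and every address, VLAN number and name below is a constructed placeholder.

```cisco
! Constructed placeholders (not from the post):
!   10.10.0.0/24   management VLAN (VLAN 100, SVI on the core router)
!   10.20.0.0/24   NOC / admin hosts that are allowed to manage devices
!   100.64.0.0/10  customer / CPE address space
!
! Filter traffic *entering* the management VLAN, i.e. anything the core
! router would forward toward a management device.
ip access-list extended MGMT-IN
 remark Only the NOC subnet may initiate toward management devices
 permit ip 10.20.0.0 0.0.0.255 10.10.0.0 0.0.0.255
 remark Explicit CPE deny first, so its hit counter and log lines are
 remark separate from the catch-all and easier to spot when troubleshooting
 deny   ip 100.64.0.0 0.63.255.255 10.10.0.0 0.0.0.255 log
 deny   ip any 10.10.0.0 0.0.0.255 log
!
interface Vlan100
 description Management VLAN gateway
 ip address 10.10.0.1 255.255.255.0
 ip access-group MGMT-IN out
```

The "out" direction on the SVI is what makes this protect the VLAN: it inspects packets the router is about to deliver into VLAN 100, regardless of which customer or internal interface they arrived on, while traffic the management devices themselves send outward is untouched. The cost is the one the question anticipates: any flow a management device initiates toward a host outside the NOC subnet (a syslog collector, NTP, a monitoring server) needs its return traffic permitted as an additional line, and `show access-lists MGMT-IN` plus the logged denies become the main troubleshooting tools as those exceptions accumulate. A separate management router with no route from the customer side, as in the proposed design, removes that per-exception maintenance at the price of a second device to operate.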
