Hi,
We’re just finalising our plans for rolling out IPv6 with networking here and were wondering how other sites are handling data transfer zones/science DMZs/firewall bypasses.
At the moment for IPv4 we’ve got a single /22 subnet for our whole cluster, with all hosts in that subnet having the same router. The router then does policy-based routing and sends traffic from nodes in the top /25 of the /22 out along the bypass route to the site border router; traffic from hosts in the rest of the subnet gets sent to the site core, which then routes it out through the firewall as usual. Then the site border router does the opposite: traffic to the top /25 gets sent off down the bypass and the rest goes through the firewall to the core.
For IPv6 we’re essentially planning the same thing (’cept with rather larger numbers): we’ve got a /64 for our cluster and we’ll use one of the higher bits (possibly the highest) of the host section to denote the bypass zone and then let the router and border router handle the routing.
Is there any reason why that might be a bad idea?
Thanks,
Chris
--
Dr Chris Brew
Scientific Computing Manager
Particle Physics Department
STFC - Rutherford Appleton Laboratory
Harwell Oxford,
Didcot
OX11 0QX
+44 1235 446326
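An added worked example (not part of the original mail, and not the RAL configuration) of the split described above, using Python's standard ipaddress module. It shows that "the top /25 of the /22" and "the highest bit of the host section of the /64" are the same construction, namely the last sub-block of the cluster prefix (a /65 in the IPv6 case), and models the two policy decisions: the cluster router classifies on the source address, the border router on the destination. The prefixes 198.51.100.0/22 and 2001:db8:1:2::/64 are documentation ranges chosen here, and the path names are placeholders.

```python
import ipaddress

# Constructed example prefixes (RFC 5737 / RFC 3849 documentation ranges),
# standing in for the site's real cluster subnets.
CLUSTER_V4 = ipaddress.ip_network("198.51.100.0/22")
CLUSTER_V6 = ipaddress.ip_network("2001:db8:1:2::/64")
BYPASS_PREFIXLEN = {4: 25, 6: 65}   # top /25 of the /22; highest host bit of the /64


def bypass_prefix(cluster, bypass_prefixlen):
    """Highest-numbered /bypass_prefixlen block inside `cluster`.

    Take the cluster's last address and clear the host bits that remain
    below the bypass prefix length.  For a /64 with bypass length 65 this
    is exactly "highest host bit set"; for a /22 with length 25 it is the
    top /25.
    """
    if not cluster.prefixlen < bypass_prefixlen <= cluster.max_prefixlen:
        raise ValueError("bypass prefix must be longer than the cluster prefix")
    host_bits = cluster.max_prefixlen - bypass_prefixlen
    top = int(cluster.broadcast_address) & ~((1 << host_bits) - 1)
    return ipaddress.ip_network((top, bypass_prefixlen))


def zone(address, cluster, bypass_prefixlen):
    """'bypass', 'firewall' (rest of the cluster) or 'offsite'."""
    addr = ipaddress.ip_address(address)
    if addr.version != cluster.version or addr not in cluster:
        return "offsite"
    if addr in bypass_prefix(cluster, bypass_prefixlen):
        return "bypass"
    return "firewall"


def next_hop(role, src, dst):
    """Path a packet takes, as the mail describes it.

    role == "cluster-router": policy-based routing keyed on the *source*
                              (outbound traffic from the cluster).
    role == "border-router":  keyed on the *destination*
                              (inbound traffic towards the cluster).
    Returns the placeholder path names 'bypass-link', 'firewall' or
    'default' (the address is not in the cluster at all).
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src.version != dst.version:
        raise ValueError("mixed address families")
    cluster = CLUSTER_V4 if src.version == 4 else CLUSTER_V6
    key = src if role == "cluster-router" else dst
    z = zone(key, cluster, BYPASS_PREFIXLEN[cluster.version])
    return {"bypass": "bypass-link", "firewall": "firewall", "offsite": "default"}[z]


if __name__ == "__main__":
    print(bypass_prefix(CLUSTER_V4, 25))   # 198.51.103.128/25
    print(bypass_prefix(CLUSTER_V6, 65))   # 2001:db8:1:2:8000::/65
    print(next_hop("cluster-router", "2001:db8:1:2:8a7b::1", "2001:db8:ffff::9"))
    print(next_hop("border-router", "2001:db8:ffff::9", "2001:db8:1:2::1"))
```

One caveat the model makes visible: the whole security property rests on which half of the /64 a host's address falls in. With stateless autoconfiguration (RFC 4862) the host forms its own 64-bit interface identifier, and with random or stable-privacy identifiers (RFC 4941, RFC 7217) the highest bit of that identifier is effectively a coin toss, so a SLAAC host could land on the bypass side by accident; a /65 cannot be advertised for SLAAC either, since the prefix plus identifier must total 128 bits. The bypass /65 therefore only works as a boundary if addresses in it are assigned statically or by DHCPv6 and SLAAC is disabled on that segment.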