Every time I see private range addresses somewhere, I automatically think of Network Address Translation. But NAT and private addresses do not always need to be used together.
Take the following network:
Now suppose you have received a /22 public address range for your company, e.g. 123.45.68.0/22, which you then split into subnets for your users and servers. Since IPv4 addresses are limited and you have three point-to-point links in the ‘Internal’ part of the network, you’re hesitant to waste 12 addresses (three times a /30) on them. Sure, you could use /31s and use only 6 IPs, but as the number of links increases, so do the wasted IPs.
But if you give these links IPs in the ranges 192.168.1.0/30, 192.168.1.4/30 and 192.168.1.8/30 and advertise them internally with whatever IGP you’re using, things will work too. You will need to filter any packets originating from these private ranges at the WAN edge router so they don’t reach the internet. Hosts on the internet can’t reach the IPs on the point-to-point links, as they aren’t advertised outside the company (added security!). Inside your network, the private ranges simply become part of the network, without NAT. They can be pinged perfectly. You could even set up a subnet using private ranges for servers that must only be accessed internally (very secure, though automatic updates would not be so easy, I can imagine). For remote connectivity, VPN should allow access.
All in all, a real-world implementation of this design may have some flaws, but it proves a point and adds security in some sense.
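To make the two decisions in this design concrete (what the WAN edge filter must drop, and how many addresses /30 versus /31 links really cost), here is an added Python model; it is not code from the post, and the function names and sample packets are my own construction, with 198.51.100.0/24 and 203.0.113.0/24 (RFC 5737 documentation ranges) standing in for internet addresses.

```python
import ipaddress

# Addressing from the post: the company's public /22 and three private /30
# point-to-point links that are advertised only in the internal IGP.
PUBLIC_BLOCK = ipaddress.ip_network("123.45.68.0/22")
P2P_LINKS = [ipaddress.ip_network(n) for n in
             ("192.168.1.0/30", "192.168.1.4/30", "192.168.1.8/30")]
# All of RFC 1918: a source in any of these must never cross the WAN edge.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def in_any(addr, networks):
    return any(addr in net for net in networks)

def wan_edge_egress_verdict(src, dst):
    """Filter decision for a packet leaving the WAN edge toward the internet.
    Deny private sources (the point-to-point links or any other RFC 1918
    space), sources outside our own public block (anti-spoofing), and
    private destinations, which have no business on the internet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if in_any(s, RFC1918):
        return "deny"      # private source would leak an internal link
    if s not in PUBLIC_BLOCK:
        return "deny"      # not ours: spoofed or misrouted
    if in_any(d, RFC1918):
        return "deny"      # unreachable anyway; drop it at the edge
    return "permit"

def link_addresses(link):
    """Usable host addresses on a point-to-point link: a /31 (RFC 3021)
    uses both of its addresses, a /30 uses two of its four."""
    if link.prefixlen == 31:
        return [str(a) for a in link]
    return [str(a) for a in link.hosts()]

def addresses_consumed(link_count, prefixlen):
    """IPv4 addresses taken from a block by link_count links of that size."""
    return link_count * 2 ** (32 - prefixlen)

if __name__ == "__main__":
    # Constructed sample packets seen at the WAN edge, outbound direction.
    for src, dst in [("192.168.1.1", "198.51.100.7"), ("123.45.69.10", "198.51.100.7"),
                     ("123.45.69.10", "192.168.1.5"), ("203.0.113.9", "198.51.100.7")]:
        print(f"{src:>13} -> {dst:<13} {wan_edge_egress_verdict(src, dst)}")
    print("three /30 links:", addresses_consumed(3, 30), "addresses;",
          "three /31 links:", addresses_consumed(3, 31))
```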
We use private addressing to address our ISP core. It’s perfectly feasible.
Some of our own customers don’t even use public addresses through us. They’ll have 5 sites connected to us. Each site will be privately addressed. Our mgmt links to our router on each site will have private addresses. Those routers all connect into a VPLS, so customers can and do have overlapping address space.
The only time NAT is finally needed is when they head out to the internet. They could have a single firewall at a site, or in our core with a single or multiple IPs. But that again will only ever be used once it needs to get out to the internet.
I was about to offer a correction on your mention of using /31 subnets for the internal links, assuming you meant /30. I’ve never seen /31 in a production environment, even in CCENT/CCNA/CCNP studying, but after some digging I found that RFC 3021 specifies /31 as a special case for point-to-points, and can be used in place of a /30, bypassing the ‘wasted’ IPs used as the broadcast and network addresses. Kudos for throwing that in, nice addition to my knowledge bank.
Great blog in general so far, keep it up.