Questions about "Tips for Deployment"

[hzc12321]

Referring to the "Tips for Deployment" example :

1. If I want to setup a small-scale, physically isolated lab, without using public IP, probably even without BGP announcement (In a lab environment, I don't need a BGP route to route traffic to Gatekeeper, I can put a static route into the uplink router), would it be possible? The example already assumed a data center uplink, which is not practical for me to start from.

2. Why does the Gatekeeper and Grantor server have network links other than front and back interfaces(those links without front or back labelled)?

3. Can I generally assume that external network = public IP network (Internet) and internal network = private IP network? But I noticed that you have defined the external network as 1.2.3.0/24, can you explain why is it a /24 subnet and not any public IP please?

4. Why do the Grantor servers need public IP?

5. Why are there 2 Grantor servers if when this simple example is meant to help users on getting started? Because one Grantor server should be able to make things run, minimally, right? Or is there a significance of doing so that I didn't notice?

Apologies for any stupid questions asked, I'm new to this topic and would really appreciate if anyone can guide me through the process of getting started.

[AltraMayor]

1. If I want to setup a small-scale, physically isolated lab, without using public IP, probably even without BGP announcement (In a lab environment, I don't need a BGP route to route traffic to Gatekeeper, I can put a static route into the uplink router), would it be possible? The example already assumed a data center uplink, which is not practical for me to start from.

That is correct. You can replace BGP with static routes in your testbed.

2. Why does the Gatekeeper and Grantor server have network links other than front and back interfaces(those links without front or back labelled)?

The wiki page Tips for Deployments is meant to help people deploying Gatekeeper in production, so it touches needs that go beyond a minimum testbed. In production, it's common for machines to be present in different physical networks, so that's reflected on that page. Notice that that example is simple in production since it has a single vantage point. If you document your testbed online, your documentation may help others get started.

3. Can I generally assume that external network = public IP network (Internet) and internal network = private IP network? But I noticed that you have defined the external network as 1.2.3.0/24, can you explain why is it a /24 subnet and not any public IP please?

Yes, an external network is a public IP network, and an internal network is a private IP network. In the example, the network prefix 1.2.3.0/24 is announced to the Internet and is under the Gatekeeper's protection.

4. Why do the Grantor servers need public IP?

It is meant to simplify the example by avoiding adding more routes and/or routers. This is used in production, so the example shows common practice.

5. Why are there 2 Grantor servers if when this simple example is meant to help users on getting started? Because one Grantor server should be able to make things run, minimally, right? Or is there a significance of doing so that I didn't notice?

Because this example is meant to help users deploy Gatekeeper in production. You can make Gatekeeper work with a single Grantor.

Apologies for any stupid questions asked, I'm new to this topic and would really appreciate if anyone can guide me through the process of getting started.

Those were fair questions.