multiple prefixes

Phil Mayers p.mayers at imperial.ac.uk
Sun Feb 10 12:29:46 CET 2013


On 02/10/2013 08:26 AM, Brian E Carpenter wrote:
> On 10/02/2013 01:34, Erik Kline wrote:
>>> I certainly know that it's doable, I'm more curious to know how much the two can differ (ULA, PD, PI, privacy, etc.). I'm looking into using two prefixes because of the privacy options ($WORK is health care, so some data is highly sensitive), but there may be other reasons to use two prefixes.
>>
>> I believe I would just use privacy/temporary addresses by default, and
>> pull MAC<->L3 mappings off the switches/routers for the purposes of
>> auditing.  That way you're more likely to notice when someone changes
>> IP addresses (IPv6 or otherwise).
>>
>
> That would be a possibility. Personally I'm a fan of using a ULA prefix
> for traffic that you must keep internal. It isn't magic: you have to ensure
> that the border routers have ACLs to block them, and you may want to
> use internal-only DNS names for ULAs.

Can you give an example of this use-case, and maybe highlight how it's 
different than just ACLing / firewalling the "server" subnet off? I'm 
having a hard time understanding the added value of ULA in this 
scenario, or how getting "internal only" traffic onto ULA addresses 
helps prevent it "going external" - isn't that what a routing table 
does? I'm sure I must be missing something...
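
As an added illustration of Brian's point (example code, not from the list thread): a border router's routing table matches only the destination, so a default route will happily forward a ULA-sourced packet upstream; it is the border ACL that actually keeps ULA traffic inside. The site prefix, routes and flows below are constructed.

```python
import ipaddress

# RFC 4193 unique local address space
ULA = ipaddress.ip_network("fc00::/7")

# Constructed border routing table: the site's ULA /48 plus a default route.
ROUTES = [
    (ipaddress.ip_network("fd12:3456:789a::/48"), "internal"),
    (ipaddress.ip_network("::/0"), "upstream"),
]


def next_hop(dst: str) -> str:
    """Longest-prefix match. The default route matches every destination,
    and the lookup never looks at the source address at all."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in ROUTES if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def border_decision(src: str, dst: str, from_upstream: bool = False,
                    acl_enabled: bool = True) -> str:
    """What the border router does with a packet from src to dst.

    The ACL Brian describes: any packet with a ULA source or destination
    that would cross the upstream link (in either direction) is dropped."""
    hop = next_hop(dst)
    crosses_border = from_upstream or hop == "upstream"
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if acl_enabled and crosses_border and (s in ULA or d in ULA):
        return "dropped-by-acl"
    return f"forwarded-{hop}"


if __name__ == "__main__":
    # Constructed flows: internal client, internal DNS server, external web host.
    flows = [
        ("fd12:3456:789a::10", "fd12:3456:789a:1::53"),  # ULA -> ULA
        ("fd12:3456:789a::10", "2001:db8::80"),           # ULA -> global: the leak
        ("2001:db8:feed::10", "2001:db8::80"),            # global -> global
    ]
    for src, dst in flows:
        print(f"{src:>22} -> {dst:<22} no ACL: "
              f"{border_decision(src, dst, acl_enabled=False):<20} "
              f"ACL: {border_decision(src, dst)}")
    # Inbound from the upstream side towards a ULA destination is dropped too.
    print("inbound to ULA:", border_decision("2001:db8::80", "fd12:3456:789a::10",
                                             from_upstream=True))
```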
