> Quick question, assuming I can get a /24 public network,

Who do you propose to bribe @ RIPE to get a /24? Can you pass me their details via PM :-)

> and have a private /24 address (quite densely occupied), does it have any
> advantages, from the firewall simplicity point of view, or should I go for
> a smaller network (say, /26)?

None. TBH, you'll be exceedingly lucky to get anything larger than a /27 or /28; the paperwork to justify it is worse than pulling teeth. Here in the UK most ISPs will provide /28s & /29s without much hassle.

> Some of the LAN machines need to have no access to the Internet nor LAN
> (zone 0), most LAN machines do, but would be happy with NAT (zone 1), a
> few need to live in DMZ space, firewalled from LAN (zone 2).

Depending on what your requirements are, you could conceivably get away with something as small as a /30. For anything bigger, I would tend to utilise a /30 for the outside, with the rest hung from a real-addressed DMZ; this allows easy propagation of routes to/from whatever IGP you're using.

> I have 4 NICs, and VLAN-capable switches, so I was planning to do that
> with VLANs, and work with a /26 public IP network. Does this make
> sense,

Mixing different trust levels on the same switch is rather frowned upon. At the very least you should configure up PVLANs on the switch. Or consider a sandwich design with edge and internal firewalls, with a layer 3 switch hosting same-trust-level, VLAN-separated DMZs in between.

> or should I try getting a public /24 network, if I can get it?

TBH, getting a /24 is not likely.

Greg
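As an added worked example (not part of this thread or anyone's posted code), the address arithmetic behind the reply above: a small Python planner built on the standard-library `ipaddress` module that carves a public allocation into a /30 for the firewall's outside link and uses the largest remaining block as a routed, real-addressed DMZ, and that works out the smallest prefix a given number of DMZ hosts needs. The 203.0.113.0/26 block (RFC 5737 documentation space), the function names and the host counts are constructed sample values, not anything the original poster or Greg specified.

```python
import ipaddress

# Constructed sample allocation (RFC 5737 documentation range), not from the thread.
SAMPLE_BLOCK = "203.0.113.0/26"


def smallest_prefix_for_hosts(host_count: int) -> int:
    """Smallest IPv4 prefix length whose usable range (network and broadcast
    addresses excluded) holds host_count addresses.

    The firewall's DMZ interface needs an address too, so callers pass
    servers + 1, which is why a /26 vs /24 question turns on small numbers.
    """
    if host_count < 1:
        raise ValueError("need at least one host")
    needed = host_count + 2  # room for network and broadcast addresses
    prefix = 32
    while (1 << (32 - prefix)) < needed:
        prefix -= 1
    return prefix


def plan_public_block(public_cidr: str, transit_prefix: int = 30) -> dict:
    """Carve a public allocation the way the reply suggests: the first /30 is
    the point-to-point block for the firewall's outside interface, the
    largest block left over becomes a routed DMZ, and any smaller leftovers
    are reported as spare so they are not silently lost."""
    block = ipaddress.ip_network(public_cidr, strict=True)
    if not isinstance(block, ipaddress.IPv4Network):
        raise ValueError("IPv4 allocations only")
    if block.prefixlen > transit_prefix:
        raise ValueError(f"{block} is smaller than a /{transit_prefix}")

    transit = next(block.subnets(new_prefix=transit_prefix))

    # A /30 on its own leaves nothing for a DMZ: that is the NAT-only case.
    # (Guarding on prefixlen avoids address_exclude() on an identical network,
    # whose behaviour differs across Python versions.)
    remainder = []
    if block.prefixlen < transit_prefix:
        remainder = sorted(block.address_exclude(transit),
                           key=lambda n: n.network_address)

    dmz = max(remainder, key=lambda n: n.num_addresses) if remainder else None
    spare = [n for n in remainder if n != dmz]

    return {
        "transit": transit,
        "dmz": dmz,
        # usable hosts in the DMZ subnet, network and broadcast excluded
        "dmz_usable_hosts": dmz.num_addresses - 2 if dmz else 0,
        "spare": spare,
    }


def dmz_fits(public_cidr: str, dmz_servers: int) -> bool:
    """True if the planned DMZ holds dmz_servers plus the firewall's own
    DMZ-side address."""
    plan = plan_public_block(public_cidr)
    return dmz_servers + 1 <= plan["dmz_usable_hosts"]


if __name__ == "__main__":
    plan = plan_public_block(SAMPLE_BLOCK)
    print(f"outside link: {plan['transit']}")
    print(f"DMZ:          {plan['dmz']} ({plan['dmz_usable_hosts']} usable hosts)")
    print(f"spare:        {', '.join(str(n) for n in plan['spare'])}")
    print(f"10 DMZ servers + firewall need a /{smallest_prefix_for_hosts(11)}")
```

On the sample /26 this gives a 203.0.113.0/30 outside link, a 203.0.113.32/27 DMZ with 30 usable addresses, and a /28, /29 and /30 left spare; ten DMZ servers plus the firewall interface fit in a /28, which is the size the reply says UK ISPs hand out without much fuss.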
