> > Who do you propose to bribe @ RIPE to get a /24 ? Can you pass me
> > their details via pm :-)
>
> Well, it's just 256 addresses, which is not excessive.

I remember those days :-). It was 1994.... (cue the flashback LOL).

> I have a /24 myself (thinly populated so far, but vservers can fill up
> space very quickly) for a business of mine,

Agreed, I assume these are providing something other than [80,443]/tcp.

> but this is for my dayjob which is getting a GBit Ethernet fiber
> connection (only 100 MBit/s used, for time being). It's a very good
> deal, since we're paying about the same as the 2 MBit/s SDSL we have
> now (there's an ISP in the same building, so that's why).

Handy. Things must be different in Germany, Eugene; trying to get a /24 here in the UK sometimes requires the sacrifice of small barnyard fowl to appease the allocation gods. :-) One has to commit to using certain %ages of the allocated space within a fixed time period.

> > None, TBH you'll be exceedingly lucky to get anything larger than
> > /27-28, The paperwork to justify it is worse than pulling teeth.
> > Here in the UK most ISPs will provide /28s & /29s without much
> > hassle.
>
> We need at least a /26, and should have no issues getting it.
> The point is whether a /24 inside and a /24 outside would be easier
> to map, since no longer requiring NAT. Would it? (I realize it
> would be an awful waste of address space).

Unless you absolutely, positively require a 1:1 mapping for ingress traffic flowing to internet facing services on those hosts, there is no need for it IMHO; in fact doing so is likely to make the policy more, rather than less, complex. For egress traffic, static NAT may be required for handling protocols such as GRE (assuming the edge device doesn't do something clever with the call id header).

> > Depending on what your requirements are, you could conceivably get
> > away with something as small as a /30. For anything bigger, I would
> > tend to utilise a /30 for the outside, with the
>
> So this means 4 addresses, which use NAT? Why not just one NAT address?

It's not 4 addresses, it's two usable ones, less the network & broadcast addresses. One for the firewall, one for the ingress interface on the next hop. Assuming a HA pair of firewalls, on the external interface one can utilise RFC1918 addresses in a /29 subnet to allow firewalls + CARP/VRRP/HSRP vips to fit, with the external router statically routing the two real registered addresses to the firewall cluster's virtual IP address. The firewall can then address translate egress traffic appropriately.

> > rest hung from a real addressed DMZ, this allows easy propagation of
> > routes to/from whatever IGP you're using.
>
> Can you expand a bit on how and why this is a good thing?

Because you don't have to address translate at the edge to get to/from the DMZ. One can advertise routes internally and externally to/from the same real address space, making the creation of backup routes in case of failure much simpler. It also minimises the need to split DNS.

> > Mixing different trust levels on the same switch is rather frowned
> > upon.
>
> Because of potential vulnerabilities in the switch OS, allowing an
> attacker to reassign VLANs?

Yes. The switch may be in a locked cabinet/cage, but never say never when it comes to internet facing equipment. Things like setting protected ports etc. are essential in this scenario.

> > At the very least you should configure up PVLANS on the switch.
>
> I'm not sure our consumer-grade (Netgear) switches can do PVLANs.
> I can use a dedicated dumb switch for the DMZ and the no-access
> machines, of course.

That will do. I am a fan of using switches trunked into firewalls; it beats the hell out of using tens of NICs and is far more scalable.

> > Or consider a sandwich design with edge and internal firewalls, with
> > a layer 3 switch hosting same trust level VLAN separated DMZs in
> > between.
>
> I'm not sure I can get another firewall approved, I work for people
> who I had severe trouble explaining why one needs to buy new switches
> and new firewall at all. (Yeah, I should quit, I know).

LOL, sounds familiar.

Greg
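The addressing scheme Greg sketches above (RFC1918 /29 on the firewalls' external interface for router, members and a shared VIP; a registered /30 statically routed to the VIP and used for egress NAT; a real-addressed DMZ that is routed, not translated) worked through with Python's ipaddress module. This is an added example, not code from the thread; the 192.168.255.0/29 link and the TEST-NET blocks standing in for registered space are constructed values, and the host names are placeholders.

```python
import ipaddress

# RFC1918 blocks, used to check the firewalls' external link (constructed check).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def usable_hosts(cidr):
    """Host addresses in a block, i.e. without the network and broadcast addresses."""
    return [str(h) for h in ipaddress.ip_network(cidr, strict=True).hosts()]


def ha_plan(ha_link, registered, dmz, firewalls=("fw1", "fw2")):
    """Allocate addresses for ISP router -> HA firewall pair -> real-addressed DMZ.

    ha_link     RFC1918 /29 on the firewalls' external interface: one address for
                the router's ingress interface, one per firewall, one shared VIP
    registered  small registered block (the /30) the router routes to the VIP;
                the firewalls translate egress traffic to it
    dmz         registered DMZ block, routed through the cluster without NAT
    """
    link = ipaddress.ip_network(ha_link, strict=True)
    if not any(link.subnet_of(n) for n in RFC1918):
        raise ValueError(f"{ha_link} is not RFC1918 space")
    link_hosts = list(link.hosts())
    if len(link_hosts) < len(firewalls) + 2:
        raise ValueError(f"{ha_link} cannot hold router, {len(firewalls)} firewalls and a VIP")
    router, *members, vip = link_hosts[: len(firewalls) + 2]
    registered_hosts = usable_hosts(registered)
    return {
        "router": str(router),
        "members": dict(zip(firewalls, map(str, members))),
        "vip": str(vip),
        # Router static routes point at the VIP, so a failover between the
        # members needs no change on the ISP side.
        "router_static_routes": [f"{registered} via {vip}", f"{dmz} via {vip}"],
        # Egress from the inside is translated to the first registered address.
        "egress_nat": registered_hosts[0],
        # The DMZ keeps real addresses and is routed, not translated.
        "dmz_hosts": usable_hosts(dmz),
    }


if __name__ == "__main__":
    # Constructed values: TEST-NET blocks stand in for registered space.
    plan = ha_plan("192.168.255.0/29", "203.0.113.0/30", "203.0.113.64/26")
    print("/30 usable addresses:", usable_hosts("203.0.113.0/30"))
    for key, value in plan.items():
        print(f"{key:>21}: {value}")
```

Passing a /30 as the HA link makes the plan refuse, which is exactly Greg's point: two usable addresses are enough for a single firewall and its next hop, not for a pair plus a VIP.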
