"william.wells" wrote:
>
> We've been all over the issue of using a 1 bit subnet mask as proposed in
> the document below after one of our new employees challenged splitting our
> Class C with a 1 bit mask as described below. While the firewall and routers
> appear to handle this OK, our study and discussions with various networking
> vendors indicate that the lowest subnet and highest subnet shouldn't really
> be used as they are used by various routing protocols.
You may want to consider changing vendors because they are obviously not
keeping up with the latest RFCs. ;)
When subnetting was first developed, the original RFC (1123) stated that
you had to drop the first and last subnet. This was to work around
problems with some older TCP/IP stacks when dealing with addressing the
network & broadcast addresses. Since .128 only creates two subnets, this
in effect made the mask useless under the original rules.
The rules have changed however. Per RFC 1878:
<quote>
The number of available network and host addresses are derived from the
number of bits used for subnet masking. The tables below depict the
number of subnetting bits and the resulting network, broadcast address,
and host addresses. Please note that all-zeros and all-ones subnets are
included in Tables 1-1 and 1-2 per the current, standards-based practice
for using all definable subnets [4].
Subnet Mask        # of nets       Net. Addr.   Host Addr Range   Broadcast Addr.
Bits of Subnet     hosts/subnet
255.255.255.128    2 nets          N.N.N.0      N.N.N.1-126       N.N.N.127
1 bit Class C      126             N.N.N.128    N.N.N.129-254     N.N.N.255
</quote>
So the new RFC does not require that you drop the first and last
subnet. This means that a mask of .128 yields two usable subnets. The
only time you really need to avoid subnet zero is if you are running old
or outdated hardware.
> We've been running the configuration discussed (1 bit subnet) for several
> years without a problem. We've been told recently that we haven't had
> problems since we run static routes on our DMZ and Internet segments but if
> we did dynamic routing, we'd have problems.
Not sure where they are getting this from. I know RIP has problems but
only because it expects all subnets to use the same mask. I've used
subnet zero with OSPF for a while now without a problem.
> One other consideration regarding splitting the network into 2 pieces. Our
> DMZ is the location where our private connections to business partners
> reside: that is, hard-wired links. However, splitting our registered class C
> into 2 parts does cause problems for these partners if they also do business
> with Damark through the Internet.
I guess I don't quite follow your concern. Is the problem that you are
afraid clients with Internet connectivity will be routed over the
Internet instead of over the WAN? If so, a few route entries should fix
this problem.
Cheers,
Chris
--
**************************************
[EMAIL PROTECTED]
* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
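An added worked example (not part of the thread above) that reproduces the RFC 1878 table for a 1-bit mask on a class C and counts how many subnets survive under the old "drop subnet zero and all-ones" rule versus the RFC 1878 rule; the 192.0.2.0/24 block is a constructed placeholder standing in for the N.N.N.0 of the quoted table.

```python
# Added example, not from the original post. Builds the RFC 1878 style
# subnet table for a block split with `mask_bits` extra mask bits and
# shows the effect of the legacy subnet-zero / all-ones restriction.
from ipaddress import IPv4Network


def subnet_table(block: str, mask_bits: int):
    """One row per subnet: network, dotted mask, host range, broadcast,
    and flags marking the all-zeros and all-ones subnets."""
    base = IPv4Network(block)
    subnets = list(base.subnets(new_prefix=base.prefixlen + mask_bits))
    rows = []
    for i, net in enumerate(subnets):
        hosts = list(net.hosts())  # excludes network and broadcast addresses
        rows.append({
            "network": str(net.network_address),
            "mask": str(net.netmask),
            "first_host": str(hosts[0]),
            "last_host": str(hosts[-1]),
            "hosts": len(hosts),
            "broadcast": str(net.broadcast_address),
            "subnet_zero": i == 0,                 # all subnet bits = 0
            "all_ones": i == len(subnets) - 1,     # all subnet bits = 1
        })
    return rows


def usable_subnets(block: str, mask_bits: int, legacy_rule: bool = False) -> int:
    """Count subnets: RFC 1878 keeps all of them; the legacy rule that the
    post describes (pre-RFC 1878) drops the all-zeros and all-ones subnets."""
    rows = subnet_table(block, mask_bits)
    if legacy_rule:
        rows = [r for r in rows if not (r["subnet_zero"] or r["all_ones"])]
    return len(rows)


if __name__ == "__main__":
    # Constructed example block; N.N.N.0 in the quoted table.
    for r in subnet_table("192.0.2.0/24", 1):
        print(f'{r["mask"]:16} {r["network"]:12} '
              f'{r["first_host"]}-{r["last_host"]:16} {r["broadcast"]}')
    print("RFC 1878 usable:", usable_subnets("192.0.2.0/24", 1))
    print("legacy-rule usable:", usable_subnets("192.0.2.0/24", 1, True))
```

With a 1-bit mask the legacy rule leaves zero subnets, which is why the post calls the .128 mask "useless under the original rules"; with 2 bits it leaves two of four.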