We've been all over the issue of using a 1 bit subnet mask as proposed in
the document below after one of our new employees challenged splitting our
Class C with a 1 bit mask as described below. While the firewall and routers
appear to handle this OK, our study and discussions with various networking
vendors indicate that the lowest subnet and highest subnet shouldn't really
be used as they are used by various routing protocols. Hence, the smallest
mask is supposed to be 2-bits which yields only 2 usable networks (01xxxxxx
and 10xxxxxx) and, on each of those, the lowest and highest addresses should
be avoided (01000000, 01111111, 10000000, and 10111111). That is, of the 256
possible addresses, only 124 are usable. Comments?
We've been running the configuration discussed (1 bit subnet) for several
years without a problem. We've been told recently that we haven't had
problems since we run static routes on our DMZ and Internet segments but if
we did dynamic routing, we'd have problems. Since we're looking into 2
firewalls and potentially 2 ISPs feeding the Internet segment, I'd like to
know of any issues or concerns.
One other consideration regarding splitting the network into 2 pieces. Our
DMZ is the location where our private connections to business partners
reside: that is, hard-wired links. However, splitting our registered class C
into 2 parts does cause problems for these partners if they also do business
with Damark through the Internet. We've considered getting another class C
from our ISP but are not sure we could justify it for private connections.
Does anyone have any comments or experience on this?
Private replies are fine with me, especially since 2 of these topics are
probably not of wide interest.
> -----Original Message-----
> From: Chris Brenton [SMTP:[EMAIL PROTECTED]]
> Sent: Saturday, March 13, 1999 5:22 AM
> To: Jon Wright
> Cc: [EMAIL PROTECTED]
> Subject: Re: Addressing/subnetting necessary to implement DMZ
>
> Jon Wright wrote:
> >
> > We presently have a class C network with no subnetting that is
> > connected directly to the Internet via a router. Our "firewall"
> > is packet filtering implemented by the router. We have about 50
> > systems on the network.
> >
> > We are making a quantum leap forward and setting up a DMZ. We've
> > purchased a second router and intend to implement packet filtering
> > on it, too.
>
> May I suggest Cisco IOS 11.3 or higher? At least then the filtering will
> be dynamic.
>
> > My question for the list regards addressing and subnetting. Do we
> > need any special addressing scheme to make this work? Do we need
> > to subnet our class C network? Any general tips for implementing
> > this scheme?
>
> Well, you will need to assign IP addresses between the two routers if you
> plan on locating systems there. This means you have two choices:
> 1) Get additional address space from your ISP
> 2) Subnet the address space you have
>
> If you apply a 255.255.255.128 subnet mask to the front of your address
> space, you get 126 usable addresses. This leaves half your address
> space free to do with as you please. You could use the whole thing on
> your DMZ or split the address space even further. For example, if you use
> a 255.255.255.192 subnet mask on the last half of your address space,
> you create two subnets capable of supporting 62 hosts. If you do not
> need this many addresses on your DMZ, you can tweak the masks as
> required.
>
> Cheers,
> Chris
> --
> **************************************
> [EMAIL PROTECTED]
>
> * Multiprotocol Network Design & Troubleshooting
> http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
> * Mastering Network Security
> http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
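As an added illustration that is not part of this thread, the short Python script below carves a /24 the two ways the messages discuss: once under the legacy rule that discards the all-zeros and all-ones subnets (giving the 124 usable addresses the first poster counts), and once under the modern rule, including Chris's layout of one /25 plus two /26s. The block 192.0.2.0/24 is a constructed stand-in for the poster's class C.

```python
import ipaddress


def subnet_plan(network: str, prefixlen: int, legacy: bool = False):
    """Carve `network` into equal subnets of length `prefixlen`.

    Returns a list of (subnet, usable_hosts). Usable hosts exclude the
    network and broadcast address of each subnet. With legacy=True the
    all-zeros ("subnet zero") and all-ones subnets are dropped as well,
    which is the older routing-protocol convention the thread worries about.
    """
    net = ipaddress.ip_network(network, strict=True)
    subnets = list(net.subnets(new_prefix=prefixlen))
    if legacy and len(subnets) > 1:
        subnets = subnets[1:-1]  # drop first (all-zeros) and last (all-ones)
    return [(str(s), s.num_addresses - 2) for s in subnets]


def total_usable(plan) -> int:
    """Sum the usable host addresses across a plan."""
    return sum(hosts for _, hosts in plan)


def last_octet_bits(subnet: str) -> str:
    """Binary form of a subnet's last octet, e.g. '01000000' for x.x.x.64."""
    net = ipaddress.ip_network(subnet)
    return format(int(net.network_address) & 0xFF, "08b")


def split_plan(network: str):
    """Chris's layout: front half as one /25, back half split into two /26."""
    net = ipaddress.ip_network(network, strict=True)
    front, back = net.subnets(new_prefix=25)
    plan = [(str(front), front.num_addresses - 2)]
    plan += [(str(s), s.num_addresses - 2) for s in back.subnets(new_prefix=26)]
    return plan


if __name__ == "__main__":
    block = "192.0.2.0/24"  # constructed stand-in for the poster's class C
    # 1-bit mask under the legacy rule: both subnets are discarded, nothing usable
    print("1-bit mask, legacy rule:", subnet_plan(block, 25, legacy=True))
    # 2-bit mask under the legacy rule: only 01xxxxxx and 10xxxxxx survive
    legacy26 = subnet_plan(block, 26, legacy=True)
    print("2-bit mask, legacy rule:", legacy26, "->", total_usable(legacy26), "usable")
    print("bit patterns:", [last_octet_bits(s) for s, _ in legacy26])
    # Modern rule: every subnet usable
    print("1-bit mask, modern rule:", total_usable(subnet_plan(block, 25)), "usable")
    print("/25 + two /26:", split_plan(block))
```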