"Scotchy" <mrwizard@donotreplytothisemailaddressbecauseitwon twork.com> wrote
in message news:...
> We have three PIX firewalls each with 4 DMZs and an inside interface. We
> are trying to come up with an addressing scheme that lets us identify the
> addresses from our network and know where they are. One thought was to use
> 10.0.0.0-10.255.255.255 with each byte representing a location. For example
> 10.PIX#.INTERFACE.0 which could be something like PIX1 on interface 4 would
> be 10.1.4.0, and PIX2 interface 4 would be 10.2.4.0, and also PIX2
> interface 1 would be 10.2.1.0, etc.
>
> The other thought is use a smaller range for example it would be
> 10.PIX#INTERFACE.0.0 or in the above example PIX1 on interface 4 would be
> 10.14.0.0, and PIX2 interface 4 would be 10.24.0.0, and also PIX2 interface
> 1 would be 10.21.0.0, etc.
>
> Is this crazy or are there better ways?
>
Just an assumption, but if you have 15 zones you may have a large number of
hosts. The scheme you are planning might be constraining because you have
left yourself only one octet for host addresses (254).
I was taught to subnet using leftmost bits and host addresses from the
right. It would require some mental gyration on your part, but if you use
128, 64, 192 (leftmost bits in the second octet) for inside zone(s) of your
three firewalls and the rightmost bits of the second octet for the DMZs, you
can still figure out which DMZ belongs to which firewall.
E.g., 129 would be DMZ1 of PIX1, 130 DMZ2, etc.
You have to visualize the 128, 64, & 192 as "backwards binary" for 1, 2, & 3
and the rightmost bits of the second octet in normal sequence. I know this
sounds confusing but, if you map the bits out on paper, it should make sense
to you.
Anyway, this will leave you 16 bits for host addressing in each of the zones
(less network and broadcast bits).
If this doesn't make sense to you, just ignore it.
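The bit mapping in the reply above, worked through in code. This is an added example and is not from either poster; it assumes the reply's convention that the two leftmost bits of the second octet carry the firewall number (128, 64, 192 for PIX1, PIX2, PIX3) and that the low six bits carry the DMZ index, with 0 meaning the inside interface. It also builds the original poster's two schemes for comparison, reading the second scheme's "PIX#INTERFACE" as the two digits written side by side (10.14.0.0 for PIX1, interface 4), and counts usable hosts with the standard-library `ipaddress` module.

```python
# Added example (not from the original thread): encode and decode the
# "backwards binary" zone scheme from the reply, and compare its host
# capacity with the original poster's two schemes.
import ipaddress

# Reply's mapping of PIX number -> value of the two leftmost bits of the
# second octet. "Backwards binary": 1 -> 128 (10xxxxxx), 2 -> 64 (01xxxxxx),
# 3 -> 192 (11xxxxxx).
PIX_HIGH_BITS = {1: 128, 2: 64, 3: 192}
HIGH_BITS_TO_PIX = {v: k for k, v in PIX_HIGH_BITS.items()}


def zone_network(pix, dmz=0):
    """Return the 10.X.0.0/16 network for one firewall zone.

    dmz=0 is the inside interface (128, 64 or 192 alone); dmz=1..4 are
    DMZ1..DMZ4, e.g. 129 = DMZ1 of PIX1, 130 = DMZ2 of PIX1. Assumed
    convention: the low six bits of the second octet hold the DMZ index.
    """
    if pix not in PIX_HIGH_BITS:
        raise ValueError("pix must be 1, 2 or 3")
    if not 0 <= dmz <= 63:
        raise ValueError("dmz index must fit in the low six bits")
    second_octet = PIX_HIGH_BITS[pix] | dmz
    return ipaddress.ip_network(f"10.{second_octet}.0.0/16")


def decode_address(addr):
    """Map any 10.x.y.z address back to (pix, dmz) by splitting octet two."""
    ip = ipaddress.ip_address(addr)
    if ip not in ipaddress.ip_network("10.0.0.0/8"):
        raise ValueError("address is not inside 10.0.0.0/8")
    second_octet = ip.packed[1]
    high = second_octet & 0b11000000
    low = second_octet & 0b00111111
    if high not in HIGH_BITS_TO_PIX:
        # 10.0.0.0 - 10.63.255.255 has high bits 00 and is unassigned here.
        raise ValueError("high bits 00 are not assigned to any firewall")
    return HIGH_BITS_TO_PIX[high], low


def usable_hosts(network):
    """Usable host addresses, less the network and broadcast addresses."""
    return network.num_addresses - 2


def poster_scheme_a(pix, iface):
    """Original poster's first idea: 10.PIX#.INTERFACE.0/24."""
    return ipaddress.ip_network(f"10.{pix}.{iface}.0/24")


def poster_scheme_b(pix, iface):
    """Original poster's second idea: 10.PIX#INTERFACE.0.0/16 (10.14.0.0)."""
    return ipaddress.ip_network(f"10.{pix * 10 + iface}.0.0/16")


if __name__ == "__main__":
    for pix in (1, 2, 3):
        for dmz in range(0, 5):
            net = zone_network(pix, dmz)
            label = "inside" if dmz == 0 else f"DMZ{dmz}"
            print(f"PIX{pix} {label:6s} -> {net} ({usable_hosts(net)} hosts)")
    print(decode_address("10.129.10.5"))
    print(usable_hosts(poster_scheme_a(1, 4)), usable_hosts(poster_scheme_b(1, 4)))
```

Running it lists the fifteen /16 zones and shows why the reply prefers its layout: every zone gets 65534 usable hosts and the firewall can be read off an address by looking at the top two bits of the second octet, whereas the poster's first scheme caps each zone at 254 hosts.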