Networking, Firewall, The Network Tree IPv4
NOTE: This information is now considered
legacy. Moving forward there should only be one firewall policy for an entire network range.
Refer to this page for more details: Networking, Firewall, Service Participation
Introduction to the visual approach
Put in visual terms, the rules for participation in campus firewall groups can be restated in another way:
- You can create a valid network tree by dividing your network size
by 2, and continuing to divide each branch until you reach either a
single IP address or the smallest size network cluster that you wish to
define.
- You must make sure that all the IP addresses in your network space belong to one (and only one) selected "leaf" of the tree.
- You can select no more than six "leaves," and must cover your complete network space with the leaves you select.
Examples
In the examples below, five leaves are selected to define a network range containing 128 hosts. (This leaves a sixth leaf available for the IP addresses from 128 to 256, in order to cover a 256-unit IP space in the six segments permitted to users of the campus firewall; however, including all 256 units in these graphics would make the page unreadable.)
Figure 1: The network tree
Because of the nature of binary calculation, a network containing 128 addresses will begin at 0 and end at 127, and each leaf will begin on an even number (including 0). In each of the squares above, the top number is the number of addresses in that segment of the network, and the bottom numbers are the particular IP addresses included.
Selecting your leaves
There are three points to keep in mind when selecting your first leaf:
- The first leaf must contain the first address in the network segment.
This is to ensure that the entire network range can be selected, in accordance with the rule that states that "all IP addresses must be covered."
- Your first leaf should probably contain at least 16 addresses. (It may be helpful to select a leaf containing more.)
While not a hard and fast rule, the Network Design Office recommends that you allow at least 10 IP addresses for network equipment at the very beginning of a network space.
- Your first leaf should probably be assigned to the Fully Closed group.
Again, this is not an absolute, but network equipment should normally be assigned to a Fully Closed group. (As noted above, you may wish to make this IP range larger than what network equipment alone would require, since many workstations should also be in a Fully Closed group.)
To illustrate these three points, the following example network is using the 64-address leaf from 0-63 as its first selection, shown below in Figure 2.
Figure 2: The first node
After your first leaf has been selected, we return to the rule stating that "all IP addresses must be covered" for assistance in determining what leaves are valid for a second selection.
In this case, since the first leaf ends with address 63, the second leaf must begin with 64, as shown above. You can choose whichever size leaf you wish, but the next one must be numerically adjacent to the first.
Figure 3: The second and third nodes
In this example, we've selected the 8-unit node from 64 to 71 as our next leaf.
While it is possible and permissible to continue subdividing leaves to 4, 2, and 1, the restriction on the number of groups that may be added to the firewall means that medium to large subnetworks won't use such small divisions very often. (In addition, continuing to subdivide to that scale would have made the graphic too large even for high-resolution screens.)
Therefore, the third leaf selected is the 8-unit node from 72 to 79. (The 16-unit node above it cannot be selected because it does not begin with 72, as pointed out by the green circles in the graphic below.)
After these two nodes have been selected, we arrive at a choice of leaves once more: there are 16-unit and 8-unit nodes available that begin with address 80, shown below.
In this case, let's select the 16-unit node for our fourth. Choosing smaller leaves means that you need more groups to cover from one end of the range to another, and the upper limit is 6.
Figure 4: The fourth node
After selecting the 16-node leaf from 80 to 95, another decision point is reached; several leaves begin with 96.
Technically, any of them could be chosen; however, choosing the 8-node would mean that it would require the use of at least 7 leaves to cover the full range. You could use your 6-leaf allotment by selecting the two 16-nodes. You could also use 5 leaves for this 128-node network segment and reserve the 6th for another future network segment.
Figure 5: The fifth node
For the sake of the example, we've chosen the 32-node leaf from 96 to 127 to finish the IP range.
This network distribution follows each of the rules and suggestions for creating campus firewall-compatible network subdivisions:
- (Required) Each IP address in the network space from 0 to 127 is included and belongs to one and only one group.
- (Required) Each range begins on a subnet maskable number.
- (Required) There are six or fewer groups used to describe the entire range.
- (Recommended) The first group contains at least 10 IP addresses.
- (Recommended) The first group can be assigned to the Fully Closed group.
From pictures to IP addressses and netmasks
The following table shows how to translate from leaves back to addresses, with the assistance of the netmask table in the Powers of Two page:
Leaf size | is equivalent to | Subnet mask | combined with | Starting address | to give | Leaf addresses |
64 | ( -> ) | /26 | ( + ) | 0 | ( = ) | 0-63 |
8 | ( -> ) | /29 | ( + ) | 64 | ( = ) | 64-71 |
8 | ( -> ) | /29 | ( + ) | 72 | ( = ) | 72-79 |
16 | ( -> ) | /28 | ( + ) | 80 | ( = ) | 80-95 |
32 | ( -> ) | /27 | ( + ) | 96 | ( = ) | 96-127 |
Using the "starting address" column as the IP address and the "subnet mask" column as the range delimiter, you can translate the graphic shown above into the following series of IP ranges for submission to the campus firewall service:
- Firewall group 1 - 192.168.0.0 /26
- Firewall group 2 - 192.168.0.64 /29
- Firewall group 3 - 192.168.0.72 /29
- Firewall group 4 - 192.168.0.80 /28
- Firewall group 5 - 192.168.0.96 /27
As mentioned above, the first range should probably belong to the Fully Closed group. For similar reasons, it may also be useful to make your final group a Fully Closed group; some network devices may also be placed at the high end of the range, and Fully Closed is the most secure firewall group. You can choose whichever firewall groups you wish, however.