Networking, Firewall, Group Planning Worksheet IPv4
NOTE: This information is now considered
legacy. Moving forward with both IPv4 and IPv6 networks, it is strongly
encouraged to specify only a single firewall policy for the entire
network range.
Refer to this page for more details: Networking, Firewall, Service Participation
You may want to use the following worksheet when trying to segment your network:
Firewall group planning worksheet

| Network number         |   |
| Subnet mask            |   |
| Number of IP #s on net |   |
| Number of active hosts |   |

| Firewall category                      | Ideal number of hosts | Closest power of 2 (lower) | Closest power of 2 (higher) |
|----------------------------------------|-----------------------|----------------------------|-----------------------------|
| Fully Closed (+/- UI)                  |                       |                            |                             |
| Fully Closed + Remote Admin (+/- UI)   |                       |                            |                             |
| Mostly Closed (+/- UI)                 |                       |                            |                             |
| Mostly Closed + Remote Admin (+/- UI)  |                       |                            |                             |
| Mostly Open (+/- UI)                   |                       |                            |                             |
| Fully Open                             |                       |                            |                             |
| Total                                  |                       |                            |                             |
General hints
If you want to place your hosts in more than one firewall group, start by dividing your IP space in half. Create your biggest group first, at either the beginning or the end of your IP space. Keep dividing the remainder of space in halves to get the ranges that you want.
Netmasks from /24 (including 256 hosts) to /31 (including 2 hosts) will give you the best granularity levels for arranging your groups.
Example worksheet #1:
Firewall group planning worksheet

| Network number         | 172.21.8.0    |
| Subnet mask            | 255.255.255.0 |
| Number of IP #s on net | 254           |
| Number of active hosts | 200           |

| Firewall category | Ideal number of hosts | Closest power of 2 (lower) | Closest power of 2 (higher) |
|-------------------|-----------------------|----------------------------|-----------------------------|
| Fully Closed      | 220                   | 128                        | 256                         |
| Mostly Closed     | 10                    | 8                          | 16                          |
| Mostly Open       | 10                    | 8                          | 16                          |
| Fully Open        | 14                    | 8                          | 16                          |
| Total             | 254                   |                            |                             |
Case 1:
Each department can utilize six IP ranges. Obviously to get 220 (or a
number close to that), we are going to have to use more than one IP
range for Fully Closed.
128 + 64 + 32 = 224, which is close to what we want.
Let's start by taking half of our IP range (128 hosts) and assigning that range to Fully Closed.
128 hosts are included in a /25 netmask, 64 hosts are included in a /26 netmask, and 32 hosts are included in a /27 netmask.
The ranges 172.21.8.0 /25, 172.21.8.128 /26, and 172.21.8.192 /27 together give us the IP addresses from 172.21.8.0 to 172.21.8.223 for Fully Closed. This follows the NDO recommendation for putting the networking equipment in the Fully Closed category.
That would leave us 32 addresses to assign to the other three groups:
172.21.8.224 /28 gives 16 hosts (224 to 239) for Fully Open
172.21.8.240 /29 gives 8 hosts (240 to 247) for Mostly Open
172.21.8.248 /29 gives 8 hosts (248 to 255) for Mostly Closed
And we have used 6 IP ranges for the firewall groupings.
Case 2:
Let's take the same numbers but say we could get by with 192 addresses
for Fully Closed even though we had indicated that 220 was ideal. We
really need to have at least 10 hosts in Mostly Open and Mostly Closed.
128 + 64 = 192 addresses
128 hosts are described by /25, and 64 hosts are described by /26.
172.21.8.0 /25 and 172.21.8.128 /26 combine to give us 192 addresses for Fully Closed (from 172.21.8.0 to 172.21.8.191).
This leaves 64 addresses (from 172.21.8.192 to 172.21.8.255) for the other three groups:
172.21.8.192 /27 = 32 hosts (192 to 223) for Fully Open
172.21.8.224 /28 = 16 hosts (224 to 239) for Mostly Open
172.21.8.240 /28 = 16 hosts (240 to 255) for Mostly Closed
In this scenario we have used 5 groups on the firewall. Again the networking equipment range is in the Fully Closed category.
Example worksheet #2:
Firewall group planning worksheet

| Network number         | 172.21.8.0    |
| Subnet mask            | 255.255.255.0 |
| Number of IP #s on net | 254           |
| Number of active hosts | 200           |

| Firewall category | Ideal number of hosts | Closest power of 2 (lower) | Closest power of 2 (higher) |
|-------------------|-----------------------|----------------------------|-----------------------------|
| Fully Closed      | 24                    | 16                         | 32                          |
| Mostly Closed     | 10                    | 8                          | 16                          |
| Mostly Open       | 20                    | 16                         | 32                          |
| Fully Open        | 200                   | 192                        | 224                         |
| Total             | 254                   |                            |                             |
Case 1:
This department has determined that it has a need for at least 200
hosts in the Fully Open category. So they opt to have 224 IP numbers in
the Fully Open category rather than 192. Since 224 = 128 + 64 + 32, that
means netmasks of /25, /26, and /27, taken from the top of the range:
172.21.8.128 /25 +
172.21.8.64 /26 +
172.21.8.32 /27 =
all hosts from 172.21.8.32 to 172.21.8.254 would be Fully Open.
But there are only 32 addresses left for the other categories. One possible division is:
172.21.8.24 /29 = 8 hosts (24 to 31) for Mostly Open
172.21.8.16 /29 = 8 hosts (16 to 23) for Mostly Closed
172.21.8.0 /28 = 16 hosts (0 to 15) for Fully Closed
(remember, Technology Services recommends that you reserve part of this first range for networking equipment, so the actual number of IP numbers that can be assigned from this range is rather limited.)
Case 2:
The department has decided that some of the hosts it was going to put
in the Mostly Open category could actually be a part of the Mostly
Closed category. So a modified partitioning to reflect this may look
like the following:
172.21.8.128 /25 +
172.21.8.64 /26 +
172.21.8.32 /27 =
an IP range of 172.21.8.32 to 172.21.8.254 for Fully Open
172.21.8.16 /28 = 16 hosts (16 to 31) for Mostly Closed
172.21.8.0 /28 = 16 hosts (0 to 15) for Fully Closed
(remember, Technology Services recommends that you reserve part of this first range for networking equipment, so the actual number of IP numbers that can be assigned from this range is rather limited.)
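The halving procedure from the general hints, and the way it produces both the bottom-up layout of example worksheet #1 and the top-down layout of example worksheet #2, can be written as a small allocator. The following is an added example, not a tool from the original page or from Technology Services; it uses only the Python standard library `ipaddress` module, and the group names and host counts are taken from the worked cases above. It goes slightly beyond the page in that it also validates a plan (all blocks inside the network, no two overlapping) and answers which firewall group a given host address falls into, which is the check you want before pushing the ranges to the firewall.

```python
"""Carve an IPv4 block into power-of-two ranges, one or more per firewall group.

Added example (not part of the original worksheet page). It implements the
"divide the space in halves" rule from the general hints; group names and
sizes in __main__ are the page's own example numbers, nothing here is a
Technology Services tool or API.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Plan = Dict[str, List[ipaddress.IPv4Network]]


def decompose(count: int) -> List[int]:
    """Split a host count into descending powers of two: 224 -> [128, 64, 32]."""
    if count <= 0:
        raise ValueError("host count must be positive")
    parts: List[int] = []
    bit = 1 << (count.bit_length() - 1)
    while bit:
        if count & bit:
            parts.append(bit)
        bit >>= 1
    return parts


def carve(network: str, requests: List[Tuple[str, int]], from_top: bool = False) -> Plan:
    """Allocate each (group, host_count) request out of `network`, in order.

    Every request is met with one or more power-of-two blocks. A free block
    that is too large is halved repeatedly and the unused half goes back into
    the pool, which is exactly the halving procedure in the hints.
    from_top=False fills from the lowest address upward (example worksheet #1);
    from_top=True fills from the highest address downward (example worksheet #2).
    """
    net = ipaddress.ip_network(network)
    free: List[ipaddress.IPv4Network] = [net]
    plan: Plan = {name: [] for name, _ in requests}
    for name, wanted in requests:
        for size in decompose(wanted):
            # Pick the nearest free block (lowest or highest) that can hold `size`.
            free.sort(key=lambda b: int(b.network_address), reverse=from_top)
            idx = next((i for i, b in enumerate(free) if b.num_addresses >= size), None)
            if idx is None:
                raise ValueError(f"no room for {size} addresses for {name!r}")
            block = free.pop(idx)
            while block.num_addresses > size:
                lower, upper = block.subnets(prefixlen_diff=1)
                # Keep the half on our side; return the other half to the pool.
                block, spare = (upper, lower) if from_top else (lower, upper)
                free.append(spare)
            plan[name].append(block)
    return plan


def check_plan(network: str, plan: Plan) -> bool:
    """True if every block lies inside `network` and no two blocks overlap."""
    net = ipaddress.ip_network(network)
    blocks = [b for bs in plan.values() for b in bs]
    inside = all(b.subnet_of(net) for b in blocks)
    disjoint = not any(a.overlaps(b) for i, a in enumerate(blocks) for b in blocks[i + 1:])
    return inside and disjoint


def group_of(plan: Plan, host: str) -> Optional[str]:
    """Return the firewall group whose ranges contain `host`, or None."""
    addr = ipaddress.ip_address(host)
    for name, blocks in plan.items():
        if any(addr in b for b in blocks):
            return name
    return None


def range_count(plan: Plan) -> int:
    """Number of address ranges (firewall group entries) the plan needs."""
    return sum(len(bs) for bs in plan.values())


if __name__ == "__main__":
    # Example worksheet #1, case 1: the block sizes chosen on the page.
    case1 = carve("172.21.8.0/24", [("Fully Closed", 224), ("Fully Open", 16),
                                    ("Mostly Open", 8), ("Mostly Closed", 8)])
    for group, blocks in case1.items():
        print(group, [str(b) for b in blocks])
    print("ranges used:", range_count(case1), "valid:", check_plan("172.21.8.0/24", case1))
```

Request order matters: the largest group goes first, as the hints say, and the allocator then fills the remainder with the smaller groups in the order given, so reordering the requests reproduces the different layouts of the two worksheets. A request list whose sizes add up to more than the network raises `ValueError` instead of silently overlapping ranges.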