Networking, Firewall, Group Planning Worksheet IPv4

For IT Pros: This page contains mathematical information about how to calculate IP address ranges for use with the campus firewall groups.

NOTE: This information is now considered legacy.  Moving forward with both IPv4 and IPv6 networks, it is strongly encouraged to specify only a single firewall policy for the entire network range.

Refer to this page for more details: Networking, Firewall, Service Participation


You may want to use the following worksheet when trying to segment your network:

Firewall group planning worksheet
Network number  
Subnet mask  
Number of IP #s on net  
Number of active hosts  
Firewall category Ideal number of hosts Closest power of 2
Lower........... Higher...........
Fully Closed
(+/- UI)
     
Fully Closed + Remote Admin
(+/- UI)
     
Mostly Closed
(+/- UI)
     
Mostly Closed + Remote Admin
(+/- UI)
     
Mostly Open
(+/- UI)
     
Fully Open      
Total  

General hints

If you want to place your hosts in more than one firewall group, start by dividing your IP space in half. Create your biggest group first, at either the beginning or the end of your IP space. Keep dividing the remainder of space in halves to get the ranges that you want.

Netmasks from /24 (including 256 hosts) to /31 (including 2 hosts) will give you the best granularity levels for arranging your groups.

Example worksheet #1:

Firewall group planning worksheet
Network number 172.21.8.0
Subnet mask 255.255.255.0
Number of IP #s on net 254
Number of active hosts 200
Firewall category Ideal number of hosts Closest power of 2
Lower........... Higher...........
Fully Closed 220 128 256
Mostly Closed 10 8 16
Mostly Open 10 8 16
Fully Open 14 8 16
Total 254

Case 1:
Each department can utilize six IP ranges. Obviously to get 220 (or a number close to that), we are going to have to use more than one IP range for Fully Closed.

128 + 64 + 32 = 224, which is close to what we want.

Let's start by taking 1/2 of our IP range (128) hosts and assign that range to Fully Closed.

128 hosts are included in a /25 netmask, 64 hosts are included in a /26 netmask, and 32 hosts are included in a /27 netmask.

The netmasks 172.21.8.0 /25, 172.21.8.128 /26, and 172.21.8.192 /27 would give us the range of IP addresses from 172.21.8.0 to 172.21.8.223 for Fully Closed. This follows the NDO recommendation for putting the networking equipment in the Fully Closed category.

That would leave us 32 addressses to assign to the other three groups:

172.21.8.224 /28 gives 16 hosts (224 to 239) for Fully Open
172.21.8.240 /29 gives 8 hosts (240 to 247) for Mostly Open
172.21.8.248 /29 gives 8 hosts (248 to 255) for Mostly Closed

And we have used 6 IP ranges for the firewall groupings.

 

Case 2:
Let's take the same numbers but say we could get by with 192 addresses for Fully Closed even though we had indicated that 220 was ideal. We really need to have at least 10 hosts in Mostly Open and Mostly Closed.

128 + 64 = 192 addresses

128 hosts are described by /25, and 64 hosts are described by /26.

172.21.8.0 /25 and 172.21.8.128 /26 combine to give us 192 addresses for Fully Closed (from 172.21.8.0 to 172.21.8.191).

This leaves 64 addresses (from 172.21.8.192 to 172.21.8.255) for the other three groups:

172.21.8.192 /27 = 32 hosts (192 to 223) for Fully Open
172.21.8.224 /28 = 16 hosts (224 to 239) for Mostly Open
172.21.8.240 /28 = 16 hosts (240 to 255) for Mostly Closed

In this scenario we have used 5 groups on the firewall. Again the networking equipment range is in the Fully Closed category.

Example worksheet #2:

Firewall group planning worksheet
Network number 172.21.8.0
Subnet mask 255.255.255.0
Number of IP #s on net 254
Number of active hosts 200
Firewall category Ideal number of hosts Closest power of 2
Lower........... Higher...........
Fully Closed 24 16 32
Mostly Closed 10 8 16
Mostly Open 20 16 32
Fully Open 200 192 224
Total 254

Case 1:
This department has determined that it has a need for at least 200 hosts in the Fully Open category. So they opt to have 224 IP numbers in the Fully Open category rather than 192. So 224 = 128 + 64 + 32 = netmasks of /25, /26, and /27.

172.21.8.128 /25 +
172.21.8.64 /26 +
172.21.8.32 /27 =
all hosts from 172.21.8.32 to 172.21.8.254 would be Fully Open.

But there are only 32 addresses left for the other categories. One possible division is

172.21.8.24 /29 = 8 hosts (24 to 31) for Mostly Open
172.21.8.16 /29 = 8 hosts (16 to 23) for Mostly Closed
172.21.8.0 /28 = 16 hosts (0 to 15) for Fully Closed
(remember, Technology Services recommends that you reserve part of this first range for networking equipment, so the actual number of IP numbers that can be assigned from this range is rather limited.)

Case 2:
The department has decided that some of the hosts it was going to put in the Mostly Open category could actually be a part of the Mostly Closed category. So a modified partitioning to reflect this may look like the following:

(172.21.8.128 /25 +
172.21.8.64 /26 +
172.21.8.32 /27 =)
an IP range of 172.21.8.32 to 172.21.8.254 for Fully Open

172.21.8.16 /28 = 16 hosts (16 to 31) for Mostly Closed

172.21.8.0 /28 = 16 hosts (0 to 15) for Fully Closed
(remember, Technology Services recommends that you reserve part of this first range for networking equipment, so the actual number of IP numbers that can be assigned from this range is rather limited.)



Keywords:
IP address, IP ranges, firewall groups, firewall, Firewall group planning worksheet, Subnet, mask, Fully Closed, Remote Admin, Mostly Closed, Mostly Open, Fully Open, power of two 
Doc ID:
47962
Owned by:
Network E. in University of Illinois Technology Services
Created:
2015-03-03
Updated:
2020-07-22
Sites:
University of Illinois Technology Services