For IT Pros: This page contains visual information about how to calculate IP address ranges for use with the campus firewall groups.
NOTE: This information is now considered
legacy. Moving forward with both IPv4 and IPv6 networks, it is strongly
encouraged to specify only a single firewall policy for the entire
network range.
Refer to this page for more details: Networking, Firewall, Service Participation
Put in visual terms, the rules for participation in campus firewall groups can be restated in another way:
In the examples below, five leaves are selected to define a network range containing 128 hosts. (This leaves a sixth leaf available for the IP addresses from 128 to 256, in order to cover a 256-unit IP space in the six segments permitted to users of the campus firewall; however, including all 256 units in these graphics would make the page unreadable.)
Because of the nature of binary calculation, a network containing 128 addresses will begin at 0 and end at 127, and each leaf will begin on an even number (including 0). In each of the squares above, the top number is the number of addresses in that segment of the network, and the bottom numbers are the particular IP addresses included.
There are three points to keep in mind when selecting your first leaf:
To illustrate these three points, the following example network is using the 64-address leaf from 0-63 as its first selection, shown below in Figure 2.
After your first leaf has been selected, we return to the rule stating that "all IP addresses must be covered" for assistance in determining what leaves are valid for a second selection.
In this case, since the first leaf ends with address 63, the second leaf must begin with 64, as shown above. You can choose whichever size leaf you wish, but the next one must be numerically adjacent to the first.
In this example, we've selected the 8-unit node from 64 to 71 as our next leaf.
While it is possible and permissible to continue subdividing leaves to 4, 2, and 1, the restriction on the number of groups that may be added to the firewall means that medium to large subnetworks won't use such small divisions very often. (In addition, continuing to subdivide to that scale would have made the graphic too large even for high-resolution screens.)
Therefore, the third leaf selected is the 8-unit node from 72 to 79. (The 16-unit node above it cannot be selected because it does not begin with 72, as pointed out by the green circles in the graphic below.)
After these two nodes have been selected, we arrive at a choice of leaves once more: there are 16-unit and 8-unit nodes available that begin with address 80, shown below.
In this case, let's select the 16-unit node for our fourth. Choosing smaller leaves means that you need more groups to cover from one end of the range to another, and the upper limit is 6.
After selecting the 16-node leaf from 80 to 95, another decision point is reached; several leaves begin with 96.
Technically, any of them could be chosen; however, choosing the 8-node would mean that it would require the use of at least 7 leaves to cover the full range. You could use your 6-leaf allotment by selecting the two 16-nodes. You could also use 5 leaves for this 128-node network segment and reserve the 6th for another future network segment.
For the sake of the example, we've chosen the 32-node leaf from 96 to 127 to finish the IP range.
This network distribution follows each of the rules and suggestions for creating campus firewall-compatible network subdivisions:
The following table shows how to translate from leaves back to addresses, with the assistance of the netmask table in the Powers of Two page:
Leaf size | is equivalent to | Subnet mask | combined with | Starting address | to give | Leaf addresses |
64 | ( -> ) | /26 | ( + ) | 0 | ( = ) | 0-63 |
8 | ( -> ) | /29 | ( + ) | 64 | ( = ) | 64-71 |
8 | ( -> ) | /29 | ( + ) | 72 | ( = ) | 72-79 |
16 | ( -> ) | /28 | ( + ) | 80 | ( = ) | 80-95 |
32 | ( -> ) | /27 | ( + ) | 96 | ( = ) | 96-127 |
Using the "starting address" column as the IP address and the "subnet mask" column as the range delimiter, you can translate the graphic shown above into the following series of IP ranges for submission to the campus firewall service:
As mentioned above, the first range should probably belong to the Fully Closed group. For similar reasons, it may also be useful to make your final group a Fully Closed group; some network devices may also be placed at the high end of the range, and Fully Closed is the most secure firewall group. You can choose whichever firewall groups you wish, however.