ISP block - TCP-IP



Thread: ISP block

  1. ISP block

    My upstream provider has given us a /24 IP block that we would like to
    use. I already have a WAN /30 that they have given us and we use that
    to connect our firewall to their gateway for internet traffic.

    What are my best practices for getting the rest of the IP addresses
    set for use? Do I need my own DNS server, and what gateway am I using for
    this?

    Any help please. I am familiar with LAN networking, now ISP and WAN
    networking, so I just need a push in the right direction.

    Thanks

    R

  2. Re: ISP block

    In article
    <33dcb0ef-503e-461a-8979-b95da8398c7a@l64g2000hse.googlegroups.com>,
    ramcneilly@gmail.com wrote:

    > My upstream provider has given us a /24 IP block that we would like to
    > use. I already have a WAN /30 that they have given us and we use that
    > to connect our firewall to their gateway for internet traffic.
    >
    > What are my best practices for getting the rest of the IP addresses
    > set for use? Do I need my own DNS server, and what gateway am I using for
    > this?
    >
    > Any help please. I am familiar with LAN networking, now ISP and WAN
    > networking, so I just need a push in the right direction.


    Since you have a firewall, you should probably use the /24 for static
    NAT addresses that go to different servers on your LAN or DMZ. Although
    I'm surprised that you need a whole /24 for this -- do you really have
    over 100 servers that need to be distinguished by address?

    The ISP should be routing the /24 block to the segment that connects
    your firewall to the gateway, and the firewall will handle the rest.

    --
    Barry Margolin, barmar@alum.mit.edu
    Arlington, MA
    *** PLEASE don't copy me on replies, I'll read them in the group ***

  3. Re: ISP block

    On Fri, 20 Jun 2008 16:18:36 -0700, ramcneilly wrote:

    > My upstream provider has given us a /24 IP block that we would like to
    > use. I already have a WAN /30 that they have given us and we use that
    > to connect our firewall to their gateway for internet traffic.
    >
    > What are my best practices for getting the rest of the IP addresses set
    > for use? Do I need my own DNS server, and what gateway am I using for this?


    Sounds like a fairly normal and sane setup. The provider's router gets one IP
    in the /30, your outside interface on the firewall the other.

    Inside, it doesn't really matter, but many people use the .1 address as
    the gateway address. Others the .254. Just a matter of personal
    preference. So that address goes on the inside interface.

    If you don't foresee any subdivision in the future, just use it as a /24,
    otherwise think about splitting it up. Most people don't split, but many
    others f.i. don't want Wintel together with other boxes. Also, you may
    want to create multiple DMZs so if one machine is hacked, others are
    unreachable. But that can also be done with a whole /24 and port security
    on the switches, which saves IP addresses (other setups are possible as
    well).

    Splitting up can have some advantages, but takes away flexibility.
    Changing this afterward is a pain in the ass, so give it some thought.

    If you do split into multiple subnets, obviously each needs its own
    gateway address on the firewall.

    One nice trick for splitting, if your firewall supports it, is to use
    VLANs. Your inside interface on the firewall can be one physical
    interface that acts as a trunk and can firewall multiple VLANs. I used
    this trick successfully with Cisco PIX (now ASA) and Linux based
    firewalls, others should be able to do the same.

    If you also have a NATted LAN behind this Internet link, think if you
    want to split that off at the firewall and let the firewall do the
    natting or have a separate nat box in your DMZ (that /24, that is). I
    personally prefer the first, but Microsoft ISA is easier to set up with
    the second scenario. And if you need special natting needs that your
    firewall cannot handle, you have to do the second scenario.

    You do need reverse DNS, but you can either do that yourself, or your
    provider can do that for you. For either your provider has to set things
    up. If you don't have a DNS server for forward (domain) lookup, let your
    provider handle this. You just tell him a.b.c.d now should point to
    brandnew.www.mydomain.com.

    IP addresses not in use should either have no reverse or something like
    unused.mydomain.com. Addresses in use should point to the canonical name
    of the host. In fact you can have multiple PTR records for an IP address,
    and probably should, but no one does that.

    Make it a practice to set up both forward and reverse DNS together. Don't
    forget the reverse when removing or changing forwards!

    >
    > Any help please. I am familiar with LAN networking, now ISP and WAN
    > networking, so I just need a push in the right direction.


    There is not much to it apart from:
    * Keeping your DNS straight
    * Getting between everyone's ears that the Internet is a hostile place and
    you're now part of it
    * Setting up a security policy
    * Setting up a firewall and DMZs
    * Having the role accounts (postmaster@, abuse@) actively monitored for ALL
    domains

    Something else you may want to look at is that the provider uses fair
    queuing on both ends of your leased line, but any sane provider does
    that. What that means is that each flow gets its own buffer in the
    router and these buffers are served round robin. This is essential in
    keeping the links with the least bandwidth (normally that is your leased
    line) flowing nicely and evenly. If you don't do this, any big down- or
    upload can completely destroy all other traffic on the link.

    Something else to look into is QoS, give some traffic priority and
    bandwidth guarantees over others. But that is fairly expensive and only
    really worthwhile (but then it's essential!) if you do VOIP over that
    link. And the VOIP case is often already in place nowadays, even on links
    that don't do any other QoS.

    HTH,
    M4
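The forward/reverse DNS hygiene M4 describes (every address in use has a PTR pointing at its canonical name, PTRs are removed with their forwards, unused addresses carry no reverse or an "unused" placeholder) is easy to get wrong by hand. This added example, not code from the thread, audits a constructed set of A and PTR records for a routed /24 and emits paired zone lines; the 192.0.2.0/24 block and the mydomain.example names are placeholders, not the poster's real allocation.

```python
import ipaddress

# Constructed sample data: a placeholder routed /24 (TEST-NET-1) and a few records.
BLOCK = ipaddress.ip_network("192.0.2.0/24")
A_RECORDS = {                                   # forward zone: hostname -> address
    "www.mydomain.example": "192.0.2.10",
    "mail.mydomain.example": "192.0.2.25",
    "old.mydomain.example": "192.0.2.40",       # forward added, reverse forgotten
}
PTR_RECORDS = {                                  # reverse zone: address -> PTR names
    "192.0.2.10": ["www.mydomain.example"],
    "192.0.2.25": ["mail.mydomain.example", "smtp.mydomain.example"],  # 2nd has no A
    "192.0.2.99": ["gone.mydomain.example"],    # stale reverse, forward was removed
    "192.0.2.200": ["unused.mydomain.example"], # placeholder for an unassigned address
}

def audit(block, a_records, ptr_records):
    """Return sorted (address, problem) pairs where forward and reverse disagree."""
    in_use = {}  # address -> set of hostnames that resolve to it
    for name, addr in a_records.items():
        if ipaddress.ip_address(addr) in block:
            in_use.setdefault(addr, set()).add(name)
    problems = []
    # Rule 1: every address with a forward record needs a reverse record.
    for addr in in_use:
        if addr not in ptr_records:
            problems.append((addr, "missing PTR"))
    # Rule 2: every PTR (other than an 'unused.' placeholder) must map back via an A record.
    for addr, names in ptr_records.items():
        if ipaddress.ip_address(addr) not in block:
            continue
        for name in names:
            if name.startswith("unused."):
                continue
            if a_records.get(name) != addr:
                problems.append((addr, f"PTR {name} has no matching A record"))
    return sorted(problems)

def paired_records(name, addr, ttl=3600):
    """Zone lines for one host: the A record and its PTR, always produced together."""
    ip = ipaddress.ip_address(addr)
    return (f"{name}. {ttl} IN A {ip}",
            f"{ip.reverse_pointer}. {ttl} IN PTR {name}.")

if __name__ == "__main__":
    for addr, problem in audit(BLOCK, A_RECORDS, PTR_RECORDS):
        print(f"{addr}: {problem}")
    print("\n".join(paired_records("www.mydomain.example", "192.0.2.10")))
```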
