ham2065
Explorer

External Topology and Addressing

Hi 
We have an ARIN-assigned /24 public range. The physical topology of the external internet link is the typical ISP <> External Router <> Layer 2 Switches <> Checkpoint ClusterXL.
Is it best to use /24 for addressing the external Checkpoint ClusterXL interfaces/VIP or use a smaller /28 or /29 for addressing the external Checkpoint ClusterXL interfaces and then route the /24 range on the External Router to the Checkpoint ClusterXL VIP interface?

I know both will work but wanted to get some feedback on best practices and security considerations. Note - we also have DDoS protection/scrubbing on the /24 range. As a result, is it safer to use the first option?
0 Kudos
3 Replies
_Val_
Admin

Usually, external routable IPs are scarce and expensive, so people try to be as economical as possible when defining the external subnet. But if you have a /24, knock yourself out and have a party 🙂

From where I stand, these settings are not related to security but to networking.

0 Kudos
Chris_Atkinson
Employee

Either way, but routing the addresses towards the firewall and removing the reliance on proxy-ARP gets my vote.

Also, since you raised the DDoS topic, you may opt to route only the used addresses and send the others to Null.

CCSM R77/R80/ELITE
0 Kudos
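The routed design from the reply above (a small transit subnet between the external router and the ClusterXL VIP, the rest of the /24 routed to the cluster, and unused addresses sent to Null0) worked through as an added example. This is not code from the original thread or from Check Point: the 203.0.113.0/24 block is the RFC 5737 documentation range standing in for the ARIN-assigned /24, the "used" addresses are constructed, the router syntax is assumed to be Cisco IOS-style, and the /29 placement and transit address assignment are one arbitrary choice.

```python
"""Address plan for 'route the /24 to the cluster, null the unused addresses'.

Added example. Addresses are constructed (RFC 5737 TEST-NET-3), the router
syntax is an assumed IOS-style 'ip route', and the transit layout is one
arbitrary choice. Adapt all of it to the real external router and cluster.
"""
import ipaddress

# Constructed: stands in for the ARIN-assigned /24 from the question.
PUBLIC_BLOCK = ipaddress.ip_network("203.0.113.0/24")

# Constructed: the public addresses the cluster actually answers for
# (hide/static NAT pools, published servers, VPN peer address).
USED_ADDRESSES = ["203.0.113.10", "203.0.113.11", "203.0.113.25", "203.0.113.80"]


def carve_transit(block: ipaddress.IPv4Network, prefixlen: int = 29) -> ipaddress.IPv4Network:
    """Take the highest /29 out of the block as the router <-> ClusterXL transit net.

    Taking it from the top keeps the low end of the block contiguous for NAT objects.
    """
    return list(block.subnets(new_prefix=prefixlen))[-1]


def transit_plan(transit: ipaddress.IPv4Network) -> dict:
    """Assign transit addresses: router first, then the cluster VIP, then the two members."""
    hosts = list(transit.hosts())
    if len(hosts) < 4:
        raise ValueError("transit net too small for router + VIP + two members")
    return {"router": hosts[0], "vip": hosts[1], "member_a": hosts[2], "member_b": hosts[3]}


def static_routes(block, transit, vip, used) -> list[str]:
    """Router statics (IOS-style syntax assumed).

    The whole aggregate is null-routed first; used hosts get /32 statics towards
    the VIP, which win by longest-prefix match. Unused addresses therefore die at
    the router instead of being forwarded to the firewall, and no proxy-ARP is
    needed on the cluster because the router never ARPs for them on the transit net.
    """
    routes = [f"ip route {block.network_address} {block.netmask} Null0"]
    for addr in sorted(ipaddress.ip_address(a) for a in used):
        if addr not in block:
            raise ValueError(f"{addr} is outside {block}")
        if addr in transit:
            raise ValueError(f"{addr} is in the connected transit net; do not /32 it")
        routes.append(f"ip route {addr} 255.255.255.255 {vip}")
    return routes


def lookup(addr: str, block, transit, vip, used) -> str:
    """Simulate the router's longest-prefix-match decision for one destination.

    Returns 'connected' for the transit /29, the VIP for a used address,
    'Null0' for an unused address inside the block, else 'default'.
    """
    a = ipaddress.ip_address(addr)
    if a in transit:
        return "connected"   # connected /29 beats the /24 null route
    if a in {ipaddress.ip_address(u) for u in used}:
        return str(vip)      # /32 static beats the /24 null route
    if a in block:
        return "Null0"       # unused public address: discarded at the router
    return "default"


def build(block=PUBLIC_BLOCK, used=USED_ADDRESSES):
    """Carve the transit net, assign its addresses and emit the route list."""
    transit = carve_transit(block)
    plan = transit_plan(transit)
    return transit, plan, static_routes(block, transit, plan["vip"], used)


if __name__ == "__main__":
    transit, plan, routes = build()
    print(f"transit {transit}: " + ", ".join(f"{k}={v}" for k, v in plan.items()))
    print("\n".join(routes))
```

The check worth keeping from this is `lookup`: before committing the change, confirm that a used address resolves to the VIP, an unused one to Null0, and a transit address to the connected interface, since a /32 accidentally pointed at a transit address, or a used address missing from the list, silently blackholes traffic.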
Sorin_Gogean
Advisor

My 2cents,

Even if a /24 sounds BIG, you will soon exhaust it 😁.

I would split it in many subnets, one for routing, one for DMZ, etc etc.

As for the size of the splits, think long-run plans...
Thx,

0 Kudos