External Topology and Addressing



We have an ARIN-assigned /24 public range. The physical topology of the external internet link is the typical ISP <> External Router <> Layer 2 Switches <> Checkpoint ClusterXL.


Is it best to use the /24 for addressing the external Checkpoint ClusterXL interfaces/VIP, or to use a smaller /28 or /29 for addressing the external Checkpoint ClusterXL interfaces and then route the /24 range on the External Router to the Checkpoint ClusterXL VIP interface?

I know both will work but wanted to get some feedback on best practices and security considerations. Note - we also have DDoS protection/scrubbing on the /24 range. As a result, is it safer to use the first option?



3 Replies

Usually, external routable IPs are scarce and expensive, so people try to be as economical as possible when defining the external subnet. But if you have a /24, knock yourself out and have a party 🙂

From where I stand, these settings are not related to security but to networking.


Either way works, but routing the addresses towards the firewall and removing the reliance on proxy ARP gets my vote.

Also, since you raised the DDoS topic, you may opt to route only the used addresses and send the others to Null.


My 2 cents,

Even if a /24 sounds BIG, you will soon exhaust it 😁.

I would split it into many subnets, one for routing, one for DMZ, etc. etc.

As for the size of the splits, think long-run plans...



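The two design points raised in the replies above (route the block towards the cluster VIP instead of relying on proxy ARP and null-route what is unused; carve the /24 into a transit subnet, DMZ ranges and room to grow) put together as an added worked example. This is not code from the thread, from Check Point or from any router vendor. Everything specific in it is an assumption: the RFC 5737 documentation block 203.0.113.0/24 stands in for the real ARIN /24, the transit link is the first /29 with the router on the first usable host, the ClusterXL VIP on the second and the two member addresses after that, the DMZ names and sizes are made up, and the route lines use IOS-style `ip route` syntax.

```python
"""Carve a public /24 for a router <-> ClusterXL design and emit the router's
static routes: used space forwarded to the cluster VIP, unused space dropped.

Assumptions (not from the thread): the first carved subnet is the transit link;
its first usable host is the external router, the second the ClusterXL VIP, the
next two the member physical addresses. Everything not assigned is null-routed.
"""
from __future__ import annotations

import ipaddress
from ipaddress import IPv4Network


def allocate(free: list[IPv4Network], prefixlen: int) -> IPv4Network:
    """Best-fit carve: take the smallest free block that can hold a /prefixlen,
    hand out its lowest-addressed subnet of that size and return the rest to
    the free list."""
    candidates = [n for n in free if n.prefixlen <= prefixlen]
    if not candidates:
        raise ValueError(f"no free space left for a /{prefixlen}")
    # Highest prefixlen = smallest block; among equals take the lowest address.
    best = max(candidates, key=lambda n: (n.prefixlen, -int(n.network_address)))
    free.remove(best)
    if best.prefixlen == prefixlen:
        return best
    chosen = next(best.subnets(new_prefix=prefixlen))
    free.extend(best.address_exclude(chosen))
    return chosen


def plan_block(block: str, transit_len: int = 29,
               dmz: dict[str, int] | None = None) -> dict:
    """Split `block` into transit link, DMZ subnets and null-routed leftovers,
    and build the static routes the external router needs."""
    net = ipaddress.ip_network(block)
    free = [net]

    transit = allocate(free, transit_len)
    hosts = list(transit.hosts())
    if len(hosts) < 4:
        raise ValueError("transit subnet needs router, VIP and two member addresses")
    router, vip, member_a, member_b = hosts[:4]

    # Largest DMZ blocks first keeps fragmentation down.
    dmz_nets = {name: allocate(free, plen)
                for name, plen in sorted((dmz or {}).items(), key=lambda kv: kv[1])}

    unused = sorted(ipaddress.collapse_addresses(free))

    # Used space goes to the cluster VIP (the router never ARPs for individual
    # public addresses, so the firewall needs no proxy ARP for them);
    # unused space is dropped on the router before it reaches the firewall.
    routes = [(n, str(vip)) for n in dmz_nets.values()]
    routes += [(n, "Null0") for n in unused]

    return {"block": net, "transit": transit, "router": router, "cluster_vip": vip,
            "members": (member_a, member_b), "dmz": dmz_nets, "unused": unused,
            "routes": routes}


def render_routes(plan: dict) -> list[str]:
    """IOS-style static routes (syntax assumed; adapt to your router)."""
    return [f"ip route {n.network_address} {n.netmask} {nh}" for n, nh in plan["routes"]]


def partitions_block(plan: dict) -> bool:
    """Sanity check: transit + DMZ + unused exactly cover the block, no overlap."""
    pieces = [plan["transit"], *plan["dmz"].values(), *plan["unused"]]
    inside = all(p.subnet_of(plan["block"]) for p in pieces)
    disjoint = all(not a.overlaps(b)
                   for i, a in enumerate(pieces) for b in pieces[i + 1:])
    total = sum(p.num_addresses for p in pieces)
    return inside and disjoint and total == plan["block"].num_addresses


if __name__ == "__main__":
    # Constructed input: RFC 5737 documentation block standing in for the real /24.
    plan = plan_block("203.0.113.0/24", transit_len=29, dmz={"web": 27, "mail": 28})
    print(f"transit {plan['transit']}: router {plan['router']}, VIP {plan['cluster_vip']}, "
          f"members {plan['members'][0]} / {plan['members'][1]}")
    for name, n in plan["dmz"].items():
        print(f"dmz {name}: {n}")
    print("\n".join(render_routes(plan)))
    print("partition ok:", partitions_block(plan))
```

The router's ARP table then only ever holds the transit /29; every other public address is reached by a route to the VIP, which is what removes the proxy-ARP dependency on the cluster. The null routes for unallocated space are installed on the router, so scans of unused addresses are dropped before the firewall sees them, and re-running the plan with larger DMZ entries is how the unused space gets reclaimed as the block fills up.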