RE: [FW1] Partition off a class C within a 10.x.x.x RFC 1918 net
Not off track Anders - spot on. The wonders of DHCP! Tell all the clients about the new route and voila.

I would agree with the other post, that starting out with a subnet of a larger class is wiser and easier to grow into. Or you could take the easy route and give them another RFC1918 class.

Robert

- -
Robert P. MacDonald, Network Engineer
Team Lead, e-Business Infrastructure
G o r d o n F o o d S e r v i c e
Voice:email: [email protected]

>>> "Reed Mohn, Anders" <[email protected]> 11/30/00 6:31:03 PM >>>
>
>Uhhm.. I might be off-track here,
>but what happens to a client in
>the 10.0.0.0/8 network who wants to
>talk to someone in 10.250.1.0/24?
>
>Since any 10.0.0.0 address is assumed to
>be local, no packet ever makes it to the
>FW/router/gateway.
>
>Or..?
>
>Anders :)
>
>-----Original Message-----
>From: Christine Tran [mailto:[email protected]]
>Sent: 30. november 2000 23:06
>To: [email protected]
>Subject: Re: [FW1] Partition off a class C within a 10.x.x.x RFC 1918
>net
>
>From: "Greg Winkler" <[email protected]>
>Subject: [FW1] Partition off a class C within a 10.x.x.x RFC 1918 net
>
>> We use a 10.x.x.x network internally per RFC 1918. Up until today I've
>> used a network object of 10.0.0.0 with a mask of 255.0.0.0 to refer to
>> all of my internal hosts.
>
>God I can't imagine what your arp table might look like! :)
>
>> Ideally I would have an object that included all of my
>> 10.x.x.x networks EXCEPT for 10.250.1.x.
>
>Why not just create 2 objects: ClassA = 10.0.0.0/8, ClassC =
>10.250.1.0/24.
>FW1 doesn't care. When you write your policy, make sure all the rules
>for ClassC are on top of the rules for ClassA. The sieve effect will deal
>with your ClassC first, anything else is implicitly !ClassC, ergo your
>ClassA rule gets it next. At the end of your ClassC rule block explicitly
>drop stuff for your ClassC, so your ClassA rules don't "accidentally" get
>packets
>that didn't match your ClassC rules.
>
>For routing, the same principle applies, more specific to less specific.
>Just make sure you have routes defined for 10.0.0.0/8 (general) as well as
>10.250.10.0/24 (specific).
>
>Why is this hard? Am I missing something really obvious?
>
>CT
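
Added example, not part of the original thread: a small Python model of the three points discussed above (first-match rule order with an explicit drop closing the ClassC block, most-specific route selection, and a /8 client treating 10.250.1.x as local). The rule base, ports, next-hop names and client addresses are constructed for illustration and are not taken from anyone's FW-1 configuration.

```python
import ipaddress

CLASS_A = ipaddress.ip_network("10.0.0.0/8")
CLASS_C = ipaddress.ip_network("10.250.1.0/24")

# Constructed rule base: (source object, destination port, action); None = any port.
# The ClassC block sits above the ClassA rules and ends with an explicit drop.
POLICY = [
    (CLASS_C, 25, "accept"),
    (CLASS_C, None, "drop"),
    (CLASS_A, 80, "accept"),
]
# Same rules without the drop that closes the ClassC block.
POLICY_NO_CLEANUP = [rule for rule in POLICY if rule[2] != "drop"]

def evaluate(policy, src, port):
    """First-match evaluation, top to bottom; unmatched traffic is dropped."""
    src = ipaddress.ip_address(src)
    for network, rule_port, action in policy:
        if src in network and rule_port in (None, port):
            return action
    return "drop"

# Constructed routing table: prefix -> next hop (hypothetical names).
ROUTES = {CLASS_A: "core-router", CLASS_C: "fw1-gateway"}

def next_hop(dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    dst = ipaddress.ip_address(dst)
    matches = [net for net in ROUTES if dst in net]
    return ROUTES[max(matches, key=lambda n: n.prefixlen)] if matches else None

def on_link(client_interface, dst):
    """True if the client treats dst as local (ARP) instead of using a route."""
    local_net = ipaddress.ip_interface(client_interface).network
    return ipaddress.ip_address(dst) in local_net

if __name__ == "__main__":
    print(evaluate(POLICY, "10.250.1.5", 80))             # drop
    print(evaluate(POLICY_NO_CLEANUP, "10.250.1.5", 80))  # accept, via the ClassA rule
    print(next_hop("10.250.1.5"), next_hop("10.3.3.3"))   # fw1-gateway core-router
    print(on_link("10.1.2.3/8", "10.250.1.5"))            # True
    print(on_link("10.1.2.3/16", "10.250.1.5"))           # False
```

Without the closing drop, port 80 traffic from a 10.250.1.x host is accepted by the ClassA rule, because 10.250.1.0/24 is also inside 10.0.0.0/8.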