Firewall Wizards mailing list archives

RE: Maximum number of subnets on a firewall


From: "Bill James" <bubbagates () comcast net>
Date: Sat, 31 Jan 2004 22:07:27 -0500


-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Paolo
Supino
Sent: Wednesday, January 28, 2004 2:32 PM
To: 'firewall-wizards () honor icsalabs com'
Subject: [fw-wiz] Maximum number of subnets on a firewall


Hi 

  The following story and question aren't product specific, so please
don't try to attach it to any available product: I was asked to plan a
network for a group of 3 companies (all located in the same building and
wanting to use the same infrastructure). From gathering the requirements of
each of the companies I've concluded that all of them together will need
10 subnets (including the subnet that is connected to the internet).
Since the biggest number of subnets per firewall that I ever installed
was 6, setting up 10 subnets on 1 firewall seems too much to me, so I'm
looking for a way to have the 10 networks on 2 (or 3) different
firewalls. If you have any suggestions on a possible layout I'd be very
happy to read them.

        Paolo
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


Paolo,

   I would do 3 separate firewalls, one for each company, with 2
interfaces in each, or 3 if you need a DMZ. One interface can then become
the internal network and be broken down into sub-interfaces (Unix based
Iptables) to allow the multiple subnets you need. The other interface
would then be considered the outside interface. You could also add a
physical interface for each internal subnet if you really want to. If
you have not done so already, and if it's possible, you can combine the
subnets for each individual company to help reduce the administrative
overhead (i.e. 10.1.x.x, 10.2.x.x, and 10.3.x.x could be combined with
the mask of /14 or 255.252.0.0 instead of using the customary /16 or
255.255.0.0 mask).

                     /<--> Firewall C1 <--> C1 Internal Net
Internet <--> Router |<--> Firewall C2 <--> C2 Internal Net
                     \<--> Firewall C3 <--> C3 Internal Net

With 3 different firewalls you do not risk downing all 3 companies at
the same time should one firewall crash for some reason.

You can also get 2 PIX with multiple interfaces and run them in failover.

Hope this helps

Bill
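The aggregation step Bill suggests (three per-company /16 blocks rolled up into one /14) is easy to get wrong in a rule set, because the aggregate also admits address space nobody planned. The following is an added example, not code from the original post; it uses only the Python standard library and constructed prefixes, and it computes the smallest common supernet, lists the unplanned space inside it, and checks that no two companies' prefixes overlap.

```python
"""Supernet aggregation check for a per-company addressing plan.
Added example with constructed prefixes; not from the original thread."""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed plan: one /16 per company, as in Bill's 10.1/10.2/10.3 example.
PLAN: Dict[str, List[str]] = {
    "C1": ["10.1.0.0/16"],
    "C2": ["10.2.0.0/16"],
    "C3": ["10.3.0.0/16"],
}

def smallest_supernet(prefixes: Iterable[str]) -> ipaddress.IPv4Network:
    """Smallest single prefix that contains every input network."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    if not nets:
        raise ValueError("need at least one prefix")
    candidate = nets[0]
    # Widen one bit at a time until every network fits inside the candidate.
    while not all(n.subnet_of(candidate) for n in nets) and candidate.prefixlen > 0:
        candidate = candidate.supernet()
    return candidate

def unplanned_space(prefixes: Iterable[str], supernet: ipaddress.IPv4Network):
    """Blocks inside `supernet` that are not in the plan: address space an
    aggregate rule (e.g. a /14) would implicitly permit."""
    leftover = [supernet]
    for n in (ipaddress.ip_network(p) for p in prefixes):
        nxt = []
        for block in leftover:
            if n == block:
                continue  # block fully consumed by a planned prefix
            nxt.extend(block.address_exclude(n) if n.subnet_of(block) else [block])
        leftover = nxt
    return sorted(leftover)

def aggregate(prefixes: List[str]) -> Tuple[str, List[str]]:
    """Return (supernet, unplanned blocks) as strings."""
    sup = smallest_supernet(prefixes)
    return str(sup), [str(n) for n in unplanned_space(prefixes, sup)]

def overlapping_companies(plan: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Company pairs whose prefixes overlap; such a plan cannot be routed
    or filtered per company."""
    names = sorted(plan)
    found = set()
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for pa in plan[a]:
                for pb in plan[b]:
                    if ipaddress.ip_network(pa).overlaps(ipaddress.ip_network(pb)):
                        found.add((a, b))
    return sorted(found)
```

For the constructed plan the aggregate is 10.0.0.0/14, and the unplanned block it also covers is 10.0.0.0/16, which is worth knowing before that /14 appears in a firewall rule.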



