Because you need to know how to communicate with intermediary devices, they should have predictable addresses. Therefore, their addresses are typically assigned manually. Additionally, the addresses of these devices should be in a different range within the network block than user device addresses.
Addresses for Routers and Firewalls
Unlike the other intermediary devices mentioned, routers and firewall devices have an IPv4 address assigned to each interface. Each interface is in a different network and serves as the gateway for the hosts in that network. Typically, the router interface uses either the lowest or the highest address in the network. This assignment should be uniform across all networks in the corporation so that network personnel will always know the gateway of the network no matter which network they are working on.
Router and firewall interfaces are the concentration point for traffic entering and leaving the network. Because the hosts in each network use a router or firewall device interface as the gateway out of the network, many packets flow through these interfaces. Therefore, these devices can play a major role in network security by filtering packets based on source and/or destination IPv4 addresses. Grouping the different types of devices into logical addressing groups makes the assignment and operation of this packet filtering more efficient.
When addresses for devices are grouped by similar functions, you can create rules that address the whole group of devices instead of having to create individual rules for each device. A single rule written against the group's summary address replaces an individual rule for the address of each device. This leaves fewer security rules to maintain, which greatly streamlines the security function.
Table 6-14 shows an example of designing addressing groups for a network. In this table, we have grouped the devices into four groups: user hosts, servers, peripherals, and networking devices. Each of these device types is assigned to a group of addresses inside its network. The summary address for each group is shown in the last column. This summary is created for use in security rules. You will learn more about summary addresses in later courses.
Table 6-14 Device Address Groups Within the 172.16.x.0 /24 Network

| Use | Low Address | High Address | Summary Address |
|---|---|---|---|
| User hosts (DHCP pool) | 172.16.x.1 | 172.16.x.127 | 172.16.x.0 /25 |
| Servers | 172.16.x.128 | 172.16.x.191 | 172.16.x.128 /26 |
| Peripherals | 172.16.x.192 | 172.16.x.223 | 172.16.x.192 /27 |
| Networking devices | 172.16.x.224 | 172.16.x.253 | 172.16.x.224 /27 |
| Router (gateway) | 172.16.x.254 | — | 172.16.x.224 /27 |
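The following is an added example, not part of the course text, that works through Table 6-14 and the two points made above it: that a summary address lets one filtering rule stand in for a rule per device, and that the router or firewall interface applies such rules by source or destination address. It checks each row of the table against its summary prefix (and reports how many addresses the summary matches beyond the row's range, which is what a rule on that summary would also hit), then evaluates addresses against a small first-match filter written with the summary addresses. The third octet `x = 10`, the `ACL` policy, and treating the router row as the single address .254 are all constructed assumptions for this example.

```python
import ipaddress

# Table 6-14 rows for one example subnet. The page writes 172.16.x.0/24 for
# any third octet; x = 10 is a constructed choice. The router row has no high
# address in the table, so it is modelled here as the single address .254.
GROUPS = {
    "User hosts (DHCP pool)": ("172.16.10.1",   "172.16.10.127", "172.16.10.0/25"),
    "Servers":                ("172.16.10.128", "172.16.10.191", "172.16.10.128/26"),
    "Peripherals":            ("172.16.10.192", "172.16.10.223", "172.16.10.192/27"),
    "Networking devices":     ("172.16.10.224", "172.16.10.253", "172.16.10.224/27"),
    "Router (gateway)":       ("172.16.10.254", "172.16.10.254", "172.16.10.224/27"),
}


def check_group(low, high, summary):
    """Validate one row of the plan.

    Returns (covered, range_size, extra): `covered` is True when every address
    from low to high lies inside the summary prefix, `range_size` is the number
    of addresses in the row, and `extra` is how many addresses the summary
    matches beyond that range. extra == 0 means a rule on the summary is exactly
    as wide as the group; a larger value is addresses the rule would also hit.
    """
    # strict=True rejects a summary whose host bits are not all zero,
    # i.e. a prefix that is not a valid network address.
    net = ipaddress.ip_network(summary, strict=True)
    lo, hi = ipaddress.ip_address(low), ipaddress.ip_address(high)
    if hi < lo:
        raise ValueError(f"high address {high} precedes low address {low}")
    covered = lo in net and hi in net
    range_size = int(hi) - int(lo) + 1
    return covered, range_size, net.num_addresses - range_size


def check_plan(groups):
    """Run check_group over every row; returns {name: (covered, range_size, extra)}."""
    return {name: check_group(*row) for name, row in groups.items()}


def first_match(address, acl):
    """Evaluate an address against an ordered list of (action, prefix) rules
    the way a first-match packet filter does. Returns the action of the first
    rule whose prefix contains the address, or "deny" when none matches
    (the implicit deny at the end of the list)."""
    addr = ipaddress.ip_address(address)
    for action, prefix in acl:
        if addr in ipaddress.ip_network(prefix):
            return action
    return "deny"


# A constructed policy written against the summary addresses: one rule per
# group instead of one rule per device (64 server rules collapse to one).
ACL = [
    ("permit", "172.16.10.224/27"),  # networking devices and the gateway
    ("permit", "172.16.10.128/26"),  # servers
    ("deny",   "172.16.10.0/25"),    # user host DHCP pool
]


if __name__ == "__main__":
    for name, (covered, size, extra) in check_plan(GROUPS).items():
        print(f"{name:24} covered={covered} addresses={size:3} extra_in_summary={extra}")
    for probe in ("172.16.10.50", "172.16.10.150", "172.16.10.254", "172.16.10.200"):
        print(probe, "->", first_match(probe, ACL))
```

Two things the output makes visible that the table alone does not: the user-host summary 172.16.10.0/25 also matches the network address .0, and the networking-device summary 172.16.10.224/27 also matches .254 (the gateway, by design) and the broadcast address .255, so a rule on that summary is two addresses wider than the .224 to .253 range. A peripheral address such as .200 matches no rule in the constructed list and falls through to the implicit deny, which is the usual reason to enumerate every group when writing the policy.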