Valid Network Design?


  • Valid Network Design?

    Hi All,

    I'm hoping someone can help me to get my head around this concept. Refer to the attached network diagram.

    Is this a valid network design? The reason I’m not sure is because the /24 subnet used in the DMZ is also part of the /16 subnet used on the LAN. I think this will work by configuring the routes on R1 and FW1 as shown. Since a directly connected subnet will take precedence over a route I believe it will work.

    Even though it does work, is it bad practice?

    Thanks in advance,
    Gareth

    Note: For R1 Routing table the next hop should be 10.120.254.2 (the address of FW1)
    Last edited by Jenkers88; 1st February 2015, 19:10. Reason: Missing information

  • #2
    Re: Valid Network Design?

    Can you please explain where the /16 network is?

    Can't you use a different subnet for your DMZ?



    • #3
      Re: Valid Network Design?

      yep.. you have no /16 there
      you've got several /24s
      Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif



      • #4
        Re: Valid Network Design?

        The /16 route would cover every route that wasn't more specific (i.e. the DMZ route). Since 10.120.5.0/24 is not directly connected it would be sent to FW1.



        • #5
          Re: Valid Network Design?

          Both of your routing statements are wrong, as printed. Your original post included the correction for the next hop for the R1 statement, so you've got that covered. However, your routing statement for the firewall, and the logic you gave us in your final post, assumes there could never be a fault where the DMZ leg has failed. As soon as that leg is not available, your logic falls down and any traffic intended for the DMZ leg would go to the router, which would send it back to the firewall, which bounces it back to the router, ad infinitum.

          If you want this to work correctly, use individual routing statements from the firewall to the router for the 2 legs the router knows about. If the DMZ leg goes down, any packets destined for that leg die without creating traffic problems anywhere else.

          But to simplify things even more, change the address range of the DMZ to something completely unrelated to your internal network; say 172.16.31.0/24. It's a private network so won't route on the Web, and isn't part of your 10.120.0.0/16 network. In practice, the traditional 3-leg firewall model you're using usually has the DMZ totally removed from the 'trusted' internal network space the firewall is trying to protect, in part to avoid just the problem you're facing.
          *RicklesP*
          MSCA (2003/XP), Security+, CCNA

          ** Remember: credit where credit is due, and reputation points as appropriate **



          • #6
            Re: Valid Network Design?

            Originally posted by RicklesP View Post
            ... which would send it back to the firewall, which bounces it back to the router, ad infinitum.
            Not infinitely thanks to the TTL.
            Regards,
            Jeremy

            Network Consultant/Engineer
            Baltimore - Washington area and beyond
            www.gma-cpa.com



            • #7
              Re: Valid Network Design?

              Originally posted by Jenkers88 View Post
              Is this a valid network design? The reason I'm not sure is because the /24 subnet used in the DMZ is also part of the /16 subnet used on the LAN.
              You're confusing networks with route summarization.

              Having overlapping IP networks (say, using 10.120.0.0/16 in one location and 10.120.5.0/24 somewhere else) would be an invalid configuration, but routing 10.120.5.0/24 to one gateway and having a summary route for 10.120.0.0/16 pointing somewhere else is perfectly valid. In fact, every single network connected to the Internet has a routing setup like that, as the default route (0.0.0.0/0) covers the entire IP address space, including all internal networks.

              The way IP routing works, a specific route entry is always preferred over a more general one. An entry routing 10.120.5.0/24 via gateway A will take precedence over a route directing 10.120.0.0/16 via gateway B.

              One of your routes is still wrong, though. You cannot tell R1 to route traffic via 10.120.5.1, as R1 doesn't have an IP address in the 10.120.5.0/24 network, and thus cannot use 10.120.5.1 as a next-hop router. All next-hop gateways must be in directly reachable, connected networks. The route entry for 10.120.5.0/24 on R1 must therefore point to the IP address of FW1 in the 10.120.254.0/24 network (to which R1 is in fact directly connected).

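A small added simulation (not from the thread or its attachment) of the points made in #5 and #7: longest-prefix match, the rule that a next hop must sit on a directly connected subnet, and the R1/FW1 bounce that a /16 summary on the firewall causes once the DMZ leg is down. The topology, the addresses on the R1-FW1 link and the single LAN /24 behind R1 are assumptions based on the thread's description.

```python
import ipaddress
from typing import Dict, List

class Router:
    """Minimal forwarding table: connected subnets plus static routes, longest prefix wins."""
    def __init__(self, name: str, connected: Dict[str, str], static: Dict[str, str]):
        self.name = name
        # connected: subnet -> this device's own address on that subnet
        self.connected = {ipaddress.ip_network(n): ipaddress.ip_address(a) for n, a in connected.items()}
        self.static = {ipaddress.ip_network(p): ipaddress.ip_address(h) for p, h in static.items()}

    def hop_reachable(self, hop: ipaddress.IPv4Address) -> bool:
        # A next hop is only usable if it lies on one of our directly connected subnets (post #7)
        return any(hop in net for net in self.connected)

    def lookup(self, dst: str):
        """Return (prefix, next_hop) of the longest matching route; next_hop None = connected."""
        d = ipaddress.ip_address(dst)
        cands = [(n, None) for n in self.connected if d in n]
        cands += [(p, h) for p, h in self.static.items() if d in p]
        return max(cands, key=lambda c: c[0].prefixlen) if cands else None

def bad_next_hops(r: Router) -> List[str]:
    """Static routes whose next hop this device could never ARP for (R1 via 10.120.5.1)."""
    return [str(p) for p, h in r.static.items() if not r.hop_reachable(h)]

def build(dmz_up=True, r1_dmz_hop="10.120.254.2", fw_lan_summary=True) -> Dict[str, Router]:
    # Constructed topology, assumed from the thread (not the attached diagram):
    # LAN 10.120.1.0/24 behind R1, R1-FW1 link 10.120.254.0/24, DMZ 10.120.5.0/24 on FW1.
    r1 = Router("R1", {"10.120.1.0/24": "10.120.1.1", "10.120.254.0/24": "10.120.254.1"},
                {"10.120.5.0/24": r1_dmz_hop, "0.0.0.0/0": "10.120.254.2"})
    fw_if = {"10.120.254.0/24": "10.120.254.2"}
    if dmz_up:
        fw_if["10.120.5.0/24"] = "10.120.5.1"      # DMZ leg present
    # post #5: a /16 summary towards R1 versus a specific route per LAN /24
    fw_routes = {"10.120.0.0/16": "10.120.254.1"} if fw_lan_summary else {"10.120.1.0/24": "10.120.254.1"}
    return {"R1": r1, "FW1": Router("FW1", fw_if, fw_routes)}

def trace(devs: Dict[str, Router], start: str, dst: str, ttl: int = 8) -> List[str]:
    """Hop-by-hop walk of the forwarding decisions until delivery, a drop, or TTL expiry."""
    owner = {a: r.name for r in devs.values() for a in r.connected.values()}
    path, cur = [start], devs[start]
    for _ in range(ttl):
        route = cur.lookup(dst)
        if route is None:
            return path + ["drop: no route"]
        _, hop = route
        if hop is None:
            return path + ["delivered"]
        if not cur.hop_reachable(hop) or hop not in owner:
            return path + ["drop: next hop not on a connected subnet"]
        cur = devs[owner[hop]]
        path.append(cur.name)
    return path + ["ttl expired"]  # the bounce post #5 describes, ended by TTL as #6 notes
```

With the DMZ leg down, `build(dmz_up=False)` loops R1/FW1 until the TTL runs out, while `build(dmz_up=False, fw_lan_summary=False)` drops the packet at FW1 as post #5 recommends.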
