HP3000-L Archives

March 1997, Week 2

HP3000-L@RAVEN.UTC.EDU

From: Jeff Kell <[log in to unmask]>
Reply To: Jeff Kell <[log in to unmask]>
Date: Fri, 14 Mar 1997 00:17:07 -0500

Phil ESGUERRA wrote:

> We have been using unregistered class A IP addresses for our internal networks
> for about a decade now. About 3 years ago, we started using registered
> Class "C" IP addresses from NIC.

> Our class A addresses are in the "10.x.x.x" thru "10.100.x.x" ranges.
> Some of our users are able to go out into the Internet using the 10.x.x.x
> address, when the subnet mask is 255.0.0.0.

The 10.x.x.x address range is an IANA standard "private" network number.
Private numbers are for internal networks and are expressly forbidden
from being routed across the backbone.  You say "some users are able to
go out into the Internet" and that's scary - *don't do that*.  Don't
let those routes be advertised outside your border router; you should
configure your router not to pass those routes, and don't advertise them
on any externally-addressable DNS either.

> Our firewalls are on the class C IP addresses.
> So the question is: Are there any reasons for us to convert to class C?
> I say that security is enhanced if we could remain in Class A, and convert
> class C PCs to class A, and leave the Internet machines in class C.

What you need is network address translation (NAT).  This translates
internal addresses to external (in your case, A to C) to keep you legal.
NAT can work with static assignments, or can "pool" a group of class C
addresses for dynamic assignment on external requests.  This feature is
available on higher-end Cisco routers in IOS release 11.2 (maybe sooner)
or else their dedicated hardware solution PIX (Private Internet Exchange)
which is a standalone box (not unlike a firewall in architecture).  To
make NAT/PIX work, you must set up internal machines on one DNS system
with internal addresses, and an externally advertised separate DNS to give
out the class C addresses (statically assigned for servers/etc).

But by no means can you route these addresses externally, at least not
up to the backbone.  You'll be smacked on the head by the core providers
if they find you're advertising these routes :-)

Jeff Kell <[log in to unmask]>
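The two pieces of advice in the message above, a border filter that never lets RFC 1918 prefixes out (or in), and a NAT table with static server mappings plus a dynamic pool of registered addresses, can be illustrated with a small simulation. This is an added example written for this archive page, not code from the poster or from any router vendor; all addresses are constructed, with 203.0.113.0/24 (a documentation range) standing in for the registered class C block and 10.0.0.0/8 for the internal class A network.

```python
"""Border filtering and NAT for private (RFC 1918) address space.

Added illustration, not code from the poster or from any router vendor.
Every address and prefix here is a constructed sample: 203.0.113.0/24
(a documentation range) stands in for the registered class C block,
10.0.0.0/8 for the internal class A network.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional

# The IANA-reserved private blocks from RFC 1918. These must never be
# advertised to, or accepted from, the outside world.
PRIVATE_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_private_prefix(prefix: str) -> bool:
    """True if the whole prefix lies inside one of the RFC 1918 blocks."""
    net = ipaddress.ip_network(prefix, strict=False)
    return any(net.subnet_of(block) for block in PRIVATE_BLOCKS)


def is_private_address(addr: ipaddress.IPv4Address) -> bool:
    """True if a single host address falls in RFC 1918 space."""
    return any(addr in block for block in PRIVATE_BLOCKS)


def filter_advertisements(prefixes: Iterable[str]) -> List[str]:
    """Outbound route filter for the border router: keep registered
    prefixes, drop anything in private space so it never reaches the
    upstream provider."""
    return [p for p in prefixes if not is_private_prefix(p)]


def filter_inbound(prefixes: Iterable[str]) -> List[str]:
    """The same filter applied to routes learned from outside: a private
    prefix arriving from the Internet is bogus and is discarded."""
    return filter_advertisements(prefixes)


class Nat:
    """Minimal NAT table.

    ``static`` holds one-to-one mappings for servers that must always appear
    under the same registered address (the ones published in external DNS);
    ``pool`` is a list of registered addresses handed out dynamically to
    other internal hosts as they make external requests.
    """

    def __init__(self, pool: Iterable[str],
                 static: Optional[Dict[str, str]] = None):
        self.free = [ipaddress.ip_address(a) for a in pool]
        self.table = {
            ipaddress.ip_address(inside): ipaddress.ip_address(outside)
            for inside, outside in (static or {}).items()
        }

    def translate(self, inside: str) -> Optional[str]:
        """Map an internal source address to the registered address the
        outside world sees. Returns None when the pool is exhausted; the
        router must then drop the packet rather than leak a 10.x.x.x
        source onto the Internet."""
        addr = ipaddress.ip_address(inside)
        if not is_private_address(addr):
            return str(addr)          # already registered: pass unchanged
        if addr not in self.table:
            if not self.free:
                return None
            self.table[addr] = self.free.pop(0)   # dynamic pool assignment
        return str(self.table[addr])


if __name__ == "__main__":
    # Constructed sample: one static server mapping, two pooled addresses.
    nat = Nat(pool=["203.0.113.10", "203.0.113.11"],
              static={"10.1.1.5": "203.0.113.5"})
    for host in ["10.1.1.5", "10.2.0.7", "10.2.0.8", "10.2.0.9"]:
        print(host, "->", nat.translate(host))
    print(filter_advertisements(["10.0.0.0/8", "203.0.113.0/24"]))
```

The dynamic pool is first-come, first-served and never releases an address, which is enough to show the exhaustion case: once the pool is empty the router has only two choices, queue or drop, and leaking the private source address is not one of them.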
