
Internet Space Network

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

To conserve Internet IP addresses, the Internet Platform and Operations group used a subnet of a class C network with a net mask of 28 bits, which provided four host address bits and 14 (2^4 - 2) usable public registered addresses.

All IP addresses in this paper are fictitious and are listed as examples only; they are not the actual addresses used in this deployment. For the purposes of this paper, the following are IP addresses in the Internet Space network:

  • Network: 200.100.1.0

  • Subnet mask: 255.255.255.240

  • Subnet number: 200.100.1.16

  • Subnet broadcast address: 200.100.1.31

  • Available network addresses: 200.100.1.17 - 200.100.1.30

The network address assignment is as follows:

  • Cisco Router Internal Interface: 200.100.1.17

  • NAT Public IP: 200.100.1.18

  • BIG-IP External Virtual IP (VIP): 200.100.1.19

  • BIG-IP External Dedicated IP (DIP) 1: 200.100.1.20

  • BIG-IP External DIP 2: 200.100.1.21

  • HTTP VIP: 200.100.1.22

The pair of F5 BIG-IP controllers forms a fail-over cluster, so they need a VIP in addition to the DIPs on each of their NICs.

A VIP is created for the HTTP traffic for load balancing Web traffic to the front-end Web servers in the Front End network. The Internet Platform and Operations group registered a wildcard DNS entry with the Public DNS server for the iponet.net zone so that all sites resolve to the same IP address:

*.stsbeta.iponet.net resolves to 200.100.1.22

The NAT solution saves public IP addresses and provides an extra level of protection because the servers running Windows SharePoint Services are not exposed to the Internet directly. To further secure the network, the Internet Platform and Operations group applied an outbound IP access list on the Fast Ethernet Interface of the Cisco Systems router to allow only incoming HTTP and SSL (HTTPS) traffic.

Note: The traffic coming from the Internet to the network goes through the router before it gets to the network, so this access control list must be applied to outbound traffic.

The following is an example of an IP access list that allows only HTTP and SSL traffic into the network.

Example IP access list

ip access-list extended EXAMPLE
 permit tcp any any gt 1023 established
 permit tcp any host 200.100.1.22 eq 80
 permit tcp any host 200.100.1.22 eq 443
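
As an added example (not part of the original paper), this Python code recomputes the subnet values listed above from the /28 prefix and evaluates the page's access list against constructed packets, using first-match order and the implicit deny. The helper names `subnet_facts`, `parse_rule` and `evaluate`, and the flag names passed to them, are assumptions made for illustration.

```python
import ipaddress

# ACL body exactly as listed on the page.
ACL = """\
permit tcp any any gt 1023 established
permit tcp any host 200.100.1.22 eq 80
permit tcp any host 200.100.1.22 eq 443
"""

def subnet_facts(cidr="200.100.1.16/28"):
    """Recompute the page's subnet values from the /28 prefix."""
    net = ipaddress.ip_network(cidr)
    hosts = list(net.hosts())
    return {"mask": str(net.netmask), "broadcast": str(net.broadcast_address),
            "first": str(hosts[0]), "last": str(hosts[-1]), "usable": len(hosts)}

def parse_rule(line):
    """Parse only the subset of IOS syntax that appears in the page's ACL."""
    t = line.split()
    rule = {"action": t[0], "proto": t[1], "dst": None, "op": None,
            "port": None, "established": t[-1] == "established"}
    i = 3                      # t[2] is the source, always 'any' here
    if t[i] == "host":
        rule["dst"], i = ipaddress.ip_address(t[i + 1]), i + 2
    else:
        i += 1                 # destination 'any'
    if i < len(t) and t[i] in ("eq", "gt"):
        rule["op"], rule["port"] = t[i], int(t[i + 1])
    return rule

RULES = [parse_rule(l) for l in ACL.splitlines() if l.strip()]

def evaluate(dst, dport, flags=(), proto="tcp"):
    """Return 'permit' or 'deny' for one packet; first matching rule wins."""
    dst = ipaddress.ip_address(dst)
    for r in RULES:
        if r["proto"] != proto:
            continue
        if r["dst"] is not None and r["dst"] != dst:
            continue
        if r["op"] == "eq" and dport != r["port"]:
            continue
        if r["op"] == "gt" and dport <= r["port"]:
            continue
        # 'established' is a stateless check: ACK or RST bit set.
        if r["established"] and not {"ACK", "RST"} & set(flags):
            continue
        return r["action"]
    return "deny"              # implicit deny at the end of every IOS ACL
```

Because `established` tests only the ACK and RST bits, the first rule is a stateless filter rather than connection tracking, which is worth keeping in mind when reviewing what the list admits to ports above 1023.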
© 2014 Microsoft