Internet Space Network
|Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.|
To conserve Internet IP addresses, the Internet Platform andOperations group used a subnet of class C network with a net maskof 28 bits, which provided four host address bits and 14(2 4 -2) usable public registered addresses.
All IP addresses in this paper are fictitious and are listed asexamples only; they are not the actual addresses used in thisdeployment. For the purposes of this paper, the following are IPaddresses in the Internet Space network:
Subnet mask: 255.255.255.240
Subnet number: 220.127.116.11
Subnet broadcast address: 18.104.22.168
Available network addresses: 22.214.171.124 - 126.96.36.199
The network address assignment is as follows:
Cisco Router Internal Interface: 188.8.131.52
NAT Public IP: 184.108.40.206
BIG-IP External Virtual IP (VIP): 220.127.116.11
BIG-IP External Dedicated IP (DIP) 1: 18.104.22.168
BIG-IP External DIP 2: 22.214.171.124
HTTP VIP: 126.96.36.199
The pair of F5 BIG-IP controllers forms a fail-over cluster, sothey need a VIP in addition to the DIPs on each of their NICs.
A VIP is created for the HTTP traffic for load balancing Webtraffic to the front-end Web servers in the Front End network. TheInternet Platform and Operations group registered a wildcard DNSentry with the Public DNS server for iponet.net zone so that allsites resolve to the same IP address:
*.stsbeta.iponet.net resolves to 188.8.131.52
The NAT solution saves public IP addresses and provides an extralevel of protection because the servers running Windows SharePointServices are not exposed to the Internet directly. To furthersecure the network, the Internet Platform and Operations groupapplied an outbound IP access list on the Fast Ethernet Interfaceof the Cisco Systems router to allow only incoming HTTP and SSL(HTTPS) traffic.
Note: The traffic comingfrom the Internet to the network goes through the router before itgets to the network, so this access control list must be applied tooutbound traffic.
The following is an example of an IP access list that allowsonly HTTP and SSL traffic into the network.
Example IP access list
ip access-list extended EXAMPLEpermit tcp any any gt 1023 establishedpermit tcp any host 184.108.40.206 eq 80permit tcp any host 220.127.116.11 eq 443