Internet Space Network

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

To conserve Internet IP addresses, the Internet Platform and Operations group used a subnet of a class C network with a net mask of 28 bits, which provided four host address bits and 14 (2^4 - 2) usable public registered addresses.

All IP addresses in this paper are fictitious and are listed as examples only; they are not the actual addresses used in this deployment. For the purposes of this paper, the following are IP addresses in the Internet Space network:

  • Network:

  • Subnet mask:

  • Subnet number:

  • Subnet broadcast address:

  • Available network addresses: -

The network address assignment is as follows:

  • Cisco Router Internal Interface:

  • NAT Public IP:

  • BIG-IP External Virtual IP (VIP):

  • BIG-IP External Dedicated IP (DIP) 1:

  • BIG-IP External DIP 2:


The pair of F5 BIG-IP controllers forms a fail-over cluster, so they need a VIP in addition to the DIPs on each of their NICs.

A VIP is created for the HTTP traffic for load balancing Web traffic to the front-end Web servers in the Front End network. The Internet Platform and Operations group registered a wildcard DNS entry with the Public DNS server for zone so that all sites resolve to the same IP address:

* resolves to

The NAT solution saves public IP addresses and provides an extra level of protection because the servers running Windows SharePoint Services are not exposed to the Internet directly. To further secure the network, the Internet Platform and Operations group applied an outbound IP access list on the Fast Ethernet Interface of the Cisco Systems router to allow only incoming HTTP and SSL (HTTPS) traffic.

Note: The traffic coming from the Internet to the network goes through the router before it gets to the network, so this access control list must be applied to outbound traffic.

The following is an example of an IP access list that allows only HTTP and SSL traffic into the network.

Example IP access list

ip access-list extended EXAMPLE
 permit tcp any any gt 1023 established
 permit tcp any host eq 80
 permit tcp any host eq 443
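The following is an added example, not part of the original paper or the deployment's configuration: a small Python model of how the three entries above are evaluated (first match wins, then the implicit deny at the end of every IOS access list). The subnet 192.0.2.0/28 and the VIP 192.0.2.5 are constructed placeholders from the documentation address range, because the page does not list its addresses; the model covers TCP only.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed placeholders (RFC 5737 documentation range); the page omits its addresses.
SUBNET = ip_network("192.0.2.0/28")
VIP = ip_address("192.0.2.5")  # hypothetical BIG-IP external VIP

@dataclass(frozen=True)
class Packet:
    dst: str
    dport: int
    flags: frozenset = frozenset({"SYN"})  # TCP flags; default is a new connection

# IOS evaluates entries top to bottom and stops at the first match.
ACL_EXAMPLE = [
    ("permit tcp any any gt 1023 established",  # 'established' = ACK or RST bit set
     lambda p: p.dport > 1023 and bool(p.flags & {"ACK", "RST"})),
    ("permit tcp any host VIP eq 80",
     lambda p: ip_address(p.dst) == VIP and p.dport == 80),
    ("permit tcp any host VIP eq 443",
     lambda p: ip_address(p.dst) == VIP and p.dport == 443),
]

def evaluate(packet):
    """Return (action, matching entry); unmatched packets hit the implicit deny."""
    for label, matches in ACL_EXAMPLE:
        if matches(packet):
            return "permit", label
    return "deny", "implicit deny any"

def usable_hosts(net=SUBNET):
    """Host addresses left after removing the subnet number and broadcast address."""
    return net.num_addresses - 2

if __name__ == "__main__":
    samples = [  # constructed packets arriving from the Internet
        Packet("192.0.2.5", 80),                         # new HTTP connection to the VIP
        Packet("192.0.2.5", 443),                        # new HTTPS connection to the VIP
        Packet("192.0.2.5", 3389),                       # other service on the VIP
        Packet("192.0.2.6", 80),                         # HTTP to an address that is not the VIP
        Packet("192.0.2.2", 40000, frozenset({"ACK"})),  # reply to an outbound connection
        Packet("192.0.2.2", 40000),                      # unsolicited SYN to a high port
    ]
    print(f"{SUBNET}: {usable_hosts()} usable addresses")
    for pkt in samples:
        print(pkt.dst, pkt.dport, sorted(pkt.flags), "->", *evaluate(pkt))
```

The established keyword inspects TCP flags only and keeps no connection state, so the first entry is a stateless filter, not a substitute for stateful inspection.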