Different Subnet Masks

BrotherJones
Technical User
Jun 3, 2006
This is probably more of a basic TCP/IP question, but I have gotten a couple of different answers. Essentially, I just saw a PIX 515E: the outside interface has an IP address from the ISP, and the inside interface has an address of 10.0.10.3/8. The thing that throws me off is that the rest of the internal network has an IP scheme of 10.0.10.x/24.
I was just curious as to why they would use an 8-bit mask on the PIX's internal interface when the rest of the network uses a 24-bit mask. My next question is, are they on the same network? My guess is that as long as all the devices are on the same network segment, then yes, they are all on the same network, as 10 (the first octet) is really the main network. So 10.0.10.3/8 and 10.0.10.45/24 can communicate no problem as long as they are on the same network segment?
 
OK, that is an odd setup.
Essentially, with this setup the PIX sends packets to anybody with a 10.x.x.x network address. The internal network can only talk to systems with 10.0.10.x addresses. When they go through the masking process to see if the endpoint is local, they will get different answers depending on the IP of the endpoint. 10.0.10.x will be local, and it will ARP for the MAC and send the packet onto the wire. If the endpoint is anything else, it will send it to the default gateway (PIX) to route out (unless there is a route on that system to tell it otherwise).
Now here's where things go sideways: when the PIX gets something addressed to it that tells it to route it out another interface, and it checks its mask, it will drop the packet. Its mask tells it that the destination was local to the subnet attached to that interface, and it believes it was an error. Now you have all sorts of intermittent connection errors depending on the IP of each box.

You can use this effectively to restrict communications, but on the whole I believe it is a bad practice.


Brent
Systems Engineer / Consultant
CCNP, CCSP
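The "masking process" Brent describes is the on-link test every IP host runs before sending: AND the destination with the local mask and compare it with the host's own network. The script below is an added example, not code from the thread; it applies that test from both ends of each pair of devices and reports where the two sides disagree, which is exactly the mask mismatch in the question. The device names and the extra "branch-host" address are constructed for the demonstration.

```python
import ipaddress

def same_subnet(host_ip: str, prefix_len: int, dst_ip: str) -> bool:
    """The local-delivery test a host performs before sending a packet.
    The host ANDs both addresses with its configured mask; a match means
    it ARPs for dst on the attached segment, a mismatch means it hands the
    packet to its default gateway (or a more specific route, if any)."""
    net = ipaddress.ip_network(f"{host_ip}/{prefix_len}", strict=False)
    return ipaddress.ip_address(dst_ip) in net

def reachability_view(a_ip, a_prefix, b_ip, b_prefix):
    """Return (a_sees_b_local, b_sees_a_local).  When the two values differ,
    one side ARPs on the wire while the other routes via the gateway, which
    is the source of the intermittent, address-dependent failures in the thread."""
    return (same_subnet(a_ip, a_prefix, b_ip),
            same_subnet(b_ip, b_prefix, a_ip))

def audit_mask_consistency(devices):
    """devices: list of (name, ip, prefix_len) tuples.
    Returns every pair whose masks disagree about being on-link."""
    issues = []
    for i in range(len(devices)):
        for j in range(i + 1, len(devices)):
            n1, ip1, p1 = devices[i]
            n2, ip2, p2 = devices[j]
            v1, v2 = reachability_view(ip1, p1, ip2, p2)
            if v1 != v2:
                issues.append((n1, n2, v1, v2))
    return issues

# Constructed inventory matching the thread: the PIX inside interface with
# the /8 mask, a LAN host on /24, and a hypothetical 10.5.1.0/24 network
# reached through the PIX (the case where its /8 mask claims the address as local).
DEVICES_AS_FOUND = [
    ("pix-inside",  "10.0.10.3",  8),
    ("lan-host",    "10.0.10.45", 24),
    ("branch-host", "10.5.1.1",   24),
]

# The same inventory with the PIX inside interface corrected to /24.
DEVICES_FIXED = [
    ("pix-inside",  "10.0.10.3",  24),
    ("lan-host",    "10.0.10.45", 24),
    ("branch-host", "10.5.1.1",   24),
]

if __name__ == "__main__":
    for label, inv in (("as found", DEVICES_AS_FOUND), ("fixed", DEVICES_FIXED)):
        print(f"--- {label} ---")
        for n1, n2, v1, v2 in audit_mask_consistency(inv) or []:
            print(f"{n1} thinks {n2} is {'on-link' if v1 else 'remote'}, "
                  f"but {n2} thinks {n1} is {'on-link' if v2 else 'remote'}")
```

With the /8 mask the PIX considers 10.5.1.1 on-link and would ARP for it on the inside segment instead of routing, while the branch host correctly treats the PIX as remote; the LAN host and the PIX agree about each other only because both happen to share 10.0.10.x. Setting the interface to /24 removes the mismatch. The same check is a cheap thing to run over an interface inventory before troubleshooting "random" connectivity complaints.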
 