Re: 16 bit subnet segmentation
- From: RickyVene <RickyVene@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 28 Aug 2006 15:30:01 -0700
I'll try that segmentation, but what is the best way to do that? By bridges
or by router segmentation?
How about the L2TP/IPSEC for VPN on ISA 2004? Right now, I'm only using the
PPTP protocol. Is it advisable to go to ipsec?
Thanks,
Ricky
"Phillip Windell" wrote:
You can add two 24bit segments alongside of the existing ones and migrate to
the new segments over a period of time. If you can whittle down the 16bit
segment to less than 254 Hosts and have them grouped into IP#s that fall
into a 24bit range,...then all you have to do is change the mask. At that
point even the mask can be changed over time because both a 16 and 24 bit
mask would work for those simultaneously.
Once the original 16 segment is split into 24bit segments you could even get
rid of the new ones you created that aren't needed anymore. It is up to you
how to deal with that.
Once you are out of the woods with all this,...always keep your segment at
254 hosts or less (24bit mask). Ethernet loses efficiency after about 300
hosts per segment. It is even true with gigabit however it just isn't as
noticeable to "humans".
IPSec is not meant for running between every Host on a LAN. That is
horrible. IPSec has a high overhead. It was intended to be used in a
"point-to-point" situation like maybe a WAN link between two sites.
IPSec's primary purpose is to prevent "eavesdropping" by Sniffers by
encrypting the packets. On the Local LAN your Switches already do that by
isolating the session between a pair of "talking" hosts to its own "virtual
circuit". You have to specifically configure the Switch with a Monitoring
Port to use a Sniffer. So you don't need IPSec for that.
You can do "firewall-like" filtering with IPSec too, but you can do that
without IPSec anyway, so what's the point? Plus the LAN has to be almost
"wide open" just to function normally, so there isn't a lot of filtering
even possible there.
--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
"RickyVene" <RickyVene@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:9596A79B-CDFF-4E5A-A9D1-B269091F5224@xxxxxxxxxxxxxxxx
Hi,
I have a 16 bit subnet which is hard to administer especially with Network
speed.
I disable my ghost because it's a network killer.
Can I do segmentation with 16 bit subnet with another router?
I also need to implement IPSEC. Is this going to have a big impact on it?
Can't change my subnet, it's a big task and additional fees because our
integrated VOIP, UNIX and others are already in place.
Please advise.
Thanks,
Ricky
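
Added example, not part of the thread: a Python sketch of the check behind Phillip Windell's migration advice above, that hosts grouped into one 24-bit range can run 16-bit and 24-bit masks side by side while hosts elsewhere in the 16-bit segment must be renumbered first. The 10.1.0.0/16 network, the host addresses and all function names are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample inventory (assumption, not taken from the thread).
LEGACY_NET = ipaddress.ip_network("10.1.0.0/16")
HOSTS = ["10.1.0.10", "10.1.0.25", "10.1.0.200",
         "10.1.3.7", "10.1.3.8", "10.1.42.15"]

def group_by_24(hosts, legacy=LEGACY_NET):
    """Map each /24 inside the legacy /16 to the hosts currently sitting in it."""
    groups = defaultdict(list)
    for h in hosts:
        addr = ipaddress.ip_address(h)
        if addr not in legacy:
            raise ValueError(f"{h} is outside {legacy}")
        groups[ipaddress.ip_network(f"{addr}/24", strict=False)].append(addr)
    return dict(groups)

def on_link(src, src_prefix, dst):
    """True if a host at src with that mask treats dst as local (no gateway hop)."""
    local_net = ipaddress.ip_interface(f"{src}/{src_prefix}").network
    return ipaddress.ip_address(dst) in local_net

def mixed_mask_ok(a, b):
    """a still has the 16-bit mask, b already has the 24-bit mask.
    Traffic only works without a router if each sees the other as local."""
    return on_link(a, 16, b) and on_link(b, 24, a)

def migration_plan(hosts, legacy=LEGACY_NET):
    """Keep the most populated /24; every other host must be renumbered
    (or routed) before its neighbours switch to the 24-bit mask."""
    groups = group_by_24(hosts, legacy)
    keep = max(groups, key=lambda net: len(groups[net]))
    movers = sorted(a for net, members in groups.items()
                    if net != keep for a in members)
    return keep, movers

if __name__ == "__main__":
    keep, movers = migration_plan(HOSTS)
    print("keep as 24-bit segment:", keep)
    print("renumber before changing masks:", ", ".join(map(str, movers)))
    # Same 24-bit range: either mask works, so masks can change over time.
    print("10.1.0.10/16 <-> 10.1.0.25/24:", mixed_mask_ok("10.1.0.10", "10.1.0.25"))
    # Different 24-bit range: the /24 host sends replies to its gateway instead.
    print("10.1.0.10/16 <-> 10.1.3.7/24:", mixed_mask_ok("10.1.0.10", "10.1.3.7"))
```
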