Re: 16 bit subnet segmentation

---

• From: "Neteng" <neteng.ccie@xxxxxxxxx>
• Date: Tue, 29 Aug 2006 12:54:06 -0500

---

You'll need another NIC in the ISA box or you'll need to buy a router.

"RickyVene" <RickyVene@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E22363D1-A5A0-4323-BA5D-EEF761534F38@xxxxxxxxxxxxxxxx

Can you tell me the basic connections? I have ISA 2004 edge firewall. So
how I connect this on the internal?

Thanks,
Ricky

"Neteng" wrote:

As Phillip mentioned, a router.

"RickyVene" <RickyVene@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:8FDAC361-3975-436A-9BC3-0986845D1D22@xxxxxxxxxxxxxxxx

Are you saying that 16 bit segments can communicate with 24 bits? By

what

devices I need to use?

Please advise more.

Thanks,
Ricky

"Phillip Windell" wrote:

"RickyVene" <RickyVene@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:07E26D90-19FA-4317-B453-8BD412AD1817@xxxxxxxxxxxxxxxx

I'll try that segmentation, but what is the best way to do that?

By

bridges
or by router segmentation.

Bridges are just another name for Switches. Switches are Layer2.

Segmenting

is Layer3, Routers are Layer3,...so you have to use a Router. There

are

a

lot of devices being sold now that are both a Router and a Switch in

the

same box,...they are called Layer3 Switches. These are a very good

option,

just be sure to keep separated in your mind the router functionality

from

the switch functionality even though it is happeing in the same box.

How about the L2TP/IPSEC for VPN on ISA 2004? Right now, I'm only

using

the
PPTP protocol. Is it advisable to go to ipsec?

VPN is already encapsulated with just using PPTP,...that's what PPTP

is.

I

have never messed with L2TP/IPSec,...it has never even interested me

or

made

me curious enough to try. Some people love it,...I couldn't care

less

about it. Your choice. I have also never wanted to spend the $$ to

buy

the

Certs to do it and the MS Cert Services is just too big of a hassel

to

mess

with for me.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

Thanks,
Ricky




"Phillip Windell" wrote:

You can add two 24bit segments alongside of the existing ones and

migrate

to
the new segments over a period of time. If you can wittle down

the

16bit

segment to less than 254 Hosts and have them grouped into IP#s

that

fall

into a 24bit range,...then all you have to do is change the mask.

At

that

point even the mask can be changed over time because both a 16

and 24

bit

mask would work for those simultanously.

Once the original 16 segment is split into 24bit segments you

could

even

get
rid of the new ones you created that aren't needed anymore. It

is up

to

you
how to deal with that.

Once you are out of the woods with all this,...always keep your

segment

at
254 hosts or less (24bit mask). Ethernet looses effieciency after

about

300
hosts per segment. It is even true with gigbit however it just

isn't

as

noticable to "humans".

IPSec is not meant for running between every Host on a LAN. That

is

horrible. IPSec has a high overhead. It was intended to be used

in a

"point-to-point" situation like maybe a WAN link between two

sites.

IPSec's primary purpose is to prevent "eavesdropping" by Sniffers

by

encrypting the packets. On the Local LAN your Switches already

do

that

by
isolating the session between a pair of "talking" hosts to its

own

"virtual
circuit". You have to specifically configure the Switch with a

Monitoring

Port to use a Sniffer. So you don't need IPSec for that.

You can do "firewall-like" filtering with IPSec too, but you can

do

that

without IPSec anyway, so what's the point? Plus the LAN has to

be

almost

"wide open" just to function normally, so there isn't a lot of

filtering

even possible there.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com




"RickyVene" <RickyVene@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in

message

news:9596A79B-CDFF-4E5A-A9D1-B269091F5224@xxxxxxxxxxxxxxxx

Hi,

I have a 16 bit subnet which is hard to administer especially

with

Network
speed.

I disable my ghost because it's a network killer.

Can I do segmentation with 16 bit subnet with another router?

I need also to implement IPSEC. Does this going to be a big

impact

on

it?

Can't change my subnet, it's a big task and additional fees

because

our

integrated VOIP, UNIX and others are already in-placed.

Please advise.

Thanks,
Ricky

.

---

• References:
  • Re: 16 bit subnet segmentation
    • From: RickyVene
  • Re: 16 bit subnet segmentation
    • From: RickyVene
  • Re: 16 bit subnet segmentation
    • From: Neteng
  • Re: 16 bit subnet segmentation
    • From: RickyVene

• Prev by Date: RRAS on ISA 2004 not keeping configs
• Next by Date: Re: RRAS on ISA 2004 not keeping configs
• Previous by thread: Re: 16 bit subnet segmentation
• Next by thread: RRAS on ISA 2004 not keeping configs
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: 16 bit subnet segmentation ... Bridges are just another name for Switches. ... 254 hosts or less. ... IPSec is not meant for running between every Host on a LAN. ... Can I do segmentation with 16 bit subnet with another router? ... (microsoft.public.windows.server.networking) Re: 16 bit subnet segmentation ... Bridges are just another name for Switches. ... Phillip Windell ... IPSec is not meant for running between every Host on a LAN. ... Can I do segmentation with 16 bit subnet with another router? ... (microsoft.public.windows.server.networking) vi problem when TERM=dtterm ... Segmentation Fault ... :/home/users$ uname -a ... I am able to use vi with TERM=dtterm environment on the other hosts. ... (SunManagers)

---

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint

www.tech-archive.net  > Archive  > Windows  > microsoft.public.windows.server.networking  > 2006-08