16 bit subnet segmentation

Discussion in 'Server Networking' started by RickyVene, Aug 28, 2006.

  1. RickyVene

    RickyVene Guest

    Hi,

    I have a 16 bit subnet which is hard to administer especially with Network
    speed.

    I disable my ghost because it's a network killer.

    Can I do segmentation with 16 bit subnet with another router?

    I need also to implement IPSEC. Does this going to be a big impact on it?

    Can't change my subnet, it's a big task and additional fees because our
    integrated VOIP, UNIX and others are already in-placed.

    Please advise.

    Thanks,
    Ricky
     
    RickyVene, Aug 28, 2006
    #1
    1. Advertisements

  2. You can add two 24bit segments alongside of the existing ones and migrate to
    the new segments over a period of time. If you can wittle down the 16bit
    segment to less than 254 Hosts and have them grouped into IP#s that fall
    into a 24bit range,...then all you have to do is change the mask. At that
    point even the mask can be changed over time because both a 16 and 24 bit
    mask would work for those simultanously.

    Once the original 16 segment is split into 24bit segments you could even get
    rid of the new ones you created that aren't needed anymore. It is up to you
    how to deal with that.

    Once you are out of the woods with all this,...always keep your segment at
    254 hosts or less (24bit mask). Ethernet looses effieciency after about 300
    hosts per segment. It is even true with gigbit however it just isn't as
    noticable to "humans".

    IPSec is not meant for running between every Host on a LAN. That is
    horrible. IPSec has a high overhead. It was intended to be used in a
    "point-to-point" situation like maybe a WAN link between two sites.

    IPSec's primary purpose is to prevent "eavesdropping" by Sniffers by
    encrypting the packets. On the Local LAN your Switches already do that by
    isolating the session between a pair of "talking" hosts to its own "virtual
    circuit". You have to specifically configure the Switch with a Monitoring
    Port to use a Sniffer. So you don't need IPSec for that.

    You can do "firewall-like" filtering with IPSec too, but you can do that
    without IPSec anyway, so what's the point? Plus the LAN has to be almost
    "wide open" just to function normally, so there isn't a lot of filtering
    even possible there.
     
    Phillip Windell, Aug 28, 2006
    #2
    1. Advertisements

  3. RickyVene

    RickyVene Guest

    I'll try that segmentation, but what is the best way to do that? By bridges
    or by router segmentation.

    How about the L2TP/IPSEC for VPN on ISA 2004? Right now, I'm only using the
    PPTP protocol. Is it advisable to go to ipsec?

    Thanks,
    Ricky




     
    RickyVene, Aug 28, 2006
    #3
  4. Bridges are just another name for Switches. Switches are Layer2. Segmenting
    is Layer3, Routers are Layer3,...so you have to use a Router. There are a
    lot of devices being sold now that are both a Router and a Switch in the
    same box,...they are called Layer3 Switches. These are a very good option,
    just be sure to keep separated in your mind the router functionality from
    the switch functionality even though it is happeing in the same box.
    VPN is already encapsulated with just using PPTP,...that's what PPTP is. I
    have never messed with L2TP/IPSec,...it has never even interested me or made
    me curious enough to try. Some people love it,...I couldn't care less
    about it. Your choice. I have also never wanted to spend the $$ to buy the
    Certs to do it and the MS Cert Services is just too big of a hassel to mess
    with for me.

    --
    Phillip Windell [MCP, MVP, CCNA]
    www.wandtv.com
     
    Phillip Windell, Aug 29, 2006
    #4
  5. RickyVene

    Neteng Guest

    Certs are not required for IPSec/L2TP. IPSec provides stronger encryption,
    better security, and outperforms PPTP.

     
    Neteng, Aug 29, 2006
    #5
  6. RickyVene

    RickyVene Guest

    Are you saying that 16 bit segments can communicate with 24 bits? By what
    devices I need to use?

    Please advise more.

    Thanks,
    Ricky

     
    RickyVene, Aug 29, 2006
    #6
  7. RickyVene

    Neteng Guest

    As Phillip mentioned, a router.

     
    Neteng, Aug 29, 2006
    #7
  8. RickyVene

    RickyVene Guest

    Can you tell me the basic connections? I have ISA 2004 edge firewall. So
    how I connect this on the internal?

    Thanks,
    Ricky

     
    RickyVene, Aug 29, 2006
    #8
  9. RickyVene

    Neteng Guest

    You'll need another NIC in the ISA box or you'll need to buy a router.

     
    Neteng, Aug 29, 2006
    #9
  10. That's true. But it has higher overhead, I doubt it outperforms PPTP. The
    security would be better than PPTP, but I still think PPTP is plenty good
    enough.
    Sorry, I didn't realize Certs weren't required.
     
    Phillip Windell, Aug 29, 2006
    #10
  11. You must have totally misunderstood what I said. Just re-read it,...I don't
    want to type it all over again.

    --
    Phillip Windell [MCP, MVP, CCNA]
    www.wandtv.com


     
    Phillip Windell, Aug 29, 2006
    #11
  12. Re-read my first post.
    Everything is there if you take the time to understand it.

    As far as 24bit & 16bit,...I did not say the two networks would interact
    without a router,...I said a 24bit and 16bit *masks* could live together
    *temporarily* if all the machines IP#s fit within the smaller 24bit range.
    This would only be temporary until all the 16bit *masks* were changed to
    24bit masks. I probably shouldn't have even mentioned it. Someone who
    already understood the stuff would know just what I meant but someone who
    doesn't would only be confused.


    --
    Phillip Windell [MCP, MVP, CCNA]
    www.wandtv.com




     
    Phillip Windell, Aug 29, 2006
    #12
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.