Phillip Windell

You can add two 24bit segments alongside of the existing ones and migrate to the new segments over a period of time. If you can whittle down the 16bit segment to less than 254 Hosts and have them grouped into IP#s that fall into a 24bit range, then all you have to do is change the mask. At that point even the mask can be changed over time because both a 16 and 24 bit mask would work for those simultaneously.

Once the original 16 segment is split into 24bit segments you could even get rid of the new ones you created that aren't needed anymore. It is up to you how to deal with that.

Once you are out of the woods with all this, always keep your segment at 254 hosts or less (24bit mask). Ethernet loses efficiency after about 300 hosts per segment. It is even true with gigabit, however it just isn't as noticeable to "humans".

IPSec is not meant for running between every Host on a LAN. That is horrible. IPSec has a high overhead. It was intended to be used in a "point-to-point" situation like maybe a WAN link between two sites.

IPSec's primary purpose is to prevent "eavesdropping" by Sniffers by encrypting the packets. On the Local LAN your Switches already do that by isolating the session between a pair of "talking" hosts to its own "virtual circuit". You have to specifically configure the Switch with a Monitoring Port to use a Sniffer. So you don't need IPSec for that.

You can do "firewall-like" filtering with IPSec too, but you can do that without IPSec anyway, so what's the point? Plus the LAN has to be almost "wide open" just to function normally, so there isn't a lot of filtering even possible there.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

"RickyVene" wrote in message news:9596A79B-CDFF-4E5A-A9D1-(E-Mail Removed)...
> Hi,
>
> I have a 16 bit subnet which is hard to administer, especially with network speed.
>
> I disable my ghost because it's a network killer.
>
> Can I do segmentation with a 16 bit subnet with another router?
>
> I also need to implement IPSEC. Is this going to be a big impact on it?
>
> Can't change my subnet, it's a big task and additional fees because our integrated VOIP, UNIX and others are already in place.
>
> Please advise.
>
> Thanks,
> Ricky

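The whittle-down-then-change-the-mask plan in the reply above, as an added example that is not part of the thread: a Python check built on the standard-library ipaddress module that picks the /24 most of the hosts already fall in, confirms that hosts still carrying a /16 mask and hosts already re-masked to /24 keep reaching each other inside that /24 as long as it remains one broadcast domain, and flags the pairs the gradual mask change does not cover, namely a /16-mask host that will still ARP for an address that has been moved out to a segment behind the router. The legacy segment 10.1.0.0/16, the hostnames and the addresses are constructed stand-ins, not values from the thread.

```python
"""Planning check for the /16 -> /24 migration described in the reply above.

Constructed example: the legacy segment 10.1.0.0/16 and the host inventory
are made-up stand-ins, not addresses from the thread.
"""
import ipaddress
from collections import Counter

# Constructed inventory: (hostname, address, prefix length currently configured).
# Two hosts have already been re-masked to /24; the others still carry /16.
HOSTS = [
    ("pbx-01",  "10.1.5.10",  16),
    ("unix-01", "10.1.5.20",  16),
    ("ws-101",  "10.1.5.101", 24),
    ("ws-102",  "10.1.5.102", 24),
    ("printer", "10.1.7.50",  16),   # lands outside the candidate /24
]


def best_target(hosts):
    """Return (as a string) the /24 that already holds the most hosts: the
    natural candidate for the 'group them into a 24bit range' step."""
    counts = Counter(str(ipaddress.ip_interface(f"{addr}/24").network)
                     for _, addr, _ in hosts)
    return counts.most_common(1)[0][0]


def on_link(src_addr, src_prefix, dst_addr):
    """True if a host configured as src_addr/src_prefix treats dst_addr as
    on-link (ARPs for it directly) instead of sending it to its gateway."""
    iface = ipaddress.ip_interface(f"{src_addr}/{src_prefix}")
    return ipaddress.ip_address(dst_addr) in iface.network


def _split(hosts, target):
    """Partition the inventory into hosts inside and outside the target /24."""
    net = ipaddress.ip_network(target)
    inside = [h for h in hosts if ipaddress.ip_address(h[1]) in net]
    outside = [h for h in hosts if h not in inside]
    return inside, outside


def mixed_mask_ok(hosts, target):
    """Inside one /24 that is still a single broadcast domain, every host
    reaches every other whether it carries /16 or /24: this is why the mask
    can be changed host by host rather than all at once."""
    inside, _ = _split(hosts, target)
    return all(on_link(s[1], s[2], d[1])
               for s in inside for d in inside if s is not d)


def stranded_pairs(hosts, target):
    """The case the gradual mask change does NOT cover: a host inside the
    target /24 that still carries /16 believes a host moved outside it
    (behind a router) is on-link, ARPs for it, and gets no reply.
    Returns the (src, dst) hostname pairs that would break."""
    inside, outside = _split(hosts, target)
    return [(s[0], d[0]) for s in inside for d in outside
            if on_link(s[1], s[2], d[1])]


if __name__ == "__main__":
    target = best_target(HOSTS)
    print("candidate /24:", target)
    print("mixed masks safe inside it:", mixed_mask_ok(HOSTS, target))
    for src, dst in stranded_pairs(HOSTS, target):
        print(f"re-mask {src} to /24 before moving {dst} behind the router")
```

The order of operations this suggests is the practical point: hosts inside the chosen /24 can keep their /16 mask for as long as they only talk to hosts on the same wire, but each one has to be re-masked to /24 before any address it needs to reach is moved out to a routed segment, because a /16-mask host never sends traffic for 10.1.x.x to its gateway.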
RickyVene

I'll try that segmentation, but what is the best way to do that? By bridges or by router segmentation?

How about the L2TP/IPSEC for VPN on ISA 2004? Right now, I'm only using the PPTP protocol. Is it advisable to go to ipsec?

Thanks,
Ricky

Phillip Windell

"RickyVene" wrote in message news:07E26D90-19FA-4317-B453-(E-Mail Removed)...
> I'll try that segmentation, but what is the best way to do that? By bridges or by router segmentation?

Bridges are just another name for Switches. Switches are Layer2. Segmenting is Layer3, Routers are Layer3, so you have to use a Router. There are a lot of devices being sold now that are both a Router and a Switch in the same box; they are called Layer3 Switches. These are a very good option, just be sure to keep separated in your mind the router functionality from the switch functionality even though it is happening in the same box.

> How about the L2TP/IPSEC for VPN on ISA 2004? Right now, I'm only using the PPTP protocol. Is it advisable to go to ipsec?

VPN is already encapsulated with just using PPTP; that's what PPTP is. I have never messed with L2TP/IPSec; it has never even interested me or made me curious enough to try. Some people love it; I couldn't care less about it. Your choice. I have also never wanted to spend the $$ to buy the Certs to do it, and the MS Cert Services is just too big of a hassle to mess with for me.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

Neteng

Certs are not required for IPSec/L2TP. IPSec provides stronger encryption, better security, and outperforms PPTP.

RickyVene

Are you saying that 16 bit segments can communicate with 24 bits? What devices do I need to use? Please advise more.

Thanks,
Ricky

Neteng

As Phillip mentioned, a router.

RickyVene

Can you tell me the basic connections? I have an ISA 2004 edge firewall. So how do I connect this on the internal?

Thanks,
Ricky

Neteng

You'll need another NIC in the ISA box or you'll need to buy a router.

Phillip Windell

"Neteng" wrote in message news:%(E-Mail Removed)...
> Certs are not required for IPSec/L2TP. IPSec provides stronger encryption, better security, and outperforms PPTP.

That's true. But it has higher overhead; I doubt it outperforms PPTP. The security would be better than PPTP, but I still think PPTP is plenty good enough. Sorry, I didn't realize Certs weren't required.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com