Re: IP subnetting

On 14 Jul 2008 at 11:55, Glynn Clements wrote:
> Beginner wrote:
> 
> The number of addresses in a subnet will always be a power of two; you
> can't make a subnet with e.g. 128 - 8 = 120 addresses. If your network
> is a /25, and you want to carve out a /29, you would end up with at
> least 5 subnets:
> 
> 	/29 + /29 + /28 + /27 + /26
> 	8     8     16    32    64
> 
> That isn't a problem for the router, but configuring the hosts'
> routing tables is likely to be a nuisance (assuming that the DMZ hosts
> and non-DMZ hosts might occasionally want to talk to each other).
> 
> If you configure the hosts to believe that they're on a /25 subnet,
> they will assume that they can talk directly to the DMZ hosts, without
> needing to use a gateway. That will require proxy ARP.
> 
> OTOH, if you split the /25 into 5 subnets as shown above, either each
> host will require routes to all of the other subnets, or hosts on
> different subnets will have to route their traffic through the
> gateway, which will significantly increase its load.
> 
> I suspect that you would be better off sticking to a single /25
> network, and adding host routes and proxy-ARP entries for the DMZ
> hosts.
> 
> On the router, you would add a route for your entire /25 network
> through the first interface, and host routes for the individual DMZ
> hosts through the second interface. You would also add proxy-ARP
> entries for the DMZ hosts to the first interface, so that the non-DMZ
> hosts can act as if the DMZ hosts are on the same network segment.
> 
> Or you could just use private (192.168.* etc) addresses for the
> non-DMZ hosts and have the router perform NAT.


There's quite a lot to take in here. The router is managed by our
ISP. They suggested 3 options including one to break it into smaller
networks as you suggest. I want the maintenance and schema of the
network to be as simple as possible. I have more addresses than I
need so it seems daft to buy a few more to put on that interface.

I think I favour your idea to assign the lot to the first interface
and use proxy-ARP and host routes.

Thanks for the explanation.
Dp.
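As an added worked example (not part of the thread above, and not anything either poster wrote), the following Python script does the two pieces of arithmetic and planning the quoted reply describes: it carves a /29 out of a /25 and shows that the remainder can only be covered by power-of-two blocks (/26 + /27 + /28 + /29, i.e. 5 subnets including the DMZ /29), and it generates the iproute2/sysctl commands for the single-/25 design with host routes and proxy-ARP entries. The prefix 203.0.113.0/25 (a documentation range), the DMZ host addresses and the interface names eth0/eth1 are constructed for illustration; the commands are returned as strings, not executed.

```python
"""Added example for the subnetting thread above (not the original poster's
or the list's code).  Addresses and interface names below are constructed."""
from ipaddress import ip_address, ip_network


def carve(parent: str, child: str) -> list:
    """Return the CIDR blocks that remain when `child` is carved out of
    `parent`, largest block first.

    Each block is a power of two in size, which is why a 120-address
    remainder (128 - 8) can never be expressed as one subnet."""
    p, c = ip_network(parent), ip_network(child)
    if not c.subnet_of(p):
        raise ValueError(f"{child} is not inside {parent}")
    # address_exclude() yields exactly the halving sequence the reply shows.
    return sorted(p.address_exclude(c), key=lambda n: n.prefixlen)


def remainder_size(parent: str, child: str) -> int:
    """Total addresses left in `parent` after removing `child`."""
    return sum(n.num_addresses for n in carve(parent, child))


def proxy_arp_plan(lan_net: str, lan_if: str, dmz_if: str, dmz_hosts) -> list:
    """Commands for the 'keep a single /25' design from the quoted reply:
    forward, route the whole prefix out the LAN side, add /32 host routes
    for each DMZ host out the DMZ side (longest match wins over the /25),
    and add proxy-ARP entries on the LAN side so LAN hosts that believe
    the DMZ hosts are on-link get an ARP answer from the router."""
    net = ip_network(lan_net)
    cmds = [
        "sysctl -w net.ipv4.ip_forward=1",
        f"ip route add {net} dev {lan_if}",
    ]
    for host in dmz_hosts:
        addr = ip_address(host)
        if addr not in net:
            raise ValueError(f"{host} is not in {lan_net}")
        cmds.append(f"ip route add {addr}/32 dev {dmz_if}")
        cmds.append(f"ip neigh add proxy {addr} dev {lan_if}")
    return cmds


if __name__ == "__main__":
    # Constructed input: a /25, with the top /29 reserved for the DMZ.
    parent, dmz = "203.0.113.0/25", "203.0.113.120/29"
    blocks = carve(parent, dmz)
    print("remainder:", " + ".join(f"/{b.prefixlen}" for b in blocks),
          "=", remainder_size(parent, dmz), "addresses")
    print("subnets in total (incl. DMZ /29):", len(blocks) + 1)
    for cmd in proxy_arp_plan(parent, "eth0", "eth1",
                              ["203.0.113.121", "203.0.113.122"]):
        print(cmd)
```

Two caveats worth keeping in mind with the proxy-ARP design: the /32 routes must be present before the proxy entries are useful, since the kernel only answers proxy ARP for an address whose route leaves on a different interface than the one the request arrived on; and because LAN hosts now see the DMZ hosts as on-link, the only place traffic between the two can be filtered is the router's FORWARD path, so the firewall rules there carry the whole DMZ boundary.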

--
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
