List:       firewalls-gc
Subject:    Re: [FW1] [FW-1] [Solaris 2.6] DHCP, VLSM thoughts
From:       Marc Mosko <marc () tear ! com>
Date:       1997-05-05 16:54:13

Marc D. Jackson wrote:
> 
> Eric Deschamps writes:
> >
> > >
> > > > > 2] How will VLSM make firewalling administration any easier/better ?
> > > > >
> > > >
> > > > No, but it will make it easier to subnet your intranet without
> > > > losing precious IP addresses to a subnet without enough
> > > > hosts to use all of the addresses.
> > >
> > > ?  I don't understand this last sentence.  My exposure to VLSM indicates
> > > that it has nothing to do with subnetting your intranet.  I ran into
> > > this problem when trying to route with rip.  Specifically, Sun's
> > > implementation of the routing socket interface is not the industry
> > > standard.  In other words, when you use a Sun machine as a multi-homed
> > > host with subnetted networks the rip updates are incorrect.  The routers
> > > that we used had no problems at all in dealing with the subnetted
> > > networks, therefore while we were able to subnet our intranet we had
> > > problems with using Sun's as any type of router.
> > >
> > > mj
> >
> > Marc,
> >
> > It seems that VLSM stands for "variable-length subnet mask", so it looks like
> > it has to do with subnetting your intranet. RIP has no knowledge of subnet
> 
> Perhaps this is a problem with terminology.  On one machine if I have
> 
> 192.168.100.33, 192.168.100.66, 192.168.100.97 all with the subnet mask
> 255.255.255.224 the rip updates from the machine contain information
> about the various subnets.  This would indicate to me that "RIP" *does*
> understand subnetting.  Are you saying that the packets on port 520 are
> *not* RIP updates?
> 
> mj

*Hosts* running RIP understand static subnet masks (/etc/netmasks), but
not variable masks.  EIGRP (cisco) and OSPF are the best candidates for
an internal gateway protocol that support VLSM.

I work with a client who has 5 class Cs subnetted with anything from 224
to 252 subnet masks, intermixed in the same class Cs.  About the only
downside is a bigger routing table if you have the subnets spread out
across your internetwork since you cannot do summary routes (at least
easily...).  These subnets have very high utilization, usually over 80%.

In respect to a firewall, you can run gated instead of routed.  HP-UX
and IRIX both ship w/ gated (as do others).  Sun still only ships
routed.  Gated will do OSPF.  Firewall-1, for instance, can be
configured to allow OSPF through to the kernel.

-- 
   Marc Mosko                   Email: marc@tear.com
                                Web:   http://www.tear.com/

  "If anyone runs against or falls on a person's weapons so
   that as a result he dies, and it is evident that it is the
   fault of himself alone, then the responsibility shall lie there." 
   -- Leges Henrici Primi (13th century)

           PGP Key available via Public Servers and
               http://www.tear.com/pgp-key.html
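
The three points in Marc's reply above, worked through in Python: masks from
255.255.255.224 to 255.255.255.252 intermixed in one class C at high
utilization, a RIP host that only knows the single mask in /etc/netmasks, and
the larger routing table you get when such subnets are scattered instead of
summarized. This is an added example, not code from the original message or
from anyone on the list. The subnet plan, host counts, router assignments and
the receiving interface address are constructed; the RIP behaviour modelled is
the mask-less RIPv1 update of RFC 1058, in which a receiver applies the mask of
the interface the update arrived on to any destination inside its own classful
network.

```python
"""VLSM plan check, the RIPv1 (mask-less) view of it, and route-table size.

Added example, not code from the original message.  The plan, host counts
and router assignments are constructed to resemble the case in the thread:
one class C carved into subnets with masks from 255.255.255.224 (/27) to
255.255.255.252 (/30), intermixed in the same /24.
"""
import ipaddress
from typing import Dict, List, Sequence, Tuple

IPv4Network = ipaddress.IPv4Network

# Constructed plan: (subnet, hosts currently in use).  Not from the thread.
PLAN: List[Tuple[str, int]] = [
    ("192.168.100.0/27", 27), ("192.168.100.32/28", 12), ("192.168.100.48/28", 12),
    ("192.168.100.64/27", 26), ("192.168.100.96/30", 2), ("192.168.100.100/30", 2),
    ("192.168.100.104/29", 5), ("192.168.100.112/28", 12), ("192.168.100.128/27", 26),
    ("192.168.100.160/27", 25), ("192.168.100.192/27", 27), ("192.168.100.224/27", 26),
]

def check_plan(plan: Sequence[Tuple[str, int]], parent: str) -> Dict[str, float]:
    """Verify the subnets fit inside `parent` without overlapping; report utilization."""
    parent_net = ipaddress.ip_network(parent)
    nets = [ipaddress.ip_network(s) for s, _ in plan]
    for i, a in enumerate(nets):
        if not a.subnet_of(parent_net):
            raise ValueError(f"{a} lies outside {parent_net}")
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a} overlaps {b}")
    # Usable hosts exclude the network and broadcast addresses (/30 -> 2, /27 -> 30).
    for n, (_, hosts) in zip(nets, plan):
        if hosts > n.num_addresses - 2:
            raise ValueError(f"{n} cannot hold {hosts} hosts")
    usable = sum(n.num_addresses - 2 for n in nets)
    in_use = sum(hosts for _, hosts in plan)
    return {"subnets": len(nets), "usable": usable, "in_use": in_use,
            "utilization": round(in_use / usable, 3)}

def fixed_mask_cost(plan: Sequence[Tuple[str, int]], prefixlen: int) -> int:
    """Addresses consumed if every subnet had to share one mask, which is all a
    host with a single /etc/netmasks entry can express.  The mask must fit the
    largest subnet, so every two-host link burns a whole block of that size."""
    largest = min(ipaddress.ip_network(s).prefixlen for s, _ in plan)
    if prefixlen > largest:
        raise ValueError(f"/{prefixlen} is too small for the /{largest} subnets")
    return len(plan) * 2 ** (32 - prefixlen)

def classful_network(addr: ipaddress.IPv4Address) -> IPv4Network:
    """Natural class A/B/C network of an address, the only mask RIPv1 carries."""
    first_octet = int(addr) >> 24
    prefixlen = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)

def ripv1_interpret(advertised: str, receiver_iface: str) -> IPv4Network:
    """How a RIPv1 listener reads one route.  The update has no mask field, so
    for a destination inside its own classful network the receiver applies the
    mask of the interface the update arrived on (RFC 1058), and falls back to
    the classful mask for anything else."""
    addr = ipaddress.ip_network(advertised).network_address
    iface = ipaddress.ip_interface(receiver_iface)
    if addr in classful_network(iface.ip):
        return ipaddress.ip_network(f"{addr}/{iface.network.prefixlen}", strict=False)
    return classful_network(addr)

def ripv1_view(plan: Sequence[Tuple[str, int]], receiver_iface: str) -> List[IPv4Network]:
    """Distinct routes a RIPv1 host ends up with after hearing the whole plan."""
    return sorted({ripv1_interpret(s, receiver_iface) for s, _ in plan})

def advertised_routes(subnets: Sequence[str]) -> List[IPv4Network]:
    """Routes a classless protocol (OSPF, EIGRP) needs for one router's subnets:
    adjacent blocks collapse into a summary, scattered ones stay separate."""
    return list(ipaddress.collapse_addresses(ipaddress.ip_network(s) for s in subnets))

def table_size(assignment: Dict[str, Sequence[str]]) -> int:
    """Routes the rest of the internetwork must carry for a given assignment."""
    return sum(len(advertised_routes(nets)) for nets in assignment.values())

# The same 12 subnets split over two routers two ways (constructed).
SPREAD: Dict[str, Sequence[str]] = {
    "rtr-a": ["192.168.100.0/27", "192.168.100.48/28", "192.168.100.100/30", "192.168.100.160/27"],
    "rtr-b": ["192.168.100.32/28", "192.168.100.64/27", "192.168.100.96/30", "192.168.100.104/29",
              "192.168.100.112/28", "192.168.100.128/27", "192.168.100.192/27", "192.168.100.224/27"],
}
CONTIGUOUS: Dict[str, Sequence[str]] = {
    "rtr-a": [s for s, _ in PLAN[:8]],   # everything in 192.168.100.0/25
    "rtr-b": [s for s, _ in PLAN[8:]],   # everything in 192.168.100.128/25
}

if __name__ == "__main__":
    print(check_plan(PLAN, "192.168.100.0/24"))
    print("addresses needed with one /27 mask for all:", fixed_mask_cost(PLAN, 27))
    print("RIPv1 host on 192.168.100.5/27 believes in:", ripv1_view(PLAN, "192.168.100.5/27"))
    print("routes carried, spread vs contiguous:", table_size(SPREAD), table_size(CONTIGUOUS))
```

Run as-is, the plan checks clean at about 87% utilization of 232 usable
addresses, while forcing a single /27 mask onto the same 12 subnets would need
384 addresses, more than one class C. The RIPv1 host on a /27 interface hears
12 subnets but installs 8 routes, among them a 192.168.100.32/27 that does not
exist and that hides the two /28s, the two /30s and the /29 behind it. With a
classless protocol, the scattered assignment costs 11 routes and the contiguous
one collapses to 2, which is the routing-table point in the message above.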
