So you're running three layer 3 networks on a single layer 2 network? ie, if I changed my IP from 192.168.200.5 to 192.168.201.5 I could talk to all the machines on the 192.168.201.0/24 subnet? Is there a reason for this?
How is the router cabled to the switch? What features are you using on the router that can't be performed by the Untangle?
m.
<BR>
Big Frickin Disclaimer:
While I'm pretty sure, I can't guarantee that I know what I'm doing. There might be a better way to do this, and this way might actually suck. Make sure you understand the implications of what you're doing before trying to follow these directions.<BR>It often helps troubleshooting if you have a good network map. Look <A HREF="http://forums.untangle.com/tip-day/5407-how-draw-network-diagram.html">here</A> if you want my advice on how to draw one. <BR> <B>Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
If you need Untangle support please call or email support@untangle.com<B>
What ARP defnses? I have never had to look into it before. As to my time, that is fine with them as long as they do not have to spend hard cash. Penny wise and pound foolish is the order of the day here.Originally Posted by sky-knight
Partially because that is the way it was when I got here. At one time there were separate VLANS and the network was segmented. All of that has been removed. It would probably be better for us to use a CLASS B private network internally given that we have more devices than a Class C can provide.
Technically we have 4 Class Cs, one is for our phone system.
It looks like pfSense will not give me the reporting that I need, so I am going to try Untangle again. The previous post mentioned removing ARP defences on my core switch...but I do not know what they mean by that. I have never had to play with ARP on a Procurve.
A sledgehammer will do the trick on removing the ARP-defenses on the Procurve
But I sure would recommend going to class B internal network.
That's what I did at my previous job (and no, that wasn't the reason I switched jobs).
It makes work so much easier!
You still can devide the devices by using DHCP-reservations.
Just set it up once, and you'll never have to look at it again (or at least, that's the case when you set it up right).
Once again, that's what I did at my previous job, and it all worked out fine!
Went from 7 class C subnets to 1 class B.
I have read the documentation on the procurve, and mine does not seem to have the commands arp-protect, etc (yes I was in config mode) so I cannot even check the status.
Unless you're in a time warp, you don't have any class anythings.You have 4 /24's.
Don't worry about ARP defenses, I'm not sure what he was getting at there.
Untangle is not going to work in your environment as a bridge in the position you're placing it, not with the 2/3rds of the devices disagreeing on what is local and what isn't with the Untangle.
If you can expand the netmask on all your devices to /16, that would be ideal.
1.) You'll stop forcing your router to move packets around
2.) You'll be able to use the Untangle.
If you have DHCP enabled, this should be no more than a weekend's worth of work.
m.
<BR>
Big Frickin Disclaimer:
While I'm pretty sure, I can't guarantee that I know what I'm doing. There might be a better way to do this, and this way might actually suck. Make sure you understand the implications of what you're doing before trying to follow these directions.<BR>It often helps troubleshooting if you have a good network map. Look <A HREF="http://forums.untangle.com/tip-day/5407-how-draw-network-diagram.html">here</A> if you want my advice on how to draw one. <BR> <B>Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
If you need Untangle support please call or email support@untangle.com<B>
If you don't have arp protection features, then don't worry about it.
And Mrunkel I was only pointing it out because I've got some ASAs that freak out with Untangle behind them thanks to layer2 not being maintained.
Rob Sandling, BS:SWE, MCP
NexgenAppliances.com
Phone: 866-794-8879 x201
Email: support@nexgenappliances.com
Most of the desktops are DHCP. We do have a lot of things that are not, like development kits for PS/2 and Xbox360 and servers. I have never just changed the netmask before on a network (I have done the whole network readdress from Class C to Class B).Unless you're in a time warp, you don't have any class anythings.
Don't worry about ARP defenses, I'm not sure what he was getting at there.
Untangle is not going to work in your environment as a bridge in the position you're placing it, not with the 2/3rds of the devices disagreeing on what is local and what isn't with the Untangle.
If you can expand the netmask on all your devices to /16, that would be ideal.
1.) You'll stop forcing your router to move packets around
2.) You'll be able to use the Untangle.
If you have DHCP enabled, this should be no more than a weekend's worth of work.
We do need to come in at some point and rewire much of the office because we have all these little desktop switches around and we want to get rid of as many as possible.
Any chance that by doing this it could improve network performance because things would not have to be routed at the firewall? That would be lots of win
Removing the router may improve performance, it can also make it worse. Right now you have multiple broadcast domains living on a single collision domain. Making everything a single /16 would make a single broadcast domain on a single collision domain.
I doubt layer 2 wise the two configurations make any difference at all. The difference is your stations would all have more broadcast work to do to track all the resources. And Microsoft devices tend to be chatty things on networks, their game consoles included.
You have your work cut out for you.
Rob Sandling, BS:SWE, MCP
NexgenAppliances.com
Phone: 866-794-8879 x201
Email: support@nexgenappliances.com
If devices from one subnet are communicating with devices in another subnet, then yes, you will instantly gain performance for those links.
Expanding the subnet range should have no other affect. Your just modifying the layer 3 broadcast domain and allowing the two devices to communicate directly instead of through the router.
Your layer 2 broadcast and collision domains are unaltered.
I forsee no if very few problems with this, as long as all the subnet masks are the same.
m.
<BR>
Big Frickin Disclaimer:
While I'm pretty sure, I can't guarantee that I know what I'm doing. There might be a better way to do this, and this way might actually suck. Make sure you understand the implications of what you're doing before trying to follow these directions.<BR>It often helps troubleshooting if you have a good network map. Look <A HREF="http://forums.untangle.com/tip-day/5407-how-draw-network-diagram.html">here</A> if you want my advice on how to draw one. <BR> <B>Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
If you need Untangle support please call or email support@untangle.com<B>
Posting Permissions
LinkBack URL
About LinkBacks
