[ previous ] [ next ] [ threads ]
 From:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] IP-aliasing
 Date:  Tue, 27 Dec 2005 21:59:25 -0500
On 12/27/05, Stefan Fuhrmann <stefan at fuhrmann dot homedns dot org> wrote:
> No, its not! Image you have a bigger net assume /17 -net. You want to make
> some subnets. How you want to do this?

The point of subnetting is generally one or a combination of two things:

1) segregating broadcast domains

You don't want more than 254 hosts on a single segment.  Broadcasts
have to be processed by every host on the network, so as you increase
the number of broadcasts, you increase the load on every host on the
segment.  This isn't as big of a deal as it used to be, but it's still
generally not recommended to have more than 254 hosts (a /24).  If you
put multiple IP subnets on the same broadcast domain, you're
eliminating this benefit.

2) security reasons

The other reason is typically security concerns, restricting what can
talk to what.  if you have two networks on the same broadcast domain,
it's very easy to sniff the network and pick up the other subnets in
use via broadcasts, then add IP aliases on the other networks, and be
able to talk to them.

So if you have, say, a /17, there is no reason to subnet that address
space if it's on the same broadcast domain.  Why not just leave it as
a /17?  That's much cleaner, and there isn't any good reason to not do

As for why you can add IP aliases on some network devices, like Cisco
routers, there are enough people that employ bad network design that
they needed it.  ;)  It isn't a suggested way to do things.  Just
because you can do something doesn't mean you should.  Cisco routers
allow this, but Cisco PIX does not.  You have to use one VLAN or one
physical interface per IP subnet on the PIX firewall.