 |
 |
Well, it's still a tried-and-true standard, for most parts of campus. And no, you didn't miss the memo - we still need to draft that memo and circulate it appropriately. There are pros and cons to setting the netmask to the "wide" value, which treats the entire campus as if it were one big subnet, versus setting it to match the actual routing for a given location. A subnet mask of 255.248.0.0 is one that treats all MSU IPs, from 35.8.0.0 through 35.15.255.255, as if they were on one big subnet. The largest advantage of this is that systems out of different subnets (e.g. servers with static 35.8.x.x or 35.9.x.x IPs, v.s. workstations with dynamic 35.10.x.x IPs, v.s. some printers with 35.15.x.x IPs) will all use a common broadcast IP address, 35.15.255.255. A second advantage is that all systems on a local network will communicate directly with each other, and not involve the network router. The disadvantages of this wide subnet mask include: 1. More ARP traffic is generated, in that a given server or workstation will have to send an ARP broadcast for ANY other IP on campus, rather than just those in the local network. This can be a very significant level of broadcast traffic in some areas. 2. The wide netmask relies on the network router supporting the "proxy ARP" feature. Most routers will do so, but there are a number of firewalls which don't. And it's unclear at this point whether proxy ARP will be supportable on the new 10 gig network being deployed over the next year or so. 3. Some local routing functions, especially dealing with VPN systems, do not cope well with the overlapping routing which can be created by the interface routing with the wide subnet mask, v.s. the routes needed for the VPN system. The "correct" netmask to use is one which directly matches the netmask of the local router (or other layer 3 device, e.g. a firewall). In most locations on campus, this would be a /24 netmask, or 255.255.255.0. There are a couple gotchas with making this change, though: 1. The local broadcast IP will not be consistent for servers or workstations which are in different IP subnets, but are on the same local net. This affects some Windows environments, but can generally be resolved with a proper Windows AD setup. 2. Communications between systems on different subnets will be directed through the building router. This leads to some inefficiencies, in that some local traffic may be doubled. This may also require firewall rule changes if a layer 2 firewall is present, and may also interfere with communications to printers or other "unregistered" devics. 3. If you make the change to the netmask, you will also need to change the router (default gateway) address. In most cases, this will be the ".1" address of the local subnet, i.e., if your server's address is 35.8.123.231, then the default gateway would be 35.8.123.1. In any case, the commonly-used address 35.8.2.3 will no longer work. As you can see, there are a number of important considerations involved in making a change to the netmask, and there may be a couple that I have forgotten. We will have to flesh out these points, and communicate them well with the campus community (particularly server/network admins), before we make any large-scale changes. Brian points out that the netmask issue also affects DHCP-assigned addresses as well. I hadn't mentioned it in relation to your problem, in that the MSU campus wireless network is already using the more limited netmask. Within that environment, the issues above are not directly relevant. But it is worth noting that we (ATS) will need to make the netmask change on the DHCP server, along with the changes being done by sysadmins. Doug On Fri, May 29, 2009 at 04:35:28PM -0400, Jon Galbreath wrote: > Agreed! I run everything with that mask. I guess if there was a change, I didn't get the memo either ;-) > > Jon Galbreath > MCSE/Security+ > Systems Administrator > International Studies and Programs > Ph: 517-884-2144 > [log in to unmask] > > > -----Original Message----- > From: MSU Network Administrators Group [mailto:[log in to unmask]] On Behalf Of Hoort, Brian > Sent: Friday, May 29, 2009 4:34 PM > To: [log in to unmask] > Subject: Re: [MSUNAG] Problem with MSUNet Wireless and L2TP over IPSec. > > Only servers? All of our computers are, including those that get their > subnet mask from MSU DHCP. > > Brian Hoort > > > -----Original Message----- > From: MSU Network Administrators Group [mailto:[log in to unmask]] On > Behalf Of Al Puzzuoli > Sent: Friday, May 29, 2009 4:24 PM > To: [log in to unmask] > Subject: Re: [MSUNAG] Problem with MSUNet Wireless and L2TP over IPSec. > > Hi Doug, > > Yes, I too am curious as to what the new MSU standard is? All the > servers in my domain are currently using 255.248.0.0. > > Thanks, > > Al > > > -----Original Message----- > From: MSU Network Administrators Group [mailto:[log in to unmask]] On > Behalf Of Doug Nelson > Sent: Friday, May 29, 2009 3:38 PM > To: [log in to unmask] > Subject: Re: [MSUNAG] Problem with MSUNet Wireless and L2TP over IPSec. > > I'm assuming you are using authenticated wireless rather than guess > wireless? One possibility: Check the netmask on the Windows 2003 > server. If it's set to 255.248.0.0 (old MSU standard), that would > likely be the problem. > > Doug > > > On Fri, May 29, 2009 at 03:16:59PM -0400, Al Puzzuoli wrote: > > > I just set up a L2TP over IPSec VPN using Windows 2003 as the VPN > > server, and Vista's built-in dialer on the client side. The server is > > > located on campus in our office at Bessey Hall. Long story short, the > > > connection works flawlessly if I initiate it from home; However, I > > brought the laptop back to campus this morning and tried connecting > > via MSUNet Wireless to no avail. The client never gets a response > > from the server. Are there any special considerations or workarounds > > for the campus network I should be aware of? > > > > Thanks, > > > > Al Puzzuoli > > Michigan State University > > Information Technologist > > http://www.rcpd.msu.edu > > Resource Center for Persons with Disabilities 120 Bessey Hall East > > Lansing, MI 48824-1033 > > 517-884-1915 > > > > -- > > > Doug Nelson, Network Architect | [log in to unmask] > Academic Technology Services | Ph: (517) 353-2980 > Michigan State University | http://www.msu.edu/~nelson/ -- Doug Nelson, Network Architect | [log in to unmask] Academic Technology Services | Ph: (517) 353-2980 Michigan State University | http://www.msu.edu/~nelson/