The L2 broadcast domain would grow...excessive, I suspect. If you've got a campus large enough to require this, you've got enough people and devices that you probably don't want them all on the same subnet. Again, just guessing. I've never dealt with a network this large - my largest is my current, with ~ a thousand lit switchports.
--Matt

On Sun, Apr 7, 2013 at 7:43 AM, David Lang <[email protected]> wrote:

> On Sun, 7 Apr 2013, Robert Hajime Lanning wrote:
>
>> On 04/07/13 04:15, David Lang wrote:
>>
>>> also, as you move from one zone to another, all your connections will
>>> drop as the new router won't have them in its masquerade tables.
>>
>> Yes, that would be true. I spaced on the NAT state table, though, you
>> could probably find a way to sync them, across routers. Depending on the
>> router. :) But, definitely not a "supported" feature.
>
> Actually, there is the supported libconntrack that can sync these sorts of
> things between machines, but it's really aimed at the active/passive
> failover. It has no way of handling the case where the destination machine
> of the replication has conflicting data in its state tables.
>
> I've never set it up, but I've been watching it off and on for a few
> years. (I run over a hundred firewall pairs, but failover is infrequent
> enough that we've just accepted that when a failover happens connections
> get lost rather than the complexity and resulting problems that
> implementing this replication would cost)
>
>>> subnet size should not be a problem, very few places need to support
>>> more than 64K (/16) users, and even fewer would need more than 16M users
>>> (/8)
>>
>> Just needs to not clash with any other subnet that they need to get to.
>> But that is usually easy.
>
> yep.
>
>>>> IPv6 is another story...
>>>
>>> How would IPv6 change anything here? I don't see IPv4 really being a
>>> limit.
>>
>> Supporting v6 in this method would break some of v6's pieces, I think.
>> IPv6 does not like NAT (it can do it, as long as you don't use any of the
>> security features.) Remember IPsec is backported from IPv6. IPsec cannot
>> be NATed, only tunneled.
>>
>> I think with IPv6, a single campus wide VLAN would work fine. It has no
>> broadcast, only multicast.
>
> Usually when people say things like that, they are implying that IPv6
> solves the problem (or at least makes it much easier), so I wanted to check
> on what you were meaning :-)
>
> David Lang
>
> _______________________________________________
> Tech mailing list
> [email protected]
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
> This list provided by the League of Professional System Administrators
> http://lopsa.org/

-- 
LITTLE GIRL: But which cookie will you eat FIRST?
COOKIE MONSTER: Me think you have misconception of cookie-eating process.
_______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
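The state-replication tool David refers to is conntrackd from conntrack-tools; the configuration below is an added example, not posted by anyone in this thread, showing the active/passive FTFW (reliable) sync mode he describes. The sync-link addresses, interface name, virtual IP and file paths are constructed placeholders.

```conf
# conntrackd.conf: active/passive firewall pair, FTFW sync mode
# Addresses, interface and paths below are constructed placeholders.
Sync {
    Mode FTFW {
        # Peer's states sit in the external cache until failover commits them
        DisableExternalCache Off
        # Committed entries that the kernel never confirms expire after this
        CommitTimeout 1800
        PurgeTimeout 5
    }
    Multicast {
        IPv4_address 225.0.0.50           # sync group address
        Group 3780
        IPv4_interface 192.168.100.100    # this node's address on the sync link
        Interface eth2                    # dedicated, isolated sync link
        SndSocketBuffer 1249280
        RcvSocketBuffer 1249280
        Checksum on
    }
}

General {
    Nice -20
    HashSize 32768
    HashLimit 131072
    Syslog on
    LockFile /var/lock/conntrack.lock
    UNIX {
        Path /var/run/conntrackd.ctl
        Backlog 20
    }
    NetlinkBufferSize 2097152
    NetlinkBufferSizeMaxGrowth 8388608
    Filter From Userspace {
        # Replicate only long-lived, stateful protocols
        Protocol Accept {
            TCP
            SCTP
            DCCP
        }
        # Never replicate flows terminating on the firewall or the sync link
        Address Ignore {
            IPv4_address 127.0.0.1
            IPv4_address 192.168.100.100  # sync-link address
            IPv4_address 192.168.0.100    # shared virtual IP
        }
    }
}
```

On failover the node taking over commits the external cache into the kernel with `conntrackd -c` (the primary-backup.sh script shipped with conntrack-tools wraps this), which is a one-directional handover; it does not reconcile two routers that each hold live, conflicting entries, which is the limitation David points out.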
