User Guide for the Black Box ET1000A
Advanced Uses for Networks in Policies
EncrypTight User Guide
clear.
ETPM accepts non-contiguous network masks, which allow you to create policies between particular
addresses in your network. For example, a network of 10.0.0.1 with a mask of 255.0.0.255 allows all
devices with an IP address of 10.x.x.1 to be managed by a particular policy. This feature is available only
with ETEP PEPs. See
for more information.
Advanced Uses for Networks in Policies
If you are familiar with network addressing and network masks, you can use subnetting to make your
policies more efficient.
● Use supernetting to reduce the number of SAs and keys on each PEP in large deployments.
● Use non-contiguous network masks to apply policies to a specific IP address scheme.
Grouping Networks into Supernets
Working with large networks, a considerable number of security associations (SAs) and keys can result
on each PEP. One way to avoid this is to look for subnetworks within each network set that have
contiguous addressing. You can combine these subnets to reduce the number of SAs and keys on each
PEP.
In
, if you set up each of these networks as a separate network in ETPM, and the policy
encrypts traffic between these two networks and five other networks, the PEP for this network set would
contain 10 SAs and keys for each direction.
Figure 55 Two networks with contiguous addressing
As illustrated in
, the two networks 192.168.2.0 with subnet mask 255.255.255.0 and
192.168.3.0 with subnet mask 255.255.255.0 could be grouped into one network 192.168.2.0 with subnet
mask 255.255.254.0.
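The two techniques on this page, the non-contiguous mask (10.0.0.1 / 255.0.0.255 matching any 10.x.x.1) and the supernet (192.168.2.0/24 plus 192.168.3.0/24 becoming 192.168.2.0 / 255.255.254.0), worked through as an added example that is not code from the guide or from ETPM. The SA count is modelled as one SA per local/remote network pair, which is what the 2 x 5 = 10 figure in the text implies; that model is an assumption, as is every function name here.

```python
import ipaddress


def _to_int(dotted: str) -> int:
    """Dotted-quad address or mask as a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def matches(addr: str, network: str, mask: str) -> bool:
    """True if addr is covered by network/mask.

    The mask may be non-contiguous (ETPM accepts this for ETEP PEPs): only the
    mask's set bits are compared, so 10.0.0.1 / 255.0.0.255 matches 10.x.x.1.
    """
    m = _to_int(mask)
    return (_to_int(addr) & m) == (_to_int(network) & m)


def supernet(net_a: str, mask_a: str, net_b: str, mask_b: str):
    """Return (network, mask) of the single network that exactly covers net_a and
    net_b, or None if they are not two equal-sized, adjacent, aligned blocks.
    Only contiguous masks can be summarised; ipaddress rejects any other mask."""
    try:
        a = ipaddress.ip_network(f"{net_a}/{mask_a}", strict=True)
        b = ipaddress.ip_network(f"{net_b}/{mask_b}", strict=True)
    except ValueError:
        return None
    if a.prefixlen != b.prefixlen or a == b:
        return None
    sup = a.supernet()  # one bit shorter than a's prefix
    if sup != b.supernet():
        return None  # not the two halves of the same parent block
    return str(sup.network_address), str(sup.netmask)


def sa_count(local_networks: int, remote_networks: int) -> int:
    """Assumed model: one SA (and key) per direction for each local/remote pair."""
    return local_networks * remote_networks


if __name__ == "__main__":
    # Constructed values taken from the guide's own examples.
    print(matches("10.5.7.1", "10.0.0.1", "255.0.0.255"))   # True
    print(supernet("192.168.2.0", "255.255.255.0",
                   "192.168.3.0", "255.255.255.0"))          # 192.168.2.0 / 255.255.254.0
    print(sa_count(2, 5), "->", sa_count(1, 5))              # 10 -> 5 after supernetting
```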