[nflug] Bridging two Subnets (Linux Router Project?)

Richard Hubbard hubbardr at adelphia.net
Wed Sep 19 09:09:09 EDT 2007


1. Broadcast traffic with DHCP is almost nothing, even if you set up 
leases to expire every hour
(if you work through the math, assume 4 packets every 1/2 hour [it's not 
that much] per PC, * 200 PCs, * 1k/packet.... One print job to a 
printer is the same number of packets as a year's worth of DHCP).
2. If you have a Windows network, because of the way NetBIOS operates, 
you have broadcast-happy PCs all over the place anyway.
3. Get some kind of server-based AV suite.  This will force virus scan 
software on every machine, and will scan everything coming to the server.
4. If you are truly worried about number 3, and don't want people to 
'plug in and get an address', limit access to DHCP by MAC.  With 
static addresses, someone can plug in, set up a static address, and use 
the network without your say-so. (Don't assume nobody knows how to set 
up a static address.  Security through obscurity is never a good idea.)  
By limiting the MAC addresses, you accomplish 2 things: first, it is a 
positive step for security, rather than hoping nobody finds out about 
your cunning plan. Second, you can still maintain control from a central 
workstation, rather than having to travel to 200 machines to institute a 
change.

However, you still need to split up your network.  200 machines is a 
little big for any one broadcast domain.  Basically, you should be able 
to plug a second network card into a server, allow IP forwarding 
between the two, and you now have your problem solved.  In Windows, it's 
pretty easy, and depending on your admin tools (I like Webmin... yes, I'm 
a wimp), it's not too hard in Linux.  There are also 'dedicated' 
solutions that combine this with firewalling and other solutions. Check 
out Smoothwall (.iso disk) or Shorewall (front end for iptables), which 
help make setting up multi-homed CPUs pretty easy.

justin.bennett at dynabrade.com wrote:
>
> Thanks for the replies. :)  No beer yet, but it's still early. :)
> Yeah The extra broadcasts I have thought about as well, especially 
> with 200 windows pcs. :)
>
> I do DHCP in our remote offices and we do limited DHCP but it's limited 
> to certain MAC addresses for some people who have laptops, we don't 
> use DHCP for the 200 desktops for the fact that we have remote 
> salesmen who routinely fly to Buffalo for training (they plug into 
> a lot of hotel connections) and I don't just want them to plug into the 
> network and get an address, unless we virus scan their PCs first, and 
> didn't feel like maintaining 200 host entries for the desktops.  
>
> I'll keep Vyatta in mind but I think any out of the box Linux 
> distribution is sufficient for this instance.
>
> Thanks!
>
> Justin
>
> *"Mark Musone" <mmusone at shatterit.com>*
> Sent by: nflug-bounces at nflug.org
> 09/14/2007 11:07 AM
> Please respond to nflug at nflug.org
> To: <nflug at nflug.org>
> Subject: RE: [nflug] Bridging two Subnets (Linux Router Project?)
>
> Oh..one more thing..I’m not a fan of option #1, less because of your 
> negatives, and mostly because of bandwidth, collisions, and broadcast 
> storms..I tend to like only having a max of 250 servers/network 
> because it creates a self-imposed line in the sand to ensure that my 
> bandwidth does not get saturated..
>  
> Mark
>  
>  
> *From:* nflug-bounces at nflug.org [mailto:nflug-bounces at nflug.org] *On Behalf Of* justin.bennett at dynabrade.com
> *Sent:* Friday, September 14, 2007 10:39 AM
> *To:* nflug at nflug.org
> *Subject:* [nflug] Bridging two Subnets (Linux Router Project?)
>  
>
> Hey Folks,
>
>        I have an increasing situation that I'm looking to be proactive 
> about. I have a class C internal network at our office here that, due 
> to growth, is running out of IPs; it's a 192.168.x.0/24 situation. 
> I've come up with two possible solutions, feel free to suggest others, 
> it doesn't have to be a free solution, just production quality.
>
> 1. Drop the subnet mask to 255.255.252.0 or less. This gives me more 
> IPs, and makes no physical changes to the network, but requires me to 
> reconfigure 250+ PCs, servers, VPNs, VPN routes on remote sites, etc. 
> This is not really desirable.  
>
> 2. Create a new 192.168.(x+1).0 subnet on a separate physical network 
> and bridge the two with a router.  All new network drops would get 
> plugged into this subnet.
>
>        The second solution is more appealing to me as it doesn't 
> require changing all the existing devices, except adding a route to a 
> firewall or two. The problem is I don't think I'm looking at a Cisco 
> router in this situation; I would want probably 2 GB interfaces, one 
> for the existing subnet and one for the new, and just have it route 
> between the two. I don't want any packet filtering, firewalling, etc. 
> Just simple static routing. I don't seem to find GB Ethernet in the 
> Cisco routers unless you buy something modular and add cards, then it 
> has way too many features I don't need and starts to get pricey. I 
> know I can do the same with a Linux box with 2 cheap GB cards, even 
> with an out of the box Red Hat dist.  There used to be a Linux Router 
> Project but it looks like it's no longer maintained.
>
>        Has anyone had a similar situation? How have you handled it? Is 
> there a better router / hardware device that I don't know of that does 
> what I want?
>
> Thanks
> Justin
>
>        
> _______________________________________________
> nflug mailing list
> nflug at nflug.org
> http://www.nflug.org/mailman/listinfo/nflug
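As an added example (not code from the thread or from any of the posters) of the setup the thread converges on, a Linux box with two NICs doing plain static routing between the existing /24 and a new one, plus a DHCP server on the new subnet that only hands out leases to listed MACs: the Python below checks that the two subnets do not overlap, emits the forwarding and address commands for the router, the one route the existing firewall needs, and an ISC dhcpd.conf with `deny unknown-clients` and per-host `hardware ethernet` entries. Interface names, addresses, hostnames and MAC addresses are constructed placeholders, not values from the list.

```python
"""Planner for splitting one /24 into two routed subnets on a Linux box.

All addresses, interface names, hostnames and MACs used here are
constructed placeholders for illustration.
"""
import ipaddress
import re

# Canonical lowercase colon-separated MAC; anything else is rejected.
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def plan_subnets(existing: str, new: str):
    """Return (old_net, new_net); refuse overlapping prefixes, which would
    make the router's connected routes ambiguous."""
    old_net = ipaddress.ip_network(existing, strict=True)
    new_net = ipaddress.ip_network(new, strict=True)
    if old_net.overlaps(new_net):
        raise ValueError(f"{existing} and {new} overlap")
    return old_net, new_net


def router_commands(old_if, old_addr, new_if, new_addr):
    """Shell commands that turn a two-NIC Linux host into a static router.

    old_addr/new_addr are the router's own addresses in CIDR form.  No
    packet filtering is configured: once forwarding is on and each NIC has
    an address, the kernel's connected routes carry traffic between them.
    """
    for addr in (old_addr, new_addr):
        ipaddress.ip_interface(addr)  # raises ValueError on malformed input
    return [
        "sysctl -w net.ipv4.ip_forward=1",
        f"ip addr add {old_addr} dev {old_if}",
        f"ip link set {old_if} up",
        f"ip addr add {new_addr} dev {new_if}",
        f"ip link set {new_if} up",
    ]


def firewall_route(new_net, router_old_ip):
    """The static route the existing subnet's firewall/gateway needs so
    replies to the new subnet go via the router's old-side address."""
    net = ipaddress.ip_network(new_net)
    ipaddress.ip_address(router_old_ip)
    return f"ip route add {net} via {router_old_ip}"


def dhcpd_conf(new_net, router_ip, pool_start, pool_end, known_hosts):
    """ISC dhcpd.conf for the new subnet that leases only to listed MACs.

    known_hosts maps hostname -> MAC.  `deny unknown-clients;` makes dhcpd
    ignore any client without a matching host declaration.
    """
    net = ipaddress.ip_network(new_net)
    for ip in (router_ip, pool_start, pool_end):
        if ipaddress.ip_address(ip) not in net:
            raise ValueError(f"{ip} is not inside {new_net}")
    lines = [
        f"subnet {net.network_address} netmask {net.netmask} {{",
        f"  range {pool_start} {pool_end};",
        f"  option routers {router_ip};",
        "  deny unknown-clients;   # only hosts declared below get a lease",
        "}",
    ]
    for name, mac in sorted(known_hosts.items()):
        mac = mac.lower()
        if not MAC_RE.match(mac):
            raise ValueError(f"bad MAC for {name}: {mac}")
        lines += [f"host {name} {{", f"  hardware ethernet {mac};", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed example: old LAN 192.168.1.0/24, new LAN 192.168.2.0/24.
    old_net, new_net = plan_subnets("192.168.1.0/24", "192.168.2.0/24")
    print("\n".join(router_commands("eth0", "192.168.1.254/24",
                                    "eth1", "192.168.2.1/24")))
    print(firewall_route(new_net, "192.168.1.254"))
    print(dhcpd_conf("192.168.2.0/24", "192.168.2.1",
                     "192.168.2.100", "192.168.2.200",
                     {"desk01": "00:11:22:33:44:55"}))
```

The router commands are meant to be reviewed and then run (as root) on the box with the two NICs; the dhcpd fragment goes on whichever host serves the new subnet, and every new desktop needs a `host` entry before it will get a lease.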