[nflug] Bridging two Subnets (Linux Router Project?)

justin.bennett at dynabrade.com justin.bennett at dynabrade.com
Wed Sep 19 09:29:10 EDT 2007


Thanks for the reply. I think I want to limit the subnet size anyway. I'm 
not concerned about the DHCP traffic; DHCP with static MAC addresses would 
be fine (I do some of this for laptops, print servers, etc.). The problem 
is more of a situation where * I * have to maintain the MAC address setup 
in our DHCP server for every new PC that gets deployed, and right now it's 
our help desk guy who just works off an XLS spreadsheet of available / 
allocated IPs. He wouldn't be able to change the DHCP config. One less 
thing I have to do if he can do it off a spreadsheet. 

I'm not concerned about Joe Hacker off the street plugging in and getting 
an IP; it's more of a situation where our external employees would plug in 
without our knowledge (we prefer to run a virus scan first, and get a 
general look at how the PCs are running). These are external sales guys who 
live all over the US so they aren't usually on our network, and plug into 
many hotels, Starbucks, etc. It's just a way of us knowing when they are 
here and to know before they plug in. And if they do pick an IP address I 
doubt they would guess the gateway and DNS settings, and if they did, we 
could always slap their hand being that they are our employees.

I think the dual-homed Linux box is the way to go.


Thanks
Justin
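As an added example (not code from the thread), here is one way to combine Justin's spreadsheet workflow with the MAC-limited DHCP Richard suggests below: a POSIX shell script that turns a CSV export of the help desk sheet into an ISC dhcpd.conf fragment using `deny unknown-clients`, so the desk edits the sheet and the DHCP server enforces it. The subnet numbers, MAC addresses and the choice of ISC dhcpd syntax are my assumptions, and the CSV rows are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: turn the help desk's spreadsheet
# (exported as CSV: hostname,mac,ip) into an ISC dhcpd.conf fragment in which
# only listed MACs get a lease. Subnets and MACs are constructed sample values.

# Constructed export; the last row is deliberately malformed to show the check.
HOSTS_CSV='sales-lt01,00:16:3e:aa:bb:01,192.168.10.50
printsrv,00:16:3e:aa:bb:02,192.168.10.51
newdesk-117,00:16:3e:aa:bb:03,192.168.11.20
badrow,not-a-mac,192.168.11.21'

# Accept only six colon-separated hex pairs (plain sh, no awk interval regexes).
valid_mac() {
    case "$1" in
        ??:??:??:??:??:??) ;;
        *) return 1 ;;
    esac
    case "$(printf '%s' "$1" | tr -d :)" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    return 0
}

# Print the two subnet scopes (existing and new, per the router plan) followed
# by one host reservation per valid row. "deny unknown-clients" means a MAC
# with no host block gets no lease at all; bad rows go to stderr and are skipped.
gen_dhcpd_conf() {
    for net in 192.168.10 192.168.11; do
        printf 'subnet %s.0 netmask 255.255.255.0 {\n' "$net"
        printf '  option routers %s.1;\n  deny unknown-clients;\n}\n' "$net"
    done
    printf '%s\n' "$1" | while IFS=, read -r name mac ip; do
        if ! valid_mac "$mac"; then
            printf 'skipping %s: bad MAC %s\n' "$name" "$mac" >&2
            continue
        fi
        printf 'host %s {\n  hardware ethernet %s;\n  fixed-address %s;\n}\n' \
            "$name" "$mac" "$ip"
    done
}

# Number of reservations actually emitted, for cross-checking against the sheet.
count_reservations() {
    gen_dhcpd_conf "$1" 2>/dev/null | grep -c '^host '
}
```

Run `gen_dhcpd_conf "$HOSTS_CSV" > /etc/dhcp/hosts.conf` (path is an assumption) and include it from dhcpd.conf; the skipped-row messages on stderr tell the desk which sheet rows to fix.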






Richard Hubbard <hubbardr at adelphia.net> 
Sent by: nflug-bounces at nflug.org
09/19/2007 09:09 AM
Please respond to nflug at nflug.org
To: nflug at nflug.org
cc:
Subject: Re: [nflug] Bridging two Subnets (Linux Router Project?)

1. Broadcast traffic with DHCP is almost nothing, even if you set up 
leases to expire every hour 
(if you work through the math, assume 4 packets every 1/2 hour [it's not 
that much] per PC, * 200 PCs, * 1k/packet.... One print job to a printer 
is the same number of packets as a year's worth of DHCP).
2. If you have a Windows network, because of the way NetBIOS operates, you 
have broadcast-happy PCs all over the place anyway.
3. Get some kind of server-based AV suite.  This will force virus scan 
software on every machine, and will scan everything coming to the server.
4. If you are truly worried about number 3, and don't want people to 'plug 
in and get an address', limit the access to the DHCP by MAC.  With static 
addresses, someone can plug in, set up a static address, and use the 
network without your say-so. (Don't assume nobody knows how to set up a 
static address.  Security through obscurity is never a good idea.)  By 
limiting the MAC addresses, you accomplish 2 things: first, it is a 
positive step for security, rather than hoping nobody finds out about your 
cunning plan. Second, you still can maintain control from a central 
workstation, rather than having to travel to 200 machines to institute a 
change.

However, you still need to split up your network.  200 machines is a 
little big for any one broadcast domain.  Basically, you should be able to 
plug a second network card into a server, allow IP forwarding between 
the two, and you now have your problem solved.  In Windows, it's pretty 
easy, and depending on your admin tools (I like Webmin... yes I'm a wimp), 
it's not too hard in Linux. There are also 'dedicated' solutions that 
combine this with firewalling and other solutions. Check out Smoothwall 
(.iso disk) or Shorewall (front end for iptables) which help make setting 
up multi-homed boxes pretty easy.

justin.bennett at dynabrade.com wrote: 

Thanks for the replies. :)  No beer yet, but it's still early. :)
Yeah, the extra broadcasts I have thought about as well, especially with 
200 Windows PCs. :) 

I do DHCP in our remote offices and we do limited DHCP, but it's limited to 
certain MAC addresses for some people who have laptops. We don't use DHCP 
for the 200 desktops for the fact that we have remote salesmen who 
routinely fly to Buffalo for training (they plug into a lot of hotel 
connections) and I don't just want them to plug into the network and get 
an address, unless we virus scan their PCs first, and didn't feel like 
maintaining 200 host entries for the desktops.   

I'll keep Vyatta in mind but I think any out of the box Linux distribution 
is sufficient for this instance. 

Thanks! 

Justin 




"Mark Musone" <mmusone at shatterit.com> 
Sent by: nflug-bounces at nflug.org 
09/14/2007 11:07 AM 
Please respond to nflug at nflug.org
To: <nflug at nflug.org> 
cc:
Subject: RE: [nflug] Bridging two Subnets (Linux Router Project?)


Oh.. one more thing.. I'm not a fan of option #1, less because of your 
negatives, and mostly because of bandwidth, collisions, and broadcast 
storms.. I tend to like only having a max of 250 servers/network because it 
creates a self-imposed line in the sand to ensure that my bandwidth does 
not get saturated.. 
  
Mark 
  
  
From: nflug-bounces at nflug.org [mailto:nflug-bounces at nflug.org] On Behalf 
Of justin.bennett at dynabrade.com
Sent: Friday, September 14, 2007 10:39 AM
To: nflug at nflug.org
Subject: [nflug] Bridging two Subnets (Linux Router Project?) 
  

Hey Folk, 

       I have an increasing situation that I'm looking to be proactive 
about. I have a class C internal network at our office here that, due to 
growth, is running out of IPs; it's a 192.168.x.0/24 situation. I've come 
up with two possible solutions, feel free to suggest others, it doesn't 
have to be a free solution, just production quality. 

1. Drop the subnet mask to 255.255.252.0 or less. This gives me more IPs, 
and makes no physical changes to the network, but requires me to 
reconfigure 250+ PCs, servers, VPNs, VPN routes on remote sites, etc. This 
is not really desirable.   

2. Create a new 192.168.(x+1).0 subnet on a separate physical network and 
bridge the two with a router.  All new network drops would get plugged 
into this subnet. 

       The second solution is more appealing to me as it doesn't require 
changing all the existing devices, except adding a route to a firewall or 
two. The problem is I don't think I'm looking at a Cisco router in this 
situation. I would probably want 2 GB interfaces, one for the existing 
subnet and one for the new, and just have it route between the two. I don't 
want any packet filtering, firewalling, etc. Just simple static routing. I 
don't seem to find GB Ethernet in the Cisco routers unless you buy 
something modular and add cards, then it has way too many features I don't 
need and starts to get pricey. I know I can do the same with a Linux box 
with 2 cheap GB cards, even with an out of the box Red Hat dist.  There 
used to be a Linux Router Project but it looks like it's no longer 
maintained. 

       Has anyone had a similar situation? How have you handled it? Is 
there a better router / hardware device that I don't know of that does 
what I want? 

Thanks 
Justin 

       
_______________________________________________
nflug mailing list
nflug at nflug.org
http://www.nflug.org/mailman/listinfo/nflug