Re: Noob basic network segmenting help

Tech Tip: Click here to run a free scan for Windows Errors and optimize PC performance

"£Jim" <nospam@xxxxxxxx> wrote in message
news:OvVivfBnJHA.504@xxxxxxxxxxxxxxxxxxxxxxx

Thanks. Floors is just a convenient way for me to identify hosts quickly
and allow for expansion, but I like the idea of a single L3 switch. Any
recommendation for a management priced box that could do it?

I know but you don't "want" the IP#s of the machines to actually "mean"
anything. That is a bad path to walk down. It is easy to create a
subnet,...but it is very difficult to "undo" it after you find it wasn't
such a good idea. I've been-there-done-that and after 6 years I have
never been able to undo it without more work than I am willing to get into.

So the DHCP is smart enough to hand out the right subnet addresses then,
that's good.

Yes it is. The real work is done by the router when it forwards the
queries.

Bit of a harsh comment on the documentation ;) We all have to learn
somewhere. I'm not averse to reading howstuffworks or dummies...

I wasn't being harsh,..I was being serious. I know of no documentation for
that, short of taking a general "networking class" in a local college. I
have never seen anykind of "how-to" for that because every situation is
different and if you read something that doesn't really apply to the
situation you will make a really big mess.

The best documentation you will find will be the Router's documentation,...
seriously,...what you are asking for is "created" by the router,...the rest
is just plugging the cables into the right switch ports.

There are some common mistakes though. So follow these principles below.
At the risk of sounding harsh :-),...I tend to be very adament about
these,...I am suggesting them for specific reasons,...and it takes a *lot*
for me to change and suggest something different (but sometimes it happens).

1. The LAN Router in a "hub & spoke" layout is the Default Gateway of
*everything* on the LAN except for the Firewall which uses the
Internet
Router as its Default Gateway.

2. The most important thing is the above #1 if you skimmed over that one
:-)
A lot of people want to blow that one off or argue with it.

3. The LAN Router then uses the Firewall for its Default Gateway

4. The firewall product needs two things after #1 thru #3:

A. All the IP Ranges of all the subnets on the LAN need to be added
to the Local Address Table (LAT). Your firewall may have other
names
for that, but it is the same idea. Some "home-user" toy firewalls
are not
capable of doing this because they are strictly designed for a
single-subnet
home network.

B. The firewall needs a Static Route that tells it to use the LAN
Router as
the "gateway" to get to anywhere else on the LAN. Some "home-user"
toy
firewalls are not capable of doing this because they are strictly
designed for
a single-subnet home network.

5. DNS. Well this is even more important than #1,...even though it is
#5. If you
have an Active Directory Domain (who doesn't?) then the AD/DNS
Servers
are the *only* ones that should ever appear in the network setting
of any
Host on the LAN. The ISP's DNS IP#s should never appear on any Host
anywhere,...ever,...not even the Firewall.

6. DNS part-2. Add the ISP's DNS to the Forwarders List within the
sonfig of
the DNS Service runnig on the AD/DNS Servers.

7. DNS part-3. Make sure that the Firewall allows the AD/DNS Server to
make outbound DNS Queries anonymously. Make sure that the Firewalll
allows it *only* for those machines and none others in order to
"weed-out"
machines that may have rogue DNS Settings. You can also limit the
Destination to the specific IP#s of the ISP's DNS.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


.

Relevant Pages

  • Re: SBS 2003 Premium, Multi-Homed, Problem with OMA
    ... Internal Nic and all workstations should be going to a switch with a non-routeable static IP, SBS should be doing internal DNS, DHCP, WINS, etc. ... LAN port in use on that router is the SBS 2003 Premium box. ...
    (microsoft.public.windows.server.sbs)
  • Re: loss of SOME connectivity
    ... I "think" it is DNS. ... Yes, I can ping the router, AND the ISP DNS. ... I cannot connect the inet cable directly to the server because the inet is ... MS firewall not started. ...
    (microsoft.public.windows.server.sbs)
  • Re: Microsoft websites are inaccessible
    ... I can not get well formed pages to load at msdn2.microsoft.com nor can I ... When did my firewall learn to discriminate? ... ProSafe VPN) but the Road Runner ISP requires dynamic DNS to be selected ... on the router. ...
    (comp.security.firewalls)
  • Re: [SLE] Firewall zones
    ... Looking at the firewall configuration in Yast, ... My network card is assigned its IP address by the router using DHCP. ... It connects to the LAN and to the router; the router in turn talks to the ... All the systems on the LAN are supposed to have the same firewall protection, ...
    (SuSE)
  • Re: How to stealth against ping/echo requests?
    ... I just started using the Online-Armor firewall. ... Some ports are even open. ... Are you behind a router? ... Every time it founds a new LAN, it asks if you want to trust it ...
    (comp.security.firewalls)