<br><font size=2 face="sans-serif">Thanks for the reply. I think I want
to limit the Subnet size anyway. I'm not concerned about the DHCP traffic,
DHCP with static MAC Addresses would be fine ( I do some of this for laptops,
print servers, ect.) the problem is more of a situation where * I * have
to maintan the MAC address setup in our DHCP server for every new PC that
gets deployed, and right now it's our help desk guy who just works off
on an XLS spreadsheet of avaliable / allocated IPs. He wouldn't be able
to change the DHCP config. One less thing I have to do if he can do it
off a spreadsheet. </font>
<br>
<br><font size=2 face="sans-serif">I'm not concerned about Joe Hacker off
the street plugging in and getting an IP, It's more of a situation where
our external employees would plugin without our knowledge (we prefer to
run a Virus Scan First, and get a general look at how the PCs running)
These are external sales guys who live all over the US so they aren't usually
on our network, and plug into many hotels, starbucks, ect. It's just a
way of us knowning when they are here and to know before they plugin. And
if they do pick an IP address I doubt they would guess the gateway and
DNS settings, and if they did, we could always slap their hand being that
they are our employees.</font>
<br>
<br><font size=2 face="sans-serif">I think the dual homed linux box is
the way to go.</font>
<br>
<br>
<br><font size=2 face="sans-serif">Thanks</font>
<br><font size=2 face="sans-serif">Justin</font>
<br>
<br><font size=2 face="sans-serif"><br>
</font><img src=cid:_1_05B519AC05B518640049EACC8525735B>
<br>
<br>
<br>
<table width=100%>
<tr valign=top>
<td width=40%><font size=1 face="sans-serif"><b>Richard Hubbard <hubbardr@adelphia.net></b>
</font>
<br><font size=1 face="sans-serif">Sent by: nflug-bounces@nflug.org</font>
<p><font size=1 face="sans-serif">09/19/2007 09:09 AM</font>
<table border>
<tr valign=top>
<td bgcolor=white>
<div align=center><font size=1 face="sans-serif">Please respond to<br>
nflug@nflug.org</font></div></table>
<br>
<td width=59%>
<table width=100%>
<tr valign=top>
<td>
<div align=right><font size=1 face="sans-serif">To</font></div>
<td><font size=1 face="sans-serif">nflug@nflug.org</font>
<tr valign=top>
<td>
<div align=right><font size=1 face="sans-serif">cc</font></div>
<td>
<tr valign=top>
<td>
<div align=right><font size=1 face="sans-serif">Subject</font></div>
<td><font size=1 face="sans-serif">Re: [nflug] Bridging two Subnets (Linux
Router Project?)</font></table>
<br>
<table>
<tr valign=top>
<td>
<td></table>
<br></table>
<br>
<br>
<br><font size=3>1. Broadcast traffic with DHCP is almost nothing, even
if you set up leases to expire every hour <br>
(if you work through the math, assume 4 packets every 1/2 hour[it's not
that much] per pc, * 200 pc's, * 1k/ packet....One print job to a printer
is the same number of packets as a years worth of DHCP)<br>
2. If you have a windows network, because of the way netbios operates,
you have broadcast happy pc's all over the place anyway.<br>
3. Get some kind of server based AV suite. This will force virus
scan software on every machine, and will scan everything coming to the
server.<br>
4. If you are truly worried about number 3, and don't want people to 'plug
in and get an address', limit the access to the dhcp by MAC. With
static addresses, someone can plug in, set up a static address, and use
the network without your say-so. (Don't assume nobody knows how to set
up a static address. Security through obscurity is never a good idea).
By limiting the MAC addresses, you accomplish 2 things: first, it is a
positive step for security, rather than hoping nobody finds out about your
cunning plan. Second, you still can maintain control from a central workstation,
rather than having to travel to 200 machines to institute a change.<br>
<br>
However, you still need to split up your network. 200 machines is
a little big for any one broadcast domain. Basically, you should
be able to plug in a second network card into a server, allow ip forwarding
between the two, and you now have your problem solved. In Windows,
it's pretty easy, and depending on your admin tools(I like Webmin...yes
I'm a wimp), it's not too hard in linux.. There are also 'dedicated'
solutions that combine this with firewalling and other solutions. Check
out Smoothwall (.iso disk) or Shorewall (front end for iptables) which
help make setting up multi homed cpu's pretty easy.<br>
</font><font size=3 color=blue><u><br>
</u></font><a href=mailto:justin.bennett@dynabrade.com><font size=3 color=blue><u>justin.bennett@dynabrade.com</u></font></a><font size=3>
wrote: </font>
<br><font size=2 face="sans-serif"><br>
Thanks for the replies. :) No beer yet, but it's still early. :)<br>
Yeah The extra broadcasts I have thought about as well, especially with
200 windows pcs. :) </font><font size=3><br>
</font><font size=2 face="sans-serif"><br>
I do DHCP in our remote offices and we do limited DHCP but it's limted
to certain MAC addresses for some people who have laptops, we don't use
DHCP for the 200 desktops for the fact that we have remote salesmen who
routinely fly to Buffalo for training (they plug into alot of hotel connections)
and I don't just want them to plug into the network and get an address,
unless we virusscan their PCs first, and didn't feel like maintinaing 200
host entries for the desktops. </font><font size=3> <br>
</font><font size=2 face="sans-serif"><br>
I'll keep vyatta in mind but I think any out of the box linux distribution
is sufficent for this instance.</font><font size=3> <br>
</font><font size=2 face="sans-serif"><br>
Thanks!</font><font size=3> <br>
</font><font size=2 face="sans-serif"><br>
Justin</font><font size=3> </font><font size=2 face="sans-serif"><br>
</font><font size=3><br>
</font><img src=cid:_1_09A68734091EEEA00049EACC8525735B><font size=3><br>
<br>
</font>
<table width=100%>
<tr valign=top>
<td width=44%><font size=1 face="sans-serif"><b>"Mark Musone"
</b></font><a href=mailto:mmusone@shatterit.com><font size=1 color=blue face="sans-serif"><b><u><mmusone@shatterit.com></u></b></font></a><font size=1 face="sans-serif">
<br>
Sent by: </font><a href="mailto:nflug-bounces@nflug.org"><font size=1 color=blue face="sans-serif"><u>nflug-bounces@nflug.org</u></font></a><font size=3>
</font>
<p><font size=1 face="sans-serif">09/14/2007 11:07 AM</font><font size=3>
</font>
<br>
<table border=4>
<tr valign=top>
<td bgcolor=white>
<div align=center><font size=1 face="sans-serif">Please respond to</font><font size=1 color=blue face="sans-serif"><u><br>
</u></font><a href=mailto:nflug@nflug.org><font size=1 color=blue face="sans-serif"><u>nflug@nflug.org</u></font></a></div></table>
<p>
<td width=55%>
<br>
<table width=100%>
<tr valign=top>
<td width=12%>
<div align=right><font size=1 face="sans-serif">To</font></div>
<td width=87%><a href=mailto:nflug@nflug.org><font size=1 color=blue face="sans-serif"><u><nflug@nflug.org></u></font></a><font size=3>
</font>
<tr valign=top>
<td>
<div align=right><font size=1 face="sans-serif">cc</font></div>
<td>
<tr valign=top>
<td>
<div align=right><font size=1 face="sans-serif">Subject</font></div>
<td><font size=1 face="sans-serif">RE: [nflug] Bridging two Subnets (Linux
Router Project?)</font></table>
<br>
<br>
<table>
<tr valign=top>
<td>
<td></table>
<br></table>
<br><font size=3><br>
<br>
</font><font size=2 color=#004080 face="sans-serif"><br>
Oh..one more thing..i’m not a fan of option #1, less because of your negatives,
and mostly because of bandwidth, collisions, and broadcast storms..I tend
to like only having a max of 250 servers/network because it creates a self-imposed
line in the sand to ensure that my bandwidth does not get saturated..</font><font size=3>
</font><font size=2 color=#004080 face="sans-serif"><br>
</font><font size=3> </font><font size=2 color=#004080 face="sans-serif"><br>
Mark</font><font size=3> </font><font size=2 color=#004080 face="sans-serif"><br>
</font><font size=3> </font><font size=2 color=#004080 face="sans-serif"><br>
</font><font size=3> </font><font size=2 face="Tahoma"><b><br>
From:</b> </font><a href="mailto:nflug-bounces@nflug.org"><font size=2 color=blue face="Tahoma"><u>nflug-bounces@nflug.org</u></font></a><font size=2 face="Tahoma">
[</font><a href="mailto:nflug-bounces@nflug.org"><font size=2 color=blue face="Tahoma"><u>mailto:nflug-bounces@nflug.org</u></font></a><font size=2 face="Tahoma">]
<b>On Behalf Of </b></font><a href=mailto:justin.bennett@dynabrade.com><font size=2 color=blue face="Tahoma"><u>justin.bennett@dynabrade.com</u></font></a><font size=2 face="Tahoma"><b><br>
Sent:</b> Friday, September 14, 2007 10:39 AM<b><br>
To:</b> </font><a href=mailto:nflug@nflug.org><font size=2 color=blue face="Tahoma"><u>nflug@nflug.org</u></font></a><font size=2 face="Tahoma"><b><br>
Subject:</b> [nflug] Bridging two Subnets (Linux Router Project?)</font><font size=3>
</font><font size=3 face="Times New Roman"><br>
</font><font size=3> </font><font size=2 face="Arial"><br>
<br>
Hey Folk,</font><font size=3 face="Times New Roman"> </font><font size=2 face="Arial"><br>
<br>
I have an increasing situation that I'm looking
to be proactive about. I have a class C internal network at our office
here, that due to growth is running out of IPs, it's a 192.168.x.0/24
situation. I've come up with two possible solutions, fell free to suggest
others, it doesn't have to be a free solution, just production quality.</font><font size=3 face="Times New Roman">
</font><font size=2 face="Arial"><br>
<br>
1. Drop the subnet mast to 255.255.252.0 or less, This gives me more IPs,
and makes no physical changes to the network, but requires me to reconfigure
250+ pcs, servers, VPNs, VPN routes on remote sites, ect. This is not really
desirable. </font><font size=3 face="Times New Roman"> </font><font size=2 face="Arial"><br>
<br>
2. Create a new 192.168.(x+1).0 subnet on a separate physical network and
bridge the two with a router. All new network drops would get plugged
into this subnet.</font><font size=3 face="Times New Roman"> </font><font size=2 face="Arial"><br>
<br>
The second solution is more appealing to me
as it doesn't require changing all the existing devices, except adding
a route to a firewall or two. The problem is I don't think I'm looking
at a Cisco router in this situation, I would want probably 2 GB interfaces
one for the existing subnet and one for the new and just have it route
between the two, I don't want any packet filtering, firewalling, ect. Just
simple static routing. I don't seem to find GB ethernet in the cisco routers
unless you buy something modular and add cards, then It has way too many
features l don't need and starts to get pricey. I know I can do the same
with a Linux box with 2 cheap GB cards, even with an out of the box Red
Hat dist. There used to be a Linux Router Project but looks like
it's no longer maintained. <br>
<br>
Is anyone had a similar situation? How have
you handled it. Is there a better router / hardware device that I don't
know of that does what I want?</font><font size=3 face="Times New Roman">
</font><font size=2 face="Arial"><br>
<br>
Thanks</font><font size=3 face="Times New Roman"> </font><font size=2 face="Arial"><br>
Justin</font><font size=3 face="Times New Roman"> </font><font size=2 face="Arial"><br>
<br>
</font><font size=3><br>
</font><img src=cid:_1_09A6FBEC09A68B3C0049EACC8525735B><tt><font size=2>_______________________________________________<br>
nflug mailing list</font></tt><tt><font size=2 color=blue><u><br>
</u></font></tt><a href=mailto:nflug@nflug.org><tt><font size=2 color=blue><u>nflug@nflug.org</u></font></tt></a><tt><font size=2 color=blue><u><br>
</u></font></tt><a href=http://www.nflug.org/mailman/listinfo/nflug><tt><font size=2 color=blue><u>http://www.nflug.org/mailman/listinfo/nflug</u></font></tt></a><font size=3><br>
</font>
<br><tt><font size=3><br>
</font></tt>
<hr><tt><font size=3><br>
_______________________________________________<br>
nflug mailing list<br>
</font></tt><a href=mailto:nflug@nflug.org><tt><font size=3 color=blue><u>nflug@nflug.org</u></font></tt></a><tt><font size=3><br>
</font></tt><a href=http://www.nflug.org/mailman/listinfo/nflug><tt><font size=3 color=blue><u>http://www.nflug.org/mailman/listinfo/nflug</u></font></tt></a><tt><font size=3><br>
</font></tt><tt><font size=2>_______________________________________________<br>
nflug mailing list<br>
nflug@nflug.org<br>
http://www.nflug.org/mailman/listinfo/nflug<br>
</font></tt>
<br>