<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=UTF-8" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
1. Broadcast traffic with DHCP is almost nothing, even if you set up
leases to expire every hour <br>
(if you work through the math, assume 4 packets every 1/2 hour[it's not
that much] per pc, * 200 pc's, * 1k/ packet....One print job to a
printer is the same number of packets as a years worth of DHCP)<br>
2. If you have a windows network, because of the way netbios operates,
you have broadcast happy pc's all over the place anyway.<br>
3. Get some kind of server based AV suite. This will force virus scan
software on every machine, and will scan everything coming to the
server.<br>
4. If you are truly worried about number 3, and don't want people to
'plug in and get an address', limit the access to the dhcp by MAC.
With static addresses, someone can plug in, set up a static address,
and use the network without your say-so. (Don't assume nobody knows how
to set up a static address. Security through obscurity is never a good
idea). By limiting the MAC addresses, you accomplish 2 things: first,
it is a positive step for security, rather than hoping nobody finds out
about your cunning plan. Second, you still can maintain control from a
central workstation, rather than having to travel to 200 machines to
institute a change.<br>
<br>
However, you still need to split up your network. 200 machines is a
little big for any one broadcast domain. Basically, you should be able
to plug in a second network card into a server, allow ip forwarding
between the two, and you now have your problem solved. In Windows,
it's pretty easy, and depending on your admin tools(I like Webmin...yes
I'm a wimp), it's not too hard in linux.. There are also 'dedicated'
solutions that combine this with firewalling and other solutions. Check
out Smoothwall (.iso disk) or Shorewall (front end for iptables) which
help make setting up multi homed cpu's pretty easy.<br>
<br>
<a class="moz-txt-link-abbreviated" href="mailto:justin.bennett@dynabrade.com">justin.bennett@dynabrade.com</a> wrote:
<blockquote
cite="mid:OF4D7479BF.5A5A4ACA-ON85257356.00533023-85257356.00542092@lynx.dynabrade.com"
type="cite"><br>
<font face="sans-serif" size="2">Thanks for the replies. :) No
beer yet, but it's still early. :)</font><br>
<font face="sans-serif" size="2">Yeah The extra broadcasts I have
thought
about as well, especially with 200 windows pcs. :) </font>
<br>
<br>
<font face="sans-serif" size="2">I do DHCP in our remote offices and
we do limited DHCP but it's limted to certain MAC addresses for some
people
who have laptops, we don't use DHCP for the 200 desktops for the fact
that
we have remote salesmen who routinely fly to Buffalo for training (they
plug into alot of hotel connections) and I don't just want them to plug
into the network and get an address, unless we virusscan their PCs
first,
and didn't feel like maintinaing 200 host entries for the desktops. </font>
<br>
<br>
<font face="sans-serif" size="2">I'll keep vyatta in mind but I think
any out of the box linux distribution is sufficent for this instance.</font>
<br>
<br>
<font face="sans-serif" size="2">Thanks!</font>
<br>
<br>
<font face="sans-serif" size="2">Justin</font>
<br>
<font face="sans-serif" size="2"><br>
</font><img src="cid:part1.03010209.01030002@adelphia.net">
<br>
<br>
<br>
<table width="100%">
<tbody>
<tr valign="top">
<td width="40%"><font face="sans-serif" size="1"><b>"Mark
Musone"
<a class="moz-txt-link-rfc2396E" href="mailto:mmusone@shatterit.com"><mmusone@shatterit.com></a></b> </font>
<br>
<font face="sans-serif" size="1">Sent by:
<a class="moz-txt-link-abbreviated" href="mailto:nflug-bounces@nflug.org">nflug-bounces@nflug.org</a></font>
<p><font face="sans-serif" size="1">09/14/2007 11:07 AM</font>
<table border="1">
<tbody>
<tr valign="top">
<td bgcolor="white">
<div align="center"><font face="sans-serif" size="1">Please
respond to<br>
<a class="moz-txt-link-abbreviated" href="mailto:nflug@nflug.org">nflug@nflug.org</a></font></div>
</td>
</tr>
</tbody>
</table>
<br>
</p>
</td>
<td width="59%">
<table width="100%">
<tbody>
<tr valign="top">
<td>
<div align="right"><font face="sans-serif" size="1">To</font></div>
</td>
<td><font face="sans-serif" size="1"><a class="moz-txt-link-rfc2396E" href="mailto:nflug@nflug.org"><nflug@nflug.org></a></font>
</td>
</tr>
<tr valign="top">
<td>
<div align="right"><font face="sans-serif" size="1">cc</font></div>
</td>
<td><br>
</td>
</tr>
<tr valign="top">
<td>
<div align="right"><font face="sans-serif" size="1">Subject</font></div>
</td>
<td><font face="sans-serif" size="1">RE: [nflug] Bridging
two Subnets (Linux
Router Project?)</font></td>
</tr>
</tbody>
</table>
<br>
<table>
<tbody>
<tr valign="top">
<td>
<br>
</td>
<td><br>
</td>
</tr>
</tbody>
</table>
<br>
</td>
</tr>
</tbody>
</table>
<br>
<br>
<br>
<font color="#004080" face="sans-serif" size="2">Oh..one more
thing..i’m
not a fan of option #1, less because of your negatives, and mostly
because
of bandwidth, collisions, and broadcast storms..I tend to like only
having
a max of 250 servers/network because it creates a self-imposed line in
the sand to ensure that my bandwidth does not get saturated..</font>
<br>
<font color="#004080" face="sans-serif" size="2"> </font>
<br>
<font color="#004080" face="sans-serif" size="2">Mark</font>
<br>
<font color="#004080" face="sans-serif" size="2"> </font>
<br>
<font color="#004080" face="sans-serif" size="2"> </font>
<br>
<font face="Tahoma" size="2"><b>From:</b> <a class="moz-txt-link-abbreviated" href="mailto:nflug-bounces@nflug.org">nflug-bounces@nflug.org</a>
[<a class="moz-txt-link-freetext" href="mailto:nflug-bounces@nflug.org">mailto:nflug-bounces@nflug.org</a>]
<b>On Behalf Of </b><a class="moz-txt-link-abbreviated" href="mailto:justin.bennett@dynabrade.com">justin.bennett@dynabrade.com</a><b><br>
Sent:</b> Friday, September 14, 2007 10:39 AM<b><br>
To:</b> <a class="moz-txt-link-abbreviated" href="mailto:nflug@nflug.org">nflug@nflug.org</a><b><br>
Subject:</b> [nflug] Bridging two Subnets (Linux Router Project?)</font>
<br>
<font face="Times New Roman" size="3"> </font>
<br>
<font face="Arial" size="2"><br>
Hey Folk,</font><font face="Times New Roman" size="3"> <br>
</font><font face="Arial" size="2"><br>
I have an increasing situation that I'm looking
to be proactive about. I have a class C internal network at our office
here, that due to growth is running out of IPs, it's a 192.168.x.0/24
situation. I've come up with two possible solutions, fell free to
suggest
others, it doesn't have to be a free solution, just production quality.</font><font
face="Times New Roman" size="3">
<br>
</font><font face="Arial" size="2"><br>
1. Drop the subnet mast to 255.255.252.0 or less, This gives me more
IPs,
and makes no physical changes to the network, but requires me to
reconfigure
250+ pcs, servers, VPNs, VPN routes on remote sites, ect. This is not
really
desirable. </font><font face="Times New Roman" size="3"> <br>
</font><font face="Arial" size="2"><br>
2. Create a new 192.168.(x+1).0 subnet on a separate physical network
and
bridge the two with a router. All new network drops would get plugged
into this subnet.</font><font face="Times New Roman" size="3"> <br>
</font><font face="Arial" size="2"><br>
The second solution is more appealing to me
as it doesn't require changing all the existing devices, except adding
a route to a firewall or two. The problem is I don't think I'm looking
at a Cisco router in this situation, I would want probably 2 GB
interfaces
one for the existing subnet and one for the new and just have it route
between the two, I don't want any packet filtering, firewalling, ect.
Just
simple static routing. I don't seem to find GB ethernet in the cisco
routers
unless you buy something modular and add cards, then It has way too
many
features l don't need and starts to get pricey. I know I can do the
same
with a Linux box with 2 cheap GB cards, even with an out of the box Red
Hat dist. There used to be a Linux Router Project but looks like
it's no longer maintained. </font><font face="Times New Roman" size="3"><br>
</font><font face="Arial" size="2"><br>
Is anyone had a similar situation? How have
you handled it. Is there a better router / hardware device that I don't
know of that does what I want?</font><font face="Times New Roman"
size="3">
<br>
</font><font face="Arial" size="2"><br>
Thanks</font><font face="Times New Roman" size="3"> </font><font
face="Arial" size="2"><br>
Justin</font><font face="Times New Roman" size="3"> <br>
</font><font face="Arial" size="2"><br>
</font><font face="Times New Roman" size="3"><br>
</font><img src="cid:part2.05090000.01030706@adelphia.net"><tt><font
size="2">_______________________________________________<br>
nflug mailing list<br>
<a class="moz-txt-link-abbreviated" href="mailto:nflug@nflug.org">nflug@nflug.org</a><br>
<a class="moz-txt-link-freetext" href="http://www.nflug.org/mailman/listinfo/nflug">http://www.nflug.org/mailman/listinfo/nflug</a><br>
</font></tt>
<br>
<pre wrap="">
<hr size="4" width="90%">
_______________________________________________
nflug mailing list
<a class="moz-txt-link-abbreviated" href="mailto:nflug@nflug.org">nflug@nflug.org</a>
<a class="moz-txt-link-freetext" href="http://www.nflug.org/mailman/listinfo/nflug">http://www.nflug.org/mailman/listinfo/nflug</a>
</pre>
</blockquote>
</body>
</html>