
TomS_ (Premium, MVM; join: 2002-07-19; Australia)
Reply to kracksmith, Re: running out of IP addresses
Security, yes, depending on certain circumstances.
Faster, yes - to an extent.
Consider this scenario (sorry about the big post):
You break your LAN up into 3 logical groups:
* Administration and accounts
* Tech support and system/network admins
* Managers/board members etc.
Admin and accounts may have certain applications on their PCs such as banking, Excel spreadsheets with financial information etc.
Tech support and sys/net admins will have their various tools.
Managers etc will have other documents like future company plans, legal documents etc.
Generally you would want to keep this type of information within its respective groups.
Tech support guys don't need to know the financial status of the company, and probably don't need to know anything about the company's legal dealings.
Generally if a manager or board member wants financial information they don't go digging through someone's computer, they will go and ask them for it.
By breaking the LAN up into these groups you increase security in that respect.
There's also the fact that if some poor support guy opens an email from a customer which happens to contain a virus which spreads via the network, only the support PCs are going to be infected. If this virus happens to spread itself by mailing itself to everyone in your address book, I'm sure the boss's business contacts wouldn't be too pleased about getting viruses and spreading them on to their contacts.
In regards to speed, let's say this virus goes wacko and decides to hammer every computer trying to propagate itself and spread through email. Only the support network (or one of the others if it happens to be the one infected) will suffer, leaving the admin and accounts people to collect money and ensure bills are paid, and most certainly keep the boss happy.
So while the support network has been infected you only have one group of computers to look after. And in the meantime you can patch the other computers to ensure they don't suffer the same problems.
Depending on the structure of your company you might have more or less logical groups.
Of course, all of this means you either need separate physical switches to break them up, or you need switches which support VLANs. In any case you will need a router so that each network *CAN* get to the others. I say *CAN* because you can still access the others via their IP addresses; however, if you implement some access-lists on the router you can restrict what types of traffic can get through to each LAN.
Servers would need a couple of network cards, depending on how many LANs they need to be accessible from.
You could always opt for a DHCP solution to assign IPs; that way when you need to expand you can increase the size of the pool rather than reconfiguring each computer manually.
That's some food for thought. It's not to say you HAVE to do it; it would be a big configuration task, but if you get in early and configure these things before you skyrocket it will make your life easier in the future, or you can quit and leave someone else to do it.

kracksmith (join: 2004-07-14; Fullerton, CA)
OK, you are hired!
I'm going to go through what you said and explain it to my boss to see if she'll buy it.
Right now we have 1 large LAN for production and 1 LAN for Accounting. They don't want to have it on one network for now, unless I can explain what you explained to me.
But within our production LAN we have many departments, instead of having different logical groups of subnet masks like you mention, which is a security measure to avoid different departments accessing other departments' files. But that is what NTFS permissions are for, right?
Within the following weeks to come, I'm planning to implement 255.255.0.0 for our production LAN so we can overcome the max of 254 IP numbers.
Since our production LAN is all hooked up by daisy-chain style switches, I should add a router between 2 switches and control the access with ACLs for security (like you mentioned). With this router in place it will be more secure, but will this setup be faster or slower? With this all being switches, broadcasting is everywhere, but with a router in place information going from 1 segment to another will need to go through another layer, layer 3, instead of just staying at layer 2.
Lastly, if I implement 255.255.0.0 for everyone in our production LAN, technically I don't need a router, right?
So the network only looks at the first 2 octets but doesn't care about the last 2 octets, which can be anything, right?

TomS_ (Premium, MVM; join: 2002-07-19; Australia)
Inter-VLAN performance will depend on the router you have stuck in the middle of them.
If it's just a basic Cisco 2611 you won't get a lot of performance, but if you, say, stick a 7301 (expensive!) in there with gigabit to each LAN you will get a lot better performance.
As the old rule goes, you should aim to keep 80% of each user's traffic local. Therefore the only traffic that should need to leave each LAN would be internet traffic, and anything else that isn't local to the LAN (for example, a network admin might initiate a Remote Desktop session to one of the accounts computers to fix something up).
I've drawn up a quick diagram to show you exactly what I've been talking about. Each of the 3 LANs is a logical group, say for example the 3 I mentioned earlier.
»www.snnap.net/bbr/lans.png
Hope that helps.

sporkme (Premium, MVM; join: 2000-07-01; Morristown, NJ)
Reply to kracksmith

said by kracksmith: "Lastly, if I implement 255.255.0.0 for everyone in our production LAN, technically I don't need a router, right?"

Remember that there is a middle ground between a /24 (255 addresses) and a /16 (65536 addresses). Have you considered a /23 (255.255.254.0) or /22 (255.255.252.0)?
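A small subnet-sizing helper, added here as an example (not code from the thread or its posters), covering the /24, /23, /22 and /16 masks discussed above and kracksmith's question of whether two hosts under 255.255.0.0 still need a router between them; the host addresses are constructed samples.

```python
"""Answer two questions from the thread: how many host addresses each
mask gives, and whether two hosts share a subnet under a given mask
(so they talk at layer 2) or must cross a router (layer 3, where ACLs
can be applied).  Added example; sample addresses are constructed."""
import ipaddress

# Masks named in the thread, dotted-decimal form.
MASKS = ("255.255.255.0", "255.255.254.0", "255.255.252.0", "255.255.0.0")


def usable_hosts(netmask: str) -> int:
    """Host addresses under a mask: total minus network and broadcast."""
    prefix = ipaddress.ip_network(f"0.0.0.0/{netmask}").prefixlen
    return 2 ** (32 - prefix) - 2


def same_subnet(host_a: str, host_b: str, netmask: str) -> bool:
    """True when the network parts match under this mask: the hosts reach
    each other directly and no router (or router ACL) sits between them."""
    net_a = ipaddress.ip_interface(f"{host_a}/{netmask}").network
    net_b = ipaddress.ip_interface(f"{host_b}/{netmask}").network
    return net_a == net_b


def needs_router(host_a: str, host_b: str, netmask: str) -> bool:
    """Inverse view: traffic must take a layer-3 hop, which is also the
    only place an access-list can restrict it."""
    return not same_subnet(host_a, host_b, netmask)


if __name__ == "__main__":
    for mask in MASKS:
        print(f"{mask:15s} usable hosts: {usable_hosts(mask)}")
    # Two production hosts that sit in different /24s (constructed).
    a, b = "192.168.1.10", "192.168.2.10"
    for mask in ("255.255.255.0", "255.255.0.0"):
        verdict = "same subnet" if same_subnet(a, b, mask) else "router needed"
        print(f"{a} <-> {b} with {mask}: {verdict}")
```

Widening everyone to 255.255.0.0 removes the router hop between departments, and with it the one place an ACL could separate them, which is the trade-off the replies above describe.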