[Tfug] Network partitioning
vaca at grazeland.com
Sat Nov 2 02:33:03 MST 2013
Potato, po-tah-to here. Your "domains and router" are in actuality my "VLANs with routing between them." The "pre-configured" ports A,B, etc are really pre-built "ACLs."
I tend to think of just doing it all on one device and letting the configuration drive everything, versus your approach, which would be more old-school. Instead of VLANs, you have true separate LANs. This requires more hardware and isn't as scalable or flexible.
Either way you can preconfigure everything and make it either simple or complex at your own discretion. This is also a pretty "standard" or "normal" way of accomplishing your goals, so you would have a lot of choices and folks that can help you.
Hope this helps clarify.
Tyler
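As an added illustration of the point above (this is editor-supplied example code, not something posted in the thread), here is the "switch A/B/C/D" policy from the quoted message written down as a segment matrix and rendered as a stateful nftables forward chain. Whether the four segments are four physical router ports or four VLAN sub-interfaces on one box, the policy is the same table; only the interface names change. The interface names (eth_a ... eth_d), the subnets, and the choice of nftables are assumptions; the thread names no product. Note the one thing the prose glosses over: "A can talk to C" has a direction. A initiates, C's replies ride on connection tracking, and C never opens connections into A unless you add that row. B -> C is deliberately absent so nothing on the shared-resource switch is reachable from the Internet side.

```python
"""Four-segment isolation policy modelled as a matrix and rendered to nftables.

Added example, not code from the mailing-list thread.  Interface names,
subnets and the use of nftables are assumptions for illustration.
"""
from __future__ import annotations

# Assumed router port -> (interface, subnet).  B is the Internet / public side.
SEGMENTS = {
    "A": ("eth_a", "10.0.1.0/24"),      # internal machines
    "B": ("eth_b", "203.0.113.0/24"),   # internet link, public servers (doc range)
    "C": ("eth_c", "10.0.3.0/24"),      # shared resources: printers, file server
    "D": ("eth_d", "10.0.4.0/24"),      # the "don't really need to talk" group
}

# Which segment may INITIATE connections into which other segment.
# Replies come back via conntrack, so C never needs a row of its own to
# answer A or D.  B has no rows: nothing on the Internet side may open a
# connection inward, which is what keeps the printer off the Internet.
POLICY: dict[str, set[str]] = {
    "A": {"B", "C"},
    "D": {"B", "C"},
    "B": set(),
    "C": set(),
}

# The requirements from the quoted message, written down so a future
# change to POLICY can be checked against them rather than remembered.
REQUIREMENTS = [
    ("A", "C", True),   ("D", "C", True),
    ("A", "B", True),   ("D", "B", True),
    ("A", "D", False),  ("D", "A", False),   # A and D stay isolated
    ("B", "C", False),  ("B", "A", False), ("B", "D", False),
    ("C", "A", False),  ("C", "D", False),   # shared box cannot reach into clients
]


def allowed(src: str, dst: str) -> bool:
    """True if hosts on segment src may open new connections to segment dst."""
    if src == dst:
        # Same switch: traffic never crosses the router, so the router
        # cannot veto it.  Isolating hosts *within* D needs something else
        # (e.g. a switch feature such as port isolation), not a router rule.
        return True
    return dst in POLICY[src]


def violations() -> list[str]:
    """Requirements that the current POLICY does not satisfy (empty = good)."""
    return [
        f"{s}->{d} should be {'allowed' if want else 'denied'}"
        for s, d, want in REQUIREMENTS
        if allowed(s, d) != want
    ]


def to_nft() -> str:
    """Render POLICY as an nftables forward chain with a default drop."""
    lines = [
        "table inet segments {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for src in sorted(POLICY):
        for dst in sorted(POLICY[src]):
            iif, oif = SEGMENTS[src][0], SEGMENTS[dst][0]
            lines.append(
                f'    iifname "{iif}" oifname "{oif}" ct state new accept'
            )
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    bad = violations()
    if bad:
        raise SystemExit("policy does not meet requirements: " + "; ".join(bad))
    print(to_nft())
```

Run it and the printed ruleset can be loaded with `nft -f` on the router; running it after editing POLICY tells you immediately if a convenience change (say, letting C reach A) broke one of the stated isolation goals. The same table drives a VLAN-based build: swap the interface names for `eth0.10`, `eth0.20` and so on and the chain is otherwise unchanged.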
On Nov 2, 2013, at 12:01 AM, Bexley Hall <bexley401 at yahoo.com> wrote:
> On 11/1/2013 11:01 PM, vaca at grazeland.com wrote:
>
> [top post fixed]
>
>> On Nov 1, 2013, at 9:25 PM, Bexley Hall <bexley401 at yahoo.com> wrote:
>>
>>> I'm looking for quick and dirty way to partition a network
>>> to isolate subnets from each other (to varying degrees).
>>>
>>> In essence:
>>> - a group of "internal" machines that need to be able to
>>> talk together
>>> - a group of "shared resources"*
>>> - another group of machines that don't really need to talk
>>> to each other (though if they did, the world wouldn't end)
>>>
>>> The shared resources are things like internet connection,
>>> printers, file servers, etc. I.e., everyone probably wants to
>>> be able to access these (*though a printer shouldn't be
>>> accessible from the internet connection so I guess you'd
>>> really want to split into yet another group).
>>>
>>> What's the simplest "no maintenance" way of doing this?
>>> Ideally, via a turnkey appliance (instead of a "real system"
>>> added for this role)
>>
>> VLANs and ACLs would be a simple means of doing this.
>
> I think that requires too much maintenance down the road.
> I.e., if a switch is replaced, another printer added, etc.
>
> I was thinking more along the router approach:
> - partition the network into the 3 or 4 domains
> - write *simple* rules for 4 port router (A can talk to B, etc.)
> - hang generic switches on the 4 ports
>
> Then, all you have to remember is:
> - anything plugged into switch A can talk to anything in switch C
> (along with everything else in switch A)
> - anything in switch D can talk to anything in switch C (C=common?)
> (along with everything else in switch D)
> - anything in A or D can talk to switch B
> (B being the internet connection, etc.)
>
> A "spare" identical router sitting on a shelf preconfigured is your
> sole "critical component" (if a switch dies, just replace it with
> another generic switch!)
>
> If the number of devices on A, C or D increases beyond current
> capacity, just cascade switches (or buy a larger one). If you
> want to have a publicly accessible *server* (i.e., that can
> be accessed from The Internet), hang it on switch B.
>
> This *should* be a simple, low cost solution because there isn't
> really much traffic *through* the router (A and D don't talk to each
> other; B is inherently bandwidth limited by the WLAN connection;
> anything shared on C would tend to be sporadic use (printers,
> file server, etc.))
>
> It just seems like the VLAN route means you're always worrying about
> reconfiguring appliances/switches when things change/grow. (?)
>
> _______________________________________________
> Tucson Free Unix Group - tfug at tfug.org
> Subscription Options:
> http://www.tfug.org/mailman/listinfo/tfug_tfug.org