Network Architecture thoughts

ddrueding

Fixture
Joined
Feb 4, 2002
Messages
19,728
Location
Horsens, Denmark
One of my clients has 10 offices, all connected via point-to-point VPN. Each office has been given a class C (192.168.0.xxx, 192.168.1.xxx, etc.).

The main office is outgrowing its class C; 50 servers, 40 network printers, and 125+ users. I'd like to get the servers and other static-IP stuff (printers, copiers, etc.) on their own class C.

Currently every office has a subnet mask of 255.255.255.0, with the default gateway set as the smoothwall that connects the VPNs. "Route add" commands link the sites to resources at other sites. I don't want to have persistent route commands for every workstation in the main office.

What are people's thoughts if I change the subnet mask to 255.255.0.0? Will routing occur automatically? I'm heading down there on Monday, and will likely be making changes then. I could build a test environment including multiple subnets and routers, but if anyone here knows the answer, that would be easier ;)
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
22,269
Location
I am omnipresent
I know that your setup would talk if it were with a bunch of stuff on interconnected LANs and with entirely static routes. I'm less sure how well it would work over wide area links and I am thinking there is probably a good performance-related reason to not do things that way.
 

Mercutio

Also, technically, 192.168.x.y is supposed to be a /16 and not a /24, so using it as a class B sized network is certainly valid.
 

ddrueding

Yup. I have T-1s to all the sites, and none of them have more than 20 users (most around 7-10), so some performance loss would be acceptable. All servers are at the main office, but some of the workstations also host resources that other users might need to access.
 

Fushigi

Storage Is My Life
Joined
Jan 23, 2002
Messages
2,890
Location
Illinois, USA
I'd be in favor of moving the servers to their own subnet. If any of these are Internet-facing they should really be put in a DMZ.

Since their office is growing you could even do the same with the printers/copiers. Or buy bigger printer/copiers and have more people share them, reducing the overall # of units and freeing up their addresses.

How are the servers backed up if I might ask?
 

ddrueding

I've laid down the law on a few things.

> I'd be in favor of moving the servers to their own subnet. If any of these are Internet-facing they should really be put in a DMZ.

None. Everything is internal-only. If they want to have external access (e-mail, for example), I'll find a hosted service that I trust and let them worry about it.

> Since their office is growing you could even do the same with the printers/copiers. Or buy bigger printer/copiers and have more people share them, reducing the overall # of units and freeing up their addresses.

I think having all the servers and printers on the same subnet is fine, everyone has access to at least a half-dozen printers of the people around them (redundancy) and most people have a networked laser printer in their office (luxury).

> How are the servers backed up if I might ask?

Still being implemented (~50% done). TrueImage Server to some local multi-terabyte NASes every night, with those replicating across a dedicated fiber link to another facility ~1 mile away. Nightly backups kept for a week, weekly backups kept for a month, monthly backups kept for a year, yearly backups kept forever.

Of course both server rooms (primary and backup) have refrigerator-sized UPSes and school bus-sized generators with large fuel tanks. I'm in the process of researching clustering the critical servers across the fiber link (I had 10 strands buried when we ran the conduit).
 

blakerwry

Storage? I am Storage!
Joined
Oct 12, 2002
Messages
4,203
Location
Kansas City, USA
Website
justblake.com
dd, if you are using the IPs in the example and you change the subnet mask on all devices to 255.255.0.0, then no routing should occur. Because all devices would then believe that they are in the same subnet as every other device and would try to communicate directly instead of going through a router/gateway.

What I would suggest doing, is either expanding the class C to a /23 (will take some knowledge of subnetting or a subnet calculator to ensure you don't overlap subnets)

Or add another interface to your firewall and put your servers/printers on that interface using a dedicated class C ip block.


The benefit of the former being that you don't need to worry about physical network connections - it's all one big switched network. Basically an extension of what you have now.

The latter can give you the benefit of greater access control/restrictions (ie, dmz or different firewall rules), however to enforce these rules the additional interface with servers would either need to attach to a different switch/vlan from your workstations. Which brings up the additional complication of what Ethernet ports in the wall are wired to which switch/VLAN.

-B
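
The on-link decision described in the post above, together with the overlap check it recommends before widening to a /23, as an added example (not code from the thread). The office numbering, the main office being 192.168.0.0/24, and the gateway address 192.168.0.1 are assumptions.

```python
import ipaddress

# Constructed addressing plan: ten offices on 192.168.0.0/24 .. 192.168.9.0/24,
# with the main office assumed to be "office0" (192.168.0.0/24).
OFFICES = {f"office{i}": ipaddress.ip_network(f"192.168.{i}.0/24") for i in range(10)}
GATEWAY = "192.168.0.1"  # assumed LAN address of the firewall/VPN box


def next_hop(host_ip, netmask, dest_ip, gateway=GATEWAY):
    """Return how a host with this address and mask will try to reach dest_ip."""
    iface = ipaddress.ip_interface(f"{host_ip}/{netmask}")
    if ipaddress.ip_address(dest_ip) in iface.network:
        # Destination looks on-link: the host ARPs for it and never uses the gateway.
        return "direct (ARP on local segment)"
    return f"via gateway {gateway}"


def overlaps(candidate, plan, owner):
    """List the other sites whose subnet collides with a proposed network."""
    cand = ipaddress.ip_network(candidate)
    return sorted(name for name, net in plan.items()
                  if name != owner and net.overlaps(cand))


def first_free_block(plan, pool="192.168.0.0/16", prefix=24):
    """First correctly aligned block of the given size that no site already uses."""
    for cand in ipaddress.ip_network(pool).subnets(new_prefix=prefix):
        if not any(cand.overlaps(net) for net in plan.values()):
            return cand
    return None


if __name__ == "__main__":
    # A main-office workstation reaching a host at the office on 192.168.3.0/24.
    for mask in ("255.255.255.0", "255.255.0.0"):
        print(mask, "->", next_hop("192.168.0.10", mask, "192.168.3.20"))
    # Widening the main office in place to a /23 swallows a neighbouring office.
    print("192.168.0.0/23 collides with:", overlaps("192.168.0.0/23", OFFICES, "office0"))
    # Blocks that are free for a server /24 or for a relocated /23.
    print("free /24:", first_free_block(OFFICES))
    print("free /23:", first_free_block(OFFICES, prefix=23))
```
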
 

ddrueding

> ...Or add another interface to your firewall and put your servers/printers on that interface using a dedicated class C ip block.
>
> ...
>
> The latter can give you the benefit of greater access control/restrictions (ie, dmz or different firewall rules), however to enforce these rules the additional interface with servers would either need to attach to a different switch/vlan from your workstations. Which brings up the additional complication of what Ethernet ports in the wall are wired to which switch/VLAN.

I like this idea. The firewall in question is the beast mentioned in the "Something Random" thread, and could easily handle another GbE port and the involved routing. All the servers are on a dedicated bank of managed switches anyway, so additional hardware is a non-issue.

Thanks for the idea.
 