Re: need comments on proposed network architecture-correct diagram this time

From: Lars M. Hansen (badnews_at_hansenonline.net)
Date: 08/05/03


Date: Tue, 05 Aug 2003 11:17:55 GMT

On 5 Aug 2003 01:43:43 -0700, ike lozada spoketh

>hi all,
>
>my company is currently planning to upgrade our network infrastructure
>which by the way, really needs upgrading. our current setup is like
>this
>
>internet-->router-->hub-->internal network
>
>it sucks, i know. but we are thinking of upgrading it to this setup:
>
>internet-->border-->dmz-->packet-filtering-->switch-->internal network1
>           router          router         -->switch-->internal network2
>                                           -->switch-->internal network3
>                                           ..and so on...
>
>dmz will host our mail servers, ids, load balancer, www and ras
>server. internal network1 will have an application server (backend
>lotus notes) that www server (web portal) will need to have access to.
>
>now my questions:
>
>1. will our planned setup work? what are the advantages/disadvantages
>to this and what can you guys recommend to make it better? im afraid
>for the packet filtering router that sits between the different
>switches because it would mean a single point of failure and if it
>goes down, whole network will go down!
>
>2. how can we allow www server in the dmz to access the backend in one
>of the trusted networks? vpn or by proxy perhaps? please give ideas on
>how to set this up.
>
>3. where should we put domain controllers and dhcp servers? we are
>thinking of putting them in each of the different LAN segments...
>
>
>thanks for any comments

You probably shouldn't have your packet filtering router do your VLAN
routing for you. Call it a "firewall", and let it do only that. Then
you'll get:

 Internet---BR---DMZ---FW---LAN

You should treat this as two separate jobs. One is reorganizing your
internet connection, the second is reorganizing your internal LAN.

You can allow the WWW server to gain access through the firewall to get
to the backend. The rule to allow it just has to be very specific. Or,
you could have another backend server in the DMZ that queries the real
backend on the LAN. Then it alone can have access to the LAN. In the
event that the webserver is compromised, there won't be a direct path
into your LAN...

For your LAN solution, you could do this with VLAN, or simply with
multiple separate switches all connected to a very fast router with many
ports. The Cisco 3550 switch can do that routing for you much faster
than many routers...

One idea would be to use some Cisco 2950-48's for the LANs, all
connected with GigaStack stacking GBIC connectors, and have one Cisco
3550-12T to provide Ethernet gigabit connections to servers. Or, you can
go with the 3550-24 SMI (much cheaper) if you don't need any ethernet
gigabit connections. Connect them like this:

                   |---
              Switch1 |
                   | |
              Switch2 |
                   | |
              Switch3 |
                   | |
              Switch4 |
                   |---

Although it looks like a loop (and it is), STP will ensure that one path
gets disabled, and it'll only be enabled in the event that one uplink or
switch fails. Have the Gigabit connectors trunked (part of all VLANs),
and have switch4 (the 3550) do the VLAN routing for you.

You can put your servers on its own VLAN, and have the DHCP server give
out several ranges of IP addresses (one range for each VLAN). The use of
an ip-helper-address on the switch (essentially, giving the DHCP
server(s) virtual IP addresses on each VLAN) will allow all clients on
any VLAN to see the DHCP server(s).
 
Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
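The "very specific" firewall rule suggested above, as an added example that is not part of the original post: a first-match model of the firewall between the DMZ and the LAN, comparing a broad DMZ-to-LAN rule with one that names the web server, the backend, the protocol and the port. Every address, host name and the backend port (1352, the IANA "lotusnote" service) is a constructed assumption; substitute the real ones.

```python
"""Added example, not from the original post: a first-match model of the
firewall between the DMZ and the LAN, used to compare a broad DMZ->LAN rule
with the "very specific" rule the reply recommends. Every address, host name
and the backend port here is a constructed assumption."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Set, Tuple

DMZ_NET = ip_network("192.0.2.0/24")      # DMZ (documentation range, assumed)
LAN_NET = ip_network("10.10.0.0/16")      # internal network 1 (assumed)
WWW_SERVER = ip_address("192.0.2.80")     # web portal in the DMZ
MAIL_SERVER = ip_address("192.0.2.25")    # another DMZ host; needs no LAN access
NOTES_BACKEND = ip_address("10.10.1.5")   # Lotus Notes application server
FILE_SERVER = ip_address("10.10.1.20")    # some other LAN host
NOTES_PORT = 1352   # assumed backend port (IANA "lotusnote"); adjust to the real service


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None matches every destination port

    def matches(self, pkt: Packet) -> bool:
        return (pkt.src in self.src and pkt.dst in self.dst
                and self.proto in ("any", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def host(addr: IPv4Address) -> IPv4Network:
    """A /32 so a rule can name a single host."""
    return ip_network(f"{addr}/32")


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; anything unmatched hits the implicit default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# The tempting shortcut: "let the DMZ reach the LAN so the portal works".
BROAD = [Rule("allow", DMZ_NET, LAN_NET)]

# The specific rule: one source host, one destination host, one protocol, one
# port, then an explicit deny so DMZ->LAN drops show up in counters and logs.
SPECIFIC = [
    Rule("allow", host(WWW_SERVER), host(NOTES_BACKEND), "tcp", NOTES_PORT),
    Rule("deny", DMZ_NET, LAN_NET),
]


def allowed_paths(rules: List[Rule], sources, targets, ports) -> Set[Tuple[str, str, int]]:
    """Enumerate every TCP (src, dst, port) the policy lets into the LAN.
    Reviewing this set is the check: the specific policy should contain exactly
    the one path the portal needs and nothing a compromised DMZ host could reuse."""
    return {(str(s), str(d), p) for s in sources for d in targets for p in ports
            if evaluate(rules, Packet(s, d, "tcp", p)) == "allow"}


if __name__ == "__main__":
    srcs = [WWW_SERVER, MAIL_SERVER]
    dsts = [NOTES_BACKEND, FILE_SERVER]
    ports = [NOTES_PORT, 443, 445]
    print("broad   :", len(allowed_paths(BROAD, srcs, dsts, ports)), "paths into the LAN")
    print("specific:", sorted(allowed_paths(SPECIFIC, srcs, dsts, ports)))
```

The enumeration is the point: with the broad rule every DMZ host can reach every LAN host on every port, so a compromised web server has a direct path in; with the specific rule the only path that survives is web server to backend on the backend's port, which is also the only path a DMZ-side proxy backend would need if you choose that variant instead.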


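The DHCP arrangement described in the reply (one range per VLAN, an ip-helper-address on the VLAN-routing switch), as an added example that is not part of the original post: a small model of what the relay on the switch does with a client broadcast and how the server picks the range for that VLAN from the relay address (giaddr). The VLAN numbers, subnets, server address and ranges are constructed assumptions.

```python
"""Added example, not from the original post: a model of the 'ip helper-address'
relay on the VLAN-routing switch and of the DHCP server's per-VLAN range
selection. VLAN numbers, subnets, the server address and the ranges are
constructed assumptions."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_interface, ip_network
from typing import Dict, Optional, Set

# Constructed VLAN plan: one /24 per VLAN, the switch's VLAN interface holds .1.
SVI = {
    10: ip_interface("10.10.0.1/24"),   # internal network 1
    20: ip_interface("10.20.0.1/24"),   # internal network 2
    30: ip_interface("10.30.0.1/24"),   # internal network 3
    40: ip_interface("10.40.0.1/24"),   # a VLAN whose interface got no helper
    99: ip_interface("10.99.0.1/24"),   # server VLAN
}
DHCP_SERVER = ip_address("10.99.0.5")   # lives on the server VLAN
# 'ip helper-address' is configured on the client VLAN interfaces (not on 40).
HELPER: Dict[int, IPv4Address] = {10: DHCP_SERVER, 20: DHCP_SERVER, 30: DHCP_SERVER}

# Server-side scopes: one host-number range per VLAN subnet.
SCOPES: Dict[IPv4Network, range] = {
    ip_network("10.10.0.0/24"): range(100, 200),
    ip_network("10.20.0.0/24"): range(100, 200),
    ip_network("10.30.0.0/24"): range(100, 200),
    ip_network("10.99.0.0/24"): range(50, 60),
}


@dataclass
class Discover:
    vlan: int                                              # VLAN the broadcast arrived on
    dst: IPv4Address = field(default_factory=lambda: ip_address("255.255.255.255"))
    giaddr: IPv4Address = field(default_factory=lambda: ip_address("0.0.0.0"))


def relay(pkt: Discover) -> Optional[Discover]:
    """The switch's job. A broadcast does not cross the VLAN boundary: if the
    server sits in this VLAN it hears the broadcast itself (giaddr stays zero);
    otherwise a helper on the VLAN interface re-sends it as unicast to the server
    with giaddr set to that interface's address (RFC 2131, only the first relay
    fills giaddr); with no helper the request is simply dropped."""
    iface = SVI.get(pkt.vlan)
    if iface is None:
        return None
    if DHCP_SERVER in iface.network:
        return pkt
    server = HELPER.get(pkt.vlan)
    if server is None:
        return None
    giaddr = pkt.giaddr if int(pkt.giaddr) != 0 else iface.ip
    return Discover(vlan=pkt.vlan, dst=server, giaddr=giaddr)


def select_scope(giaddr: IPv4Address) -> Optional[IPv4Network]:
    """The server's job: pick the scope whose subnet contains giaddr; a zero
    giaddr means the request came from the server's own subnet."""
    key = DHCP_SERVER if int(giaddr) == 0 else giaddr
    for subnet in SCOPES:
        if key in subnet:
            return subnet
    return None


def offer_for(vlan: int, leased: Set[IPv4Address]) -> Optional[IPv4Address]:
    """End to end: broadcast on `vlan` -> relay -> scope selection -> first free
    address in that VLAN's range. None means no offer ever comes back."""
    forwarded = relay(Discover(vlan=vlan))
    if forwarded is None:
        return None
    subnet = select_scope(forwarded.giaddr)
    if subnet is None:
        return None
    for hostnum in SCOPES[subnet]:
        addr = subnet.network_address + hostnum
        if addr not in leased:
            leased.add(addr)
            return addr
    return None


if __name__ == "__main__":
    leases: Set[IPv4Address] = set()
    for v in (10, 20, 30, 40, 99):
        print(f"VLAN {v}: {offer_for(v, leases)}")
```

The failure mode worth checking after a change is VLAN 40 here: a VLAN interface without a helper address gives clients nothing, and the symptom (no offer at all) looks the same as a down server, so verify the helper on every client VLAN interface rather than only the server.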
