Re: need comments on proposed network architecture-correct diagram this time

From: ike lozada (ikelozada_at_yahoo.com)
Date: 08/06/03


Date: 5 Aug 2003 18:54:39 -0700

Lars M. Hansen <badnews@hansenonline.net> wrote in message news:<nm2vivc8dmkt3tr8oj1352h8877ivogvkp@4ax.com>...
> On 5 Aug 2003 01:43:43 -0700, ike lozada spoketh
>
> >hi all,
> >
> >my company is currently planning to upgrade our network infrastructure
> >which by the way, really needs upgrading. our current setup is like
> >this
> >
> >internet-->router-->hub-->internal network
> >
> >it sucks, i know. but we are thinking of upgrading it to this setup:
> >
> >internet-->border-->dmz-->packet-filtering-->switch-->internal network1
> >           router          router        -->switch-->internal network2
> >                                         -->switch-->internal network3
> >                                         ..and so on...
> >
> >dmz will host our mail servers, ids, load balancer, www and ras
> >server. internal network1 will have an application server (backend
> >lotus notes) that www server (web portal) will need to have access to.
> >
> >now my questions:
> >
> >1. will our planned setup work? what are the advantages/disadvantages
> >to this and what can you guys recommend to make it better? im afraid
> >for the packet filtering router that sits between the different
> >switches because it would mean a single point of failure and if it
> >goes down, whole netwrk will go down!
> >
> >2. how can we allow www server in the dmz to access the backend in one
> >of the trusted networks? vpn or by proxy perhaps? please give ideas on
> >how to set this up.
> >
> >3. where should we put domain controllers and dhcp servers? we are
> >thinking of putting them in each of the different LAN segments...
> >
> >
> >thanks for any comments
>
> You probably shouldn't have your packet filtering router do your VLAN
> routing for you. Call it a "firewall", and let it do only that. Then
> you'll get:
>
> Internet---BR---DMZ---FW---LAN
>
> You should treat this as two separate jobs. One is reorganizing your
> internet connection, the second is reorganizing your internal LAN.
>
> You can allow the WWW server to gain access through the firewall to get
> to the backend. The rule to allow it just has to be very specific. Or,
> you could have another backend server in the DMZ that queries the real
> backend on the LAN. Then it alone can have access to the LAN. In the
> event that the webserver is compromised, there won't be a direct path
> into your LAN...
>
> For your LAN solution, you could do this with VLAN, or simply with
> multiple separate switches all connected to a very fast router with many
> ports. The Cisco 3550 switch can do that routing for you much faster
> than many routers...
>
> One idea would be to use some Cisco 2950-48's for the LANs, all
> connected with GigaStack stacking GBIC connectors, and have one Cisco
> 3550-12T to provide Ethernet gigabit connections to servers. Or, you can
> go with the 3550-24 SMI (much cheaper) if you don't need any ethernet
> gigabit connections. Connect them like this:
>
>          |----|
> Switch1       |
>    |          |
> Switch2       |
>    |          |
> Switch3       |
>    |          |
> Switch4       |
>          |----|
>
> Although it looks like a loop (and it is), STP will ensure that one path
> gets disabled, and it'll only be enabled in the event that one uplink or
> switch fails. Have the Gigabit connectors trunked (part of all VLANs),
> and have switch4 (the 3550) do the VLAN routing for you.
>
> You can put your servers on its own VLAN, and have the DHCP server give
> out several ranges of IP addresses (one range for each VLAN). The use of
> an ip-helper-address on the switch (essentially, giving the DHCP
> server(s) virtual IP addresses on each VLAN) will allow all clients on
> any VLAN to see the DHCP server(s).
>
> Lars M. Hansen
> http://www.hansenonline.net
> (replace 'badnews' with 'news' in e-mail address)

Hi again, in the dmz, we plan to put a mail server, www server (load
balancer next time), an IDS...any problems with these? also, where
should we put the dhcp servers... in the dmz? or one dhcp server per
vlan? is a vlan==subnet (i.e. network segment)?

thanks
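The VLAN-routing and DHCP-relay design Lars describes (one routing 3550 at the end of the ring, trunked gigabit uplinks, STP closing the loop, ip helper-address on every client VLAN), written out as a Catalyst 3550 configuration. This is an added example, not configuration posted by either participant; the VLAN numbers, the 10.1.x.0/24 addressing, the DHCP server address 10.1.30.5 and the port names are constructed assumptions.

```cisco
! Added example (not from the thread): Catalyst 3550 acting as the
! inter-VLAN router in the ring design. Addresses, VLAN ids and port
! names are constructed for illustration.
ip routing
!
vlan 10
 name internal-net1
vlan 20
 name internal-net2
vlan 30
 name servers
!
! One SVI per VLAN; the switch is the default gateway of each segment.
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ! Relay client DHCP broadcasts to the DHCP server on the server VLAN
 ! (assumed address 10.1.30.5).
 ip helper-address 10.1.30.5
!
interface Vlan20
 ip address 10.1.20.1 255.255.255.0
 ip helper-address 10.1.30.5
!
interface Vlan30
 ip address 10.1.30.1 255.255.255.0
 ! No helper needed: the DHCP server sits directly on this VLAN.
!
! Gigabit uplinks into the 2950 stack carry every VLAN (trunked).
interface GigabitEthernet0/1
 description uplink to Switch3
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/2
 description redundant link closing the ring back to Switch1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
! Make the routing switch the STP root for the client VLANs so the
! blocked port is on the far side of the ring; it only forwards again
! if an uplink or a switch fails.
spanning-tree mode rapid-pvst
spanning-tree vlan 10,20,30 root primary
```

A relayed request arrives at the DHCP server with the originating SVI address as giaddr, which the server uses to choose between its 10.1.10.0/24 and 10.1.20.0/24 scopes, so one server with one scope per VLAN covers all segments.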


