Networking advice
Leonard Isham
leonard.isham at gmail.com
Wed Jan 19 22:23:14 UTC 2005
On Wed, 19 Jan 2005 16:15:56 -0500 (EST), ranbir sandhu
<m3freak at rogers.com> wrote:
> Hi all,
>
> I'm not a networking expert or even "the network guy",
> and thus I am running into a problem figuring out how
> to improve the network at my new office.
>
> The business centre I'm in is sharing a DSL connection
> with one dynamic IP between 19 tenants (simple
> Linksys/Dlink type of router). Besides the obvious
> security problems, this makes it very difficult for
> tenants to host their own servers, including me.
>
> Along with changing the ISP to one that can provide
> static IPs, here's what I'm thinking of suggesting:
>
> Internet --> DSL Modem --> Hub/Switch
>                              |        |
>                          Router1    Router2
>                              |        |
>                           Switch    Tenant
>                              |      That
>                          Tenants    Cares
>                           That
>                         Don't Care
>
> Router1 would have a static IP. Like it says, tenants
> that want a simple Internet connection would
> essentially receive the same service they have now.
>
> Router2 would be assigned another static IP.
> Additional tenants could easily be accommodated with
> more static IPs and routers. Firewalls etc. would be
> the responsibility of the tenant.
>
> The obvious problem with this is that if a simple
> switch or even a hub is used after the DSL modem, the
> business centre won't be able to control the traffic
> (i.e. prioritize and/or control bandwidth use). One
> tenant could use up the entire pipe, for example.
>
> I've considered dropping in a machine running mOnOwall
> to help solve the traffic shaping issue. Also, I've
> read that mOnOwall can transparently firewall/bridge:
> this would make it very easy to assign static IPs to
> those that want them. But, I don't know how many
> routes it can accommodate.
>
> Is the above approach a good one? How else would
> something like this be handled?
>
> Incidentally, I've spent quite a bit of time reading
> up on layer 2/3 switches, VLANs etc., but I still
> haven't figured out if plugging the modem directly
> into a switch is the right thing to do.
>
Here is what I'd do (I have a proposal submitted to do this for a
medical complex).
Internet
   |
DSL Modem or Internet Router
   |
Firewall----Tenant-2
   |
Tenant-1
Firewall each tenant from the other tenants. Give each tenant a
different RFC 1918 address range. Use a switch capable of trunking,
and an Ethernet card capable of trunking in the firewall to allow
multiple VLANs on one physical connection.
--
Leonard Isham, CISSP
Ostendo non ostento.
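As an added example (not code from the thread or from Leonard): a small Python script that captures this design as a plan, checks that each tenant's RFC 1918 range and VLAN id are sound, and emits the Linux firewall commands that give every VLAN its own sub-interface, forward traffic only towards the Internet, and NAT each tenant to its own static IP. Interface names, VLAN ids, address ranges and the public IPs are assumptions.

```python
# Added example, not code from the thread: a per-tenant VLAN plan of the kind
# Leonard describes, with the checks and iptables/NAT rules that keep tenants
# apart. Interface names, VLAN ids, ranges and public IPs are assumptions.
import ipaddress

WAN = "eth0"    # towards the DSL modem / Internet router
TRUNK = "eth1"  # 802.1Q trunk to the VLAN-capable switch
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample plan: (tenant, VLAN id, RFC 1918 range, static public IP)
PLAN = [
    ("tenant-1", 10, "10.10.0.0/24", "203.0.113.10"),
    ("tenant-2", 20, "10.20.0.0/24", "203.0.113.11"),
]


def validate(plan):
    """Return a list of problems (empty when the plan is sound): every range
    must be RFC 1918, ranges must not overlap, VLAN ids must be unique."""
    problems, seen_nets, seen_vids = [], [], set()
    for name, vid, cidr, _ in plan:
        net = ipaddress.ip_network(cidr)
        if not any(net.subnet_of(r) for r in RFC1918):
            problems.append(f"{name}: {cidr} is not an RFC 1918 range")
        if not 1 <= vid <= 4094 or vid in seen_vids:
            problems.append(f"{name}: bad or duplicate VLAN id {vid}")
        if any(net.overlaps(other) for other in seen_nets):
            problems.append(f"{name}: {cidr} overlaps another tenant's range")
        seen_nets.append(net)
        seen_vids.add(vid)
    return problems


def firewall_rules(plan):
    """Commands for the shared firewall: one VLAN sub-interface per tenant,
    forwarding allowed only towards the WAN (so tenant-to-tenant traffic hits
    the DROP policy), and each tenant NATed to its own static IP."""
    rules = ["iptables -P FORWARD DROP",
             "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    for name, vid, cidr, pub in plan:
        vif = f"{TRUNK}.{vid}"  # 802.1Q sub-interface carrying this tenant's VLAN
        rules += [
            f"ip link add link {TRUNK} name {vif} type vlan id {vid}",
            f"iptables -A FORWARD -i {vif} -s {cidr} -o {WAN} -j ACCEPT",
            f"iptables -t nat -A POSTROUTING -s {cidr} -o {WAN} -j SNAT --to-source {pub}",
        ]
    return rules


if __name__ == "__main__":
    print("\n".join(validate(PLAN) or firewall_rules(PLAN)))
```

Run it on a plan and it prints either the problems found or the command list; with the DROP policy, nothing is forwarded between VLANs unless a rule for that pair is added on purpose.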