OT-hijacked. . .Re: [K12OSN] Solving the bandwidth bottleneck

Jim Kronebusch jim at winonacotter.org
Wed May 11 13:45:50 UTC 2005


I hear you Doug, if it ain't broke don't fix it.

But typically in a situation like yours you would head off your massive
network with one router and multiple IPs.  Then offer only private
internal IPs to all of your equipment on the private side of the
router.  If any device needs external access then you would NAT the
external IP to the internal IP and allow the needed ports (this is also
a good security measure).  Then if you want to have multiple internal
networks you have, to my knowledge, and still following the rules, three
options.

1. Have multiple internal interfaces on your router each assigned a
different internal network (i.e. eth0 192.168.0.x-255.255.255.0, eth1
192.168.1.x-255.255.255.0, eth2 10.0.x.x-255.255.0.0, etc).  I for one
prefer the 10.0.x.x-255.255.0.0 for an internal range as it gives you
the option of 253 networks and about 65,000 clients.  And then have each
of those interfaces feed their own network segment completely
independent of all other networks.  However for you this requires extra
wiring that it sounds like you don't have available.

2. Get a router that can handle VLANs.  These are "virtual" LANs.  You
will also need switches that can handle VLANs.  With this type of setup
you can decide what networks "trunk" down wiring room cross connects.
And you can physically assign each and every individual port its own
network.  You could have 3 offices from 8 different buildings look like
they are wired on their own private LAN.  Since these are smart devices
they know how to handle ARP, OSPF, broadcasts, whatever without getting
confused.  But these can be fairly high cost.

3. Subnetting.  This should basically accomplish what you achieve with
VLANs but with a lot more maintenance headache, number crunching, and
not quite as clean.  VLANs offer more manageability and less network
overhead.  But if you're on a budget this could be the best option.

Everything has rules but as we all know from growing up breaking certain
rules has more consequences than others.  Some networking rules are
probably silly, but some prevent underlying problems that may not be
visible without a lot of patience and a good network sniffer.

Either way I am sure you won't change since what you have is working and
a change would likely cause massive reconfiguration, time, and usually
with that comes money.  But just remember this doesn't exactly follow
protocol and you may have/always had problems that you just don't know
about.



> >On Tue, 2005-05-10 at 23:10, Doug Simpson wrote:
> >
> >>So, how then do you get the ability to put public and private IP
> >>addresses on the same physical wire?
> >
> >Usually that is something you want to avoid.  You can overlay different
> >subnet ranges on the same wire - it's ugly but it works. What people
> >are saying is a bad idea is to connect 2 nics from the same machine
> >onto that network.
> >
> But unless you want to run two completely different networks (physical
> plant wiring) all over the campus, to 5 buildings and 150 rooms . . .
> 
> >>For example, a Printer in the office has a JetDirect in it and is
> >>available on a public IP address, and connected to a small switch.
> >>Another port on that switch is connected to a workstation that gets its
> >>IP address via DHCP (a private number).
> >
> >If you really want a public address on the printer, let something route
> >your private addresses there.
> >
> It has a public IP because our state-wide computer network, used for
> student data and administration, prints through local printers, and
> therefore requires a publicly available IP number (we have many such
> units.)
> 
> >>From what I gather, it would be required to run individual cables for
> >>each IP range to every connection so that the public and private would
> >>always be separate.
> >
> >Usually you let the k12ltsp box act as a NAT router for the private
> >range on its 'inside' NIC - and a server for the printers.
> >
> It does this, but both ranges are on the same set of wires.  I will have
> to go examine and make sure that both NICs are on different switches,
> but they are on the same physical network, even if they are on separate
> switches.
> 
> >>Let's say the workstation mentioned above is set up to dual-boot, and
> >>gets its IP when booted as a LTSP terminal from the DHCP on the
> >>private range NIC.
> >>
> >>But, this same workstation, when run in Winders, requires a public IP
> >>address.  Then what do you do? Change the cable each time you want to
> >>use the other OS?  Unhandy! Especially for users!
> >
> >Why does it need a public address?  Unless it is acting as a server (in
> >which case you would probably leave it on all the time instead of dual
> >booting...) it should get along fine with a private address NATed
> >through the k12ltsp server.  Or, if you have enough public addresses to
> >split into subnets, the 2nd k12ltsp NIC could be a public branch and
> >you could turn off NAT.
> >
> The state-wide network requests that computers that access it for
> administration and student data have public IP numbers for
> troubleshooting efficiency. I do have some that are on private IPs and
> they work fine, too though.
> 
> >>So far, having two NICs on the same switch hasn't seemed to adversely
> >>affect it . . .
> >
> >Aside from normally wanting the firewalling from the public/private
> >split, the main problem most people would have with your scheme is that
> >you are leaking private DHCP addresses onto all of the connected
> >networks.  If you have static-assigned all of the public addresses it
> >won't matter, but it wouldn't work most places.
> >
> All of the public IP addresses are assigned, and nearly all of the
> private numbers are DHCP.  There are a few, like lab servers and private
> printers that have private numbers assigned.
> 
> This has been working seemingly flawlessly for 4 years, with over 700
> computers connected. . .  It may be wrong, but I don't have much trouble
> with it. . .
> 
> It is nice because it don't matter what kind of device I am connecting,
> a public printer, private workstation, private server, private printer,
> LTSP terminal, public workstation, whatever, I can connect it and it
> just works, all on the same wire. . .
> 
> Doug
> 
> _______________________________________________
> K12OSN mailing list
> K12OSN at redhat.com https://www.redhat.com/mailman/listinfo/k12osn
> For more info see <http://www.k12os.org>
> 
> -- 
> This message has been scanned for viruses and
> dangerous content by the Cotter Technology 
> Department, and is believed to be clean.
> 


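The "leaking private DHCP addresses onto all of the connected networks" problem raised in the quoted exchange is visible from any host on the wire: its neighbour (ARP) table will hold both RFC 1918 and public addresses on the same interface. The script below is an added example, not code from the thread or the K12OSN project; it parses constructed sample lines in the `ip -4 neigh show` format and reports interfaces where the two address classes are mixed.

```python
"""Flag interfaces whose neighbour table mixes RFC 1918 and public addresses.

Added example for the K12OSN thread above (not from the list or the
k12ltsp project). Sample lines below are constructed, in `ip -4 neigh
show` format. An interface that sees both address classes is a segment
where private and public hosts share one broadcast domain, i.e. the
mixed-wire setup discussed in the thread.
"""
import ipaddress
from collections import defaultdict

# RFC 1918 ranges checked explicitly; ipaddress.is_private also matches
# documentation ranges such as 203.0.113.0/24, which we want to count as
# "public" for this check.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample neighbour table: eth0 mixes both classes, eth1 does not.
SAMPLE_NEIGH = """\
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.1.21 dev eth0 lladdr 00:11:22:33:44:02 STALE
203.0.113.40 dev eth0 lladdr 00:11:22:33:44:03 REACHABLE
203.0.113.41 dev eth0 lladdr 00:11:22:33:44:04 REACHABLE
10.0.5.7 dev eth1 lladdr 00:11:22:33:44:05 REACHABLE
10.0.5.8 dev eth1 lladdr 00:11:22:33:44:06 DELAY
192.168.1.99 dev eth0 FAILED
"""

def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)

def parse_neigh(text):
    """Return {interface: [ip, ...]} for entries that resolved to a MAC."""
    seen = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        # FAILED/INCOMPLETE entries carry no lladdr: no host confirmed there.
        if len(fields) < 5 or fields[3] != "lladdr":
            continue
        seen[fields[2]].append(ipaddress.ip_address(fields[0]))
    return seen

def mixed_segments(neigh):
    """Return {interface: (rfc1918_count, public_count)} where both appear."""
    report = {}
    for iface, hosts in neigh.items():
        private = sum(1 for h in hosts if is_rfc1918(h))
        public = len(hosts) - private
        if private and public:
            report[iface] = (private, public)
    return report

def check(text=SAMPLE_NEIGH):
    return mixed_segments(parse_neigh(text))

if __name__ == "__main__":
    for iface, (priv, pub) in check().items():
        print(f"{iface}: {priv} RFC 1918 and {pub} public hosts on one segment")
```

On a real host, feed it the output of `ip -4 neigh show` instead of the sample; an empty report means each interface saw only one address class.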



