Tuesday, August 18, 2009

For crying out loud

At work today I tried to explain to my boss how two subnets can do and will work on the same hardware network layer... In this case 1000fx,1000tx aka(gig dual mode fiber and gig lan).

I attempted to explain that you can have multiple subnets running across the same cable, just like you can have multiple ip's on the same cable. Either he didn't get it(drawings included) or he just didn't whant to hear my ideas... The odd thing, he was the one wanting the firewall in the server room not me. SO why the resistance? IDK Frustrating at best. He responded in a negative tone, and said we(meaning me) would have to build a test network with a using a router(we don't have) to "prove it".

I think I was pretty patient, except for a comment about this being a basic network principal.

I am getting tired of being treated like an intern as if I just don't have the experience or something. I mean you guys hired me because I have 5+ years of combined networking, programming and unix/linux experience. Not to mention DB classes and a year of on the job training/exp plus three or so years of informal personal DB maintainance. (we had nice-ish words about good DB practices which ended about the same). I can code in plenty of languages, and have made some pretty cool apps over the years. SO when I say I am pretty sure you can do this with a network I MEAN IT!!!!

I did it in about 4 mins with iptables(just to make sure) this after noon. I bound the same card to a virtual interface eth0(192.168.2.x) and eth0:1( Then I changed my desktops ip to the 192.168.4.x subnet. And finally I added some iptables NAT rules to the Linux box and bam I was browsing the internet through my new Linux router... all through the same switch and accross the same ethernet cables. Worked greate, just like the many times I have done this type of networking before.


As a side note, I hate File Maker Pro! It can bairly be called a DB, and has tons of closed source proprietary issues.


The Situatation/Problem
The issue was we have a six pair multimode fiber pulled between our two buildings, only one pair is in use and terminated(1gig). We also have an older single mode fiber that we grew out of which is plenty fast enough for a nine meg internet unprotected connection.(100meg) We want to move our current firewall from it's present location into our(IT) server room. The catch is, we share the internet with our two other plants, both of which are on seperate subnets seperated by a router located in the same room as the firewall.

So each building has a subnet like:

buidling subnets
192.168.1.x (other buildings)
192.168.2.x (the server room and our buildings subnet)
192.168.3.x (seperate firewall subnet)

All are seperated by the router which handles the static routes between subnets. The router is the gateway for both building subnets, and the firwall is in turn the gateway for the router.

Simple works and secure.

My suggested cheap and imediately doable solution:
  • wait to pull the additional gig fiber.
  • move the firwall to the server room.
  • use the existing 100fx fiber for the new unsecured 9 meg fiber internet.
  • run both the secured 192.168.3.x and secured 192.168.2.x on the same main pipe.
  • either us a router to split the subs between the fiber, or just pipe them both into the switch(current). Keep in mind both are secure networks and the firewall controlls internet access so that's not an issue.
  • connect the backup dsl modem to the phone conn in the server room.
  • done.
This shoule work just fine and is relatively secure, and doesn't cost us any additional money for two new switches and the additional termination.

No comments:

Post a Comment