Re: Forced Routing?

Good day...

Fair enough, yes, it will be compulsory to route.  The problem is just that
the 100+ (even 500 for that matter - the server room should be able to take
up to 1000 PCs at any given time) servers in the server room will be
configured by our clients, and NOT by our staff.  Therefore, it is necessary
for us to say something along the lines of:

Dear client,

your IP address(es) are:  192.168.10.1 -> 192.168.10.8
Subnet mask: 255.255.255.0
Default Gateway: 192.168.1.1

and it should work :)

Therefore, having routes on a software level (ie: specifying default gateways
or routing table on the software side) won't necessarily be the answer.  If
we perhaps have one client who is grumpy and wants to cause problems, he
will be able to mess things up in more than one way in the server farm by
changing his routing table and the like.

To be honest here, I realise this is as much a routing matter as routing can be,
but I need to have this routing "scheme" forced throughout the entire server
farm, regardless of the number of PCs in the farm, the number of IP
addresses, or anything like that.  The only reason why the server farm is
limited to 1000 PCs (max) at this time is because we only have enough
office space for server cabinets to cater for 1000 PCs.

Cabling and all that stuff is sub-floor, so we are not too concerned about
having a mess of cables running around.  The important thing is that it
will work, and that it will be affordable.  I realise that hardware-based
routing (such as routers, switches and hubs) is expensive, but it is
exactly for this reason that we want the solution to be as cost effective as
possible.  And it must be secure, reliable, and perform...

Regards,
Chris Knipe
Cell: (083) 430-8151
Natural ability has more often attained to glory and virtue, than education
without natural ability at all.

----- Original Message -----
From: Jeff Mcadams <jeffm@iglou.com>
To: <cgknipe@mweb.co.za>; <linux-net@vger.rutgers.edu>
Sent: Saturday, August 05, 2000 2:49 PM
Subject: Re: Forced Routing?


> Also sprach ksemat@wawa.eahd.or.ug
> >I begin to think that maybe instead of a hub you should have a router
> >for your networkand have all the servers plugged into it and restrict
> >it from forwarding packets from one machine to the other. Now I am not
> >very knowledgeable in this so I guess the gurus here can say more on
> >this issue.
>
> Yeah...it does probably need to be routed, one way or another.  If your
> concern is cost of router ports (with 100's of machines, I can
> understand why :) you could consider getting a switch that supports
> 802.1q and then run each of your machines into a separate port on the
> switch and then trunk those subnets to the router via VLANs.  You save
> on physical port costs on the router, sacrifice only slightly in
> security, sacrifice slightly in performance (extra framing overhead in
> the router and switch for 802.1q).
>
> > On Sat, 5 Aug 2000, Chris Knipe wrote:
> >> Date: Sat, 05 Aug 2000 07:04:10 +0200
> >> From: Chris Knipe <cgknipe@mweb.co.za>
> >> To: linux-net@vger.rutgers.edu
> >> Subject: Forced Routing?
> >>
> >> Hi...
> >>
> >> I just have a simple question quickly....  (or I hope it will be)...
> >>
> >> Technically, as I understand it, specifying a default gateway (or a gateway
> >> at all) for TCP/IP routing information is irrelevant *IF* the IP addresses
> >> are located on the same subnet??  Simple scenario...
> >>
> >> PC1  <----->  PC2
> >>
> >> Both are on the same network, 192.168.1.0/255.255.255.224
> >>
> >> Now, in other words, PC1 and 2 will know of each other only via ARP cache,
> >> and thus will know that they are directly reachable, and thus not use any
> >> gateway information specified in a routing table?  Well, I might be right, I
> >> might be wrong about this, but the question I have is a bit more
> >> complicated...
> >>
> >> Say for example, I have a bunch of PCs, all on the same network, all routing
> >> via one machine (default gateway)...  The network can possibly look
> >> something like this... (192.168.1.0/255.255.255.224)
> >>
> >> PC1   PC2   PC3   PC4
> >>   \        |          |         /
> >>    \       |          |        /
> >>     ------------------
> >>                 |
> >>         GATEWAY
> >>
> >> The question is simply, how can I firewall PC1, 2, 3 and 4 from EACH OTHER,
> >> without subnetting them all.  If I subnet it, it firstly would mean that my
> >> firewall machine would need hundreds of network cards (which is physically
> >> impossible - seeing in practice, I'm literally talking 100+ computers in
> >> this farm)....  Secondly, data from PC1 directed to PC2 WILL NOT be routed
> >> by the FIREWALL machine, but will only be broadcast back to the
> >> destination, because of the features and workings of UTP HUBs and TCP/IP
> >> routing....
> >>
> >> So how do I get my gateway machine (firewall) to protect the entire server
> >> farm from the outside world (this is fairly simple, I just stick a second
> >> NIC in it and set the firewall up), but also have the gateway protect the
> >> machines from each other INSIDE the firewall?
> >>
> >> Why do I want to do this?  We plan on setting up a server farm where our
> >> customers will be able to rent dedicated servers from us for their own
> >> personal use.  Due to the security involved, we need to have all the servers
> >> in the same server farm, as well as have firewall protection for every
> >> machine in the farm from each other.  The firewall rules are not that
> >> important at the moment, because of the fact that the farm will more than
> >> likely all be protected by the same rules; as I stated however, the problem
> >> lies in the manner in which we can go about implementing these rules
> >> INTERNALLY between the servers in the farm.
> >>
> >> As far as I know, it is impossible to do.  UTP hubs broadcast all the
> >> information received on a port to all the other ports connected to the same
> >> hub.  Therefore, all the machines on the same hub will receive the
> >> information.  On the other hand, there are a few places doing things like
> >> this already, which means that technically, it MUST be possible...
> >>
> >> Can one way of doing this perhaps be in the configuration and layout of the
> >> physical network (hubs, switches, and cables), perhaps in something like the
> >> following scenario....
> >>
> >> SERVER  SERVER   SERVER
> >>       |                 |                |
> >>   HUB          HUB         HUB
> >>      |                 |                 |
> >>      ------------------------
> >>                       |
> >>                SWITCH
> >>                       |
> >>              GATEWAY
> >>
> >> Or will this scenario also allow communications to take place between the
> >> servers without their data being checked and firewalled by the gateway
> >> firewall?
> >>
> >> ANY help will greatly be appreciated, and I look forward to your replies.
> >>
> >> Regards,
> >>  Chris Knipe
> >> Cell: (083) 430-8151
> >>
> >> Natural ability has more often attained to glory and virtue, than education
> >> without natural ability at all.
> >>
> >>
> >> -
> >> : send the line "unsubscribe linux-net" in
> >> the body of a message to majordomo@vger.rutgers.edu
> >>
> >
> > Noah
> >ksemat@eahd.or.ug
> >
> >
> >
>
> --
> Jeff McAdams                            Email: jeffm@iglou.com
> Head Network Administrator              Voice: (502) 966-3848
> IgLou Internet Services                        (800) 436-4456


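Added example (not from any message in this thread, and not the list's or the posters' code): a small Python model of the routing question under discussion. next_hop() applies the rule the original post asks about: a host ARPs directly for any destination inside its own subnet and only hands packets to the default gateway for off-link destinations, so two machines on the same 192.168.1.0/27 never pass through the firewall. plan_vlans() carves a separate subnet and 802.1Q VLAN id per client out of a supernet, as Jeff suggests, clients_isolated() checks that no two clients are ever on-link with each other, and router_config() emits the iproute2/iptables lines for a Linux router terminating the trunk. The supernet 10.20.0.0/22, the /29 per client, VLAN ids starting at 100, the interface names eth0/eth1, and the default-deny inter-VLAN policy are all assumptions for this example; the `ip link ... type vlan` syntax is modern iproute2, not what a 2000-era kernel with vconfig used.

```python
# Added example, not code from the thread. All names are hypothetical helpers;
# addresses, VLAN ids and interface names below are assumptions for illustration.
import ipaddress


def next_hop(host_ip, netmask, gateway, dst_ip):
    """How a host configured with host_ip/netmask and a default gateway reaches
    dst_ip. The host ARPs directly for anything inside its own subnet, so such
    traffic never touches the gateway/firewall; only off-link destinations are
    sent to the gateway, and only if the gateway itself is on-link."""
    net = ipaddress.ip_interface(f"{host_ip}/{netmask}").network
    dst = ipaddress.ip_address(dst_ip)
    gw = ipaddress.ip_address(gateway)
    if dst in net:
        return ("direct", str(dst))        # same segment: ARP, gateway ignored
    if gw in net:
        return ("gateway", str(gw))        # off-link: forwarded via the router
    return ("unreachable", None)           # gateway is off-link too: misconfigured


def plan_vlans(supernet, clients, client_prefix=29, first_vid=100):
    """Carve one subnet per client out of supernet and give each its own
    802.1Q VLAN id. The router (firewall) takes the first usable address of
    every subnet; the client gets the remaining addresses."""
    pool = ipaddress.ip_network(supernet).subnets(new_prefix=client_prefix)
    plan = []
    for i, client in enumerate(clients):
        sn = next(pool)
        hosts = list(sn.hosts())
        plan.append({
            "client": client,
            "vid": first_vid + i,
            "network": str(sn),
            "netmask": str(sn.netmask),
            "gateway": str(hosts[0]),
            "client_ips": [str(h) for h in hosts[1:]],
        })
    return plan


def clients_isolated(plan):
    """True if no client address is on-link with any other client's address,
    i.e. every client-to-client packet must pass through the router."""
    for a in plan:
        for b in plan:
            if a is b:
                continue
            for src in a["client_ips"]:
                for dst in b["client_ips"]:
                    kind, _ = next_hop(src, a["netmask"], a["gateway"], dst)
                    if kind != "gateway":
                        return False
    return True


def router_config(plan, trunk="eth1", uplink="eth0"):
    """iproute2 + iptables lines for a Linux router that terminates the trunk.
    Inter-VLAN forwarding is dropped and only the uplink is reachable; that
    default-deny policy and the interface names are assumptions, not something
    the thread specifies."""
    lines = ["sysctl -w net.ipv4.ip_forward=1"]
    for e in plan:
        dev = f"{trunk}.{e['vid']}"
        prefixlen = e["network"].split("/")[1]
        lines += [
            f"ip link add link {trunk} name {dev} type vlan id {e['vid']}",
            f"ip addr add {e['gateway']}/{prefixlen} dev {dev}",
            f"ip link set {dev} up",
        ]
    lines += [
        f"iptables -A FORWARD -i {trunk}.+ -o {trunk}.+ -j DROP",
        f"iptables -A FORWARD -i {trunk}.+ -o {uplink} -j ACCEPT",
        f"iptables -A FORWARD -i {uplink} -o {trunk}.+ "
        "-m state --state ESTABLISHED,RELATED -j ACCEPT",
        "iptables -P FORWARD DROP",
    ]
    return lines


if __name__ == "__main__":
    # Original post: two hosts on 192.168.1.0/27 reach each other directly.
    print(next_hop("192.168.1.2", "255.255.255.224", "192.168.1.1", "192.168.1.3"))
    plan = plan_vlans("10.20.0.0/22", ["client-a", "client-b", "client-c"])
    print(clients_isolated(plan))
    print("\n".join(router_config(plan)))
```

Two things the model makes visible. First, the sample client letter above hands out 192.168.10.1 to .8 with a /24 mask and a gateway of 192.168.1.1, which lies outside 192.168.10.0/24; next_hop() returns "unreachable" for that combination, so a client following the letter literally could not route at all. Second, the per-port VLAN design is what makes the routing "forced": a grumpy client can rewrite his own routing table or addresses all he likes, but the switch, not his configuration, decides which segment his frames land on, so the only hosts he can reach without the router's FORWARD chain seeing the packets are the ones in his own VLAN.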

