Separating LAN into two segments
20 years 8 months ago #3085
by nubs
Could someone help me understand why you would want to separate your LAN into two segments: one network for the regular traffic, and the other network solely for administration?
A complete and thorough explanation would be welcome, as well as any links/articles I can get my hands on.
Also, if you implement this 2nd administrator network, is it going to duplicate the other network, except for the fact that only administration can use that one? So in essence, your network would be twice as big?!? I am having a hard time trying to picture this in my head. I want to know what additional resources will be needed to create the 2nd network.
thx
nubs
20 years 8 months ago #3093
by sahirh
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Could you give me an example of what you mean by administrative traffic, as I don't know of a setup like this? The only thing I can relate it to is where you place the network administration machines in a separate subnet. This is for security, and it makes it easy to write rules on the firewall saying "only this subnet can telnet or ssh to the webserver".
That way you isolate the network that has administrative control over the other machines. It's quite a logical thing to do.
20 years 8 months ago #3094
by MaXiMuS
nubs, it would be really helpful if you could elaborate more on what precisely you want to know.
I am not sure there is something known as administrative traffic, but if you are talking about the ability to administer the network using, say, SNMP, then yes, you could use a switch to divide the LAN, but that would be primarily for security purposes, as pointed out by sahir. Also, the two segments will not be replicas of each other: only the administrative machines are in one segment and the rest of the network is on the other. Hope this helps.
20 years 5 months ago #4268
by n8
It is good practice to have a separate logical network for administration purposes. Separating it physically is even better.
Let's say you added an additional 10.0.0.x IP address to all your hosts and network devices. You can restrict access to these devices for administration to 10.0.0.x hosts only. Since 10.0.0.x is one of the IANA reserved IP blocks for LANs, it cannot be routed normally on the internet. This would restrict administration to your local network.
If you did not want to map multiple IP addresses per interface in devices that you want to secure in this way, you could add an additional NIC. This would require an additional link to the switch. If you wanted to separate the networks logically in a single switch, you could associate a separate set of ports on your switch with a separate VLAN ID. The only catch is, if you wanted to route traffic between the VLANs you would need a router, but if you ask me, keep it separate.
I personally have a separate physical network for all of my core network devices. I have access lists to restrict administration to only a couple of my administration IP addresses. Because my workstation is the only one connected to my administration network, I can be the only one to administer those devices.
Ramble... Ramble..
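The "only this subnet can telnet or ssh" firewall rule sahirh mentions and the access lists n8 describes both come down to the same first-match ACL: accept management ports from the admin subnet, drop the same ports from everyone else, and leave ordinary traffic alone. The block below is an added example, not code from any poster; it assumes a management subnet of 10.0.0.0/24 and management services on TCP 22, TCP 23 and UDP 161, models the ACL, evaluates a few constructed connection attempts against it, and renders the same rules as nftables text (nothing is applied to a live system).

```python
"""Model an 'admin subnet only' access list and render it as nftables rules.

Added example. Assumptions not taken from the thread: the management
subnet is 10.0.0.0/24 and the management services are ssh (tcp/22),
telnet (tcp/23) and SNMP (udp/161).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

MGMT_NET = ipaddress.ip_network("10.0.0.0/24")          # assumed admin subnet
ADMIN_PORTS = {("tcp", 22), ("tcp", 23), ("udp", 161)}  # assumed admin services
ANY_NET = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                     # "accept" or "drop"
    src: ipaddress.IPv4Network      # 0.0.0.0/0 matches any source
    proto: Optional[str]            # None matches any protocol
    dport: Optional[int]            # None matches any destination port


def build_acl(mgmt_net=MGMT_NET, admin_ports=ADMIN_PORTS):
    """First-match ACL: admin ports only from the management subnet.

    Order matters: the accept rules for the admin subnet must precede the
    blanket drops for the same ports, and only then does general traffic
    get a catch-all accept.
    """
    ports = sorted(admin_ports)
    acl = [Rule("accept", mgmt_net, proto, port) for proto, port in ports]
    acl += [Rule("drop", ANY_NET, proto, port) for proto, port in ports]
    acl.append(Rule("accept", ANY_NET, None, None))   # everything else
    return acl


def evaluate(acl, src_ip, proto, dport):
    """Return the action of the first rule matching the packet ('drop' if none)."""
    src = ipaddress.ip_address(src_ip)
    for r in acl:
        if src in r.src and r.proto in (None, proto) and r.dport in (None, dport):
            return r.action
    return "drop"   # deny by default, same as the chain policy below


def to_nftables(acl, table="filter", chain="input"):
    """Render the ACL as an nftables input chain (text only; not applied)."""
    lines = [
        f"table inet {table} {{",
        f"  chain {chain} {{",
        "    type filter hook input priority 0; policy drop;",
    ]
    for r in acl:
        parts = []
        if r.src.prefixlen:   # 0.0.0.0/0 means 'any', so no saddr match
            parts.append(f"ip saddr {r.src.with_prefixlen}")
        if r.proto and r.dport is not None:
            parts.append(f"{r.proto} dport {r.dport}")
        parts.append(r.action)
        lines.append("    " + " ".join(parts))
    lines += ["  }", "}"]
    return "\n".join(lines)


# Constructed connection attempts (source IP, protocol, destination port).
SAMPLE_ATTEMPTS = [
    ("10.0.0.5", "tcp", 22),       # admin workstation -> ssh
    ("192.168.1.40", "tcp", 22),   # user LAN host -> ssh
    ("192.168.1.40", "tcp", 80),   # user LAN host -> web
    ("203.0.113.9", "udp", 161),   # outside address -> SNMP
]


def audit(acl, attempts=SAMPLE_ATTEMPTS):
    """Map each attempt to the ACL decision, for a quick review of the rules."""
    return {(ip, proto, port): evaluate(acl, ip, proto, port)
            for ip, proto, port in attempts}


if __name__ == "__main__":
    acl = build_acl()
    for attempt, decision in audit(acl).items():
        print(f"{attempt[0]:>14} {attempt[1]}/{attempt[2]:<4} -> {decision}")
    print(to_nftables(acl))
```

Running it shows the admin workstation reaching ssh, the user LAN host reaching the web port but not ssh, and the outside address being dropped on SNMP. The same ordering (subnet-specific accepts before port-wide drops) is what you would put in a router ACL or firewall policy; if the drops came first, the admin subnet would lock itself out.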
20 years 5 months ago #4274
by TheBishop
The simplest reason to run the administrative interfaces of your network devices over a separate network is that when you have network problems (on your main network) you can still access all your troubleshooting resources to fix them. Try querying SNMP usage stats for a device port across a network which is in the throes of a broadcast storm and you'll see what I mean.
20 years 5 months ago #4287
by n8
Well put, Bishop. Today I poll my network interfaces through my production network, and when I do have a problem my monitors have trouble getting info from the devices. It would be better to run monitoring on the administrative network.