We do #2 as well, with about 16 /16 subnets. Works fine for our purposes (5-person team, ~750 hosts).
Skylar

On Fri, Jan 15, 2016 at 3:01 PM, Patrick M. Landry <[email protected]> wrote:
> We do #2. Each user group is on a separate subnet. Each server allows only
> those groups (subnets) access via firewall. All controlled with puppet
> profiles. Very straightforward and easy to maintain. Only limitation is
> that you have to trust entire groups, not individuals. You can split the
> group subnets up further to allow subgroups but we decided against that.
>
> --
> Patrick Landry
> Director, UCSS
>
>
> On Fri, Jan 15, 2016 at 2:53 PM -0800, "Ski Kacoroski" <[email protected]> wrote:
>
> Hi,
>
> I am part of a smallish (16 people) IT group and we are planning to redo
> our network layout. Currently we have a very simple layout with a
> different class B for each of our 34 sites (e.g. site1 10.191.0.0, site2
> 10.172.0.0) with a few subranges defined. This part I have pretty well
> figured out based on the network topology and services.
>
> The part I cannot figure out is what is the best practice for our
> datacenter. We currently break up subnets by type of machine (linux,
> windows, blackbox, etc.). The problem is that anyone on our network has
> access to any server which is suboptimal. What I want to do is limit
> access to servers and server ports to the groups who need that access.
>
> I can see two ways to do this with my current set up:
>
> #1: I have an F5 BigIP and could set up vips for each server and then
> have everything go through the F5. Pluses are that it would log all
> accesses and block all other ports to the server. I would put the
> server team client machines onto a separate management network so they
> have direct access to the servers. Downside is setting this all up and
> maintaining it.
>
> #2: Set up separate networks for each group's client machines (server
> team, network team, database team, technology team), set up their servers
> on separate vlans, and only allow them access to their servers. Pluses
> are once this is set up I only have to make sure the server is in the
> correct vlan for the group to have access to it. I would use the F5 to
> allow public access to applications running on the servers. Downside is
> I have to make sure their client machines are on the correct vlans.
>
> I am wondering what you have done and what you would do differently if
> you had another chance?
>
> Thanks for your time.
>
> cheers,
>
> ski
>
> --
> "When we try to pick out anything by itself, we find it
> connected to the entire universe" John Muir
>
> Chris "Ski" Kacoroski, [email protected], 206-501-9803
> or ski98033 on most IM services
> _______________________________________________
> Discuss mailing list
> [email protected]
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
> This list provided by the League of Professional System Administrators
> http://lopsa.org/
_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
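The per-group subnet scheme Patrick describes (Ski's option #2), as an added Python example that is not from the thread or any of its participants: the group subnets, server-to-group mapping and ports are constructed placeholders. It renders the host firewall allow-list a config-management profile would push to each server and checks a client address against it, which also makes the stated limitation visible: every host inside a group's subnet is trusted, not individual people.

```python
from ipaddress import ip_address, ip_network

# Constructed data: one client subnet per team (placeholder addresses,
# loosely following the thread's 10.191.0.0 site range).
GROUP_SUBNETS = {
    "server_team":   ip_network("10.191.10.0/24"),
    "network_team":  ip_network("10.191.11.0/24"),
    "database_team": ip_network("10.191.12.0/24"),
}

# Constructed policy: which groups may reach which TCP ports on each server.
SERVER_ACCESS = {
    "db01":  {"database_team": {5432, 22}, "server_team": {22}},
    "web01": {"server_team": {22, 443}},
}


def allowed(server, client_ip, port):
    """True if a connection from client_ip to server:port passes the
    per-group subnet policy; anything unmatched falls through to drop.
    Note the trust unit is the whole subnet, not the person behind it."""
    src = ip_address(client_ip)
    for group, ports in SERVER_ACCESS.get(server, {}).items():
        if src in GROUP_SUBNETS[group] and port in ports:
            return True
    return False


def render_rules(server):
    """Emit the iptables INPUT rules a puppet-style profile would manage
    for `server`: one ACCEPT per (group subnet, port), then a final DROP."""
    lines = []
    for group, ports in sorted(SERVER_ACCESS.get(server, {}).items()):
        for port in sorted(ports):
            lines.append(f"-A INPUT -s {GROUP_SUBNETS[group]} -p tcp "
                         f"--dport {port} -j ACCEPT")
    lines.append("-A INPUT -j DROP")
    return lines


if __name__ == "__main__":
    for line in render_rules("db01"):
        print(line)
    print(allowed("db01", "10.191.12.7", 5432))  # database team host: True
    print(allowed("db01", "10.191.11.7", 5432))  # network team host: False
```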
