+1 for team/department/project subnets. When you organize your network like you organize your people then you reduce the effort and risk of making changes.
On Fri, Jan 15, 2016, 14:54 Ski Kacoroski <[email protected]> wrote:
> Hi,
>
> I am part of a smallish (16 people) IT group and we are planning to redo
> our network layout. Currently we have a very simple layout with a
> different class B for each of our 34 sites (e.g. site1 10.191.0.0, site2
> 10.172.0.0) with a few subranges defined. This part I have pretty well
> figured out based on the network topology and services.
>
> The part I cannot figure out is what is the best practice for our
> datacenter. We currently break up subnets by type of machine (linux,
> windows, blackbox, etc.). The problem is that anyone on our network has
> access to any server, which is suboptimal. What I want to do is limit
> access to servers and server ports to the groups who need that access.
>
> I can see two ways to do this with my current set up:
>
> #1: I have an F5 BigIP and could set up vips for each server and then
> have everything go through the F5. Pluses are that it would log all
> accesses and block all other ports to the server. I would put the
> server team client machines onto a separate management network so they
> have direct access to the servers. Downside is setting this all up and
> maintaining it.
>
> #2: Set up separate networks for each group's client machines (server
> team, network team, database team, technology team), set up their servers
> on separate vlans, and only allow them access to their servers. Pluses
> are once this is set up I only have to make sure the server is in the
> correct vlan for the group to have access to it. I would use the F5 to
> allow public access to applications running on the servers. Downside is
> I have to make sure their client machines are on the correct vlans.
>
> I am wondering what you have done and what you would do differently if
> you had another chance?
>
> Thanks for your time.
>
> cheers,
>
> ski
>
> --
> "When we try to pick out anything by itself, we find it
> connected to the entire universe" John Muir
>
> Chris "Ski" Kacoroski, [email protected], 206-501-9803
> or ski98033 on most IM services
> _______________________________________________
> Discuss mailing list
> [email protected]
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
> This list provided by the League of Professional System Administrators
> http://lopsa.org/

--
Perfection is just a word I use occasionally with mustard.
--Atom Powers--
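The following is an added example, not code from either poster, that models option #2 from the quoted message as a first-match ACL: each team's client VLAN may reach only that team's server VLAN, the F5 may reach only the application ports it publishes, and everything else is denied. The subnets, the F5 subnet and the application ports are assumptions made up for the illustration (the post only gives the site prefixes 10.191.0.0 and 10.172.0.0); it also assumes the ACL sits on the router or firewall between the VLANs.

```python
"""Per-team VLAN access policy (option #2) as a small, testable model.

Constructed example. Addresses, the F5 subnet and the application ports
are assumptions; only the site prefix 10.191.0.0 comes from the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed team -> (client VLAN, server VLAN) map. Adding a server means
# placing it in the right server VLAN; the ACL below does not change.
TEAMS = {
    "server":     {"clients": "10.191.10.0/24", "servers": "10.191.110.0/24"},
    "network":    {"clients": "10.191.11.0/24", "servers": "10.191.111.0/24"},
    "database":   {"clients": "10.191.12.0/24", "servers": "10.191.112.0/24"},
    "technology": {"clients": "10.191.13.0/24", "servers": "10.191.113.0/24"},
}
F5_NET = "10.191.200.0/24"   # assumed F5 self-IP/SNAT subnet that fronts public apps
APP_PORTS = (80, 443)        # assumed ports the F5 is allowed to reach on servers
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                   # "ip" matches any protocol, else "tcp"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, src, dst, proto, dport):
        if src not in self.src or dst not in self.dst:
            return False
        if self.proto != "ip" and self.proto != proto:
            return False
        return self.dport is None or self.dport == dport


def build_policy(teams=TEAMS, f5_net=F5_NET, app_ports=APP_PORTS):
    """Derive the ACL from the team map: team clients -> own servers (any port),
    F5 -> every server VLAN on application ports only, then explicit deny."""
    net = ipaddress.ip_network
    rules = []
    for nets in teams.values():
        rules.append(Rule("permit", net(nets["clients"]), net(nets["servers"]), "ip"))
    for nets in teams.values():
        for port in app_ports:
            rules.append(Rule("permit", net(f5_net), net(nets["servers"]), "tcp", port))
    rules.append(Rule("deny", ANY, ANY, "ip"))  # default deny, written out so it is logged
    return rules


def evaluate(rules, src, dst, proto="tcp", dport=None):
    """First-match evaluation, as a router ACL or firewall policy applies it."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(s, d, proto, dport):
            return rule.action
    return "deny"  # unreachable with the final deny rule, kept as a safety net


def _wild(n):
    """IOS-style 'network wildcard' or 'any'."""
    return "any" if n == ANY else f"{n.network_address} {n.hostmask}"


def render_cisco(rules):
    """Render the policy as IOS-style extended ACL entries."""
    lines = []
    for r in rules:
        line = f"{r.action} {r.proto} {_wild(r.src)} {_wild(r.dst)}"
        if r.dport is not None:
            line += f" eq {r.dport}"
        lines.append(line)
    return lines


POLICY = build_policy()

if __name__ == "__main__":
    for line in render_cisco(POLICY):
        print(line)
    # database client to database server: permitted; to the server team's VLAN: denied
    print(evaluate(POLICY, "10.191.12.5", "10.191.112.20", "tcp", 5432))
    print(evaluate(POLICY, "10.191.12.5", "10.191.110.20", "tcp", 22))
```

The flows checked at the bottom show the property the original poster wants: a database-team workstation reaches its own servers but not the server team's, and a host from another site (10.172.x.x) or the F5 on a non-application port falls through to the deny. The whole scheme still depends on the downside named in the post, that client machines actually land in the right VLAN; the ACL cannot compensate for a workstation patched into the wrong access port.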
