Also, put your management/service controllers on a separate network from the servers themselves. If you have distinct hardware teams, then split it up by hardware team. This makes us feel better about running things that still depend on Windows 2000 or telnet to manage them (yes, I'm ashamed to say that we have things like that, and no, we can't get rid of them because of $VENDOR).
Skylar

On Fri, Jan 15, 2016 at 4:07 PM, Atom Powers <[email protected]> wrote:

> +1 for team/department/project subnets. When you organize your network
> like you organize your people then you reduce the effort and risk of making
> changes.
>
> On Fri, Jan 15, 2016, 14:54 Ski Kacoroski <[email protected]> wrote:
>
>> Hi,
>>
>> I am part of a smallish (16 people) IT group and we are planning to redo
>> our network layout. Currently we have a very simple layout with a
>> different class B for each of our 34 sites (e.g. site1 10.191.0.0, site2
>> 10.172.0.0) with a few subranges defined. This part I have pretty well
>> figured out based on the network topology and services.
>>
>> The part I cannot figure out is what is the best practice for our
>> datacenter. We currently break up subnets by type of machine (linux,
>> windows, blackbox, etc.). The problem is that anyone on our network has
>> access to any server which is suboptimal. What I want to do is limit
>> access to servers and server ports to the groups who need that access.
>>
>> I can see two ways to do this with my current set up:
>>
>> #1: I have an F5 BigIP and could set up vips for each server and then
>> have everything go through the F5. Pluses are that it would log all
>> accesses and block all other ports to the server. I would put the
>> server team client machines onto a separate management network so they
>> have direct access to the servers. Downside is setting this all up and
>> maintaining it.
>>
>> #2: Set up separate networks for each group's client machines (server
>> team, network team, database team, technology team), set up their servers
>> on separate vlans, and only allow them access to their servers. Pluses
>> are once this is set up I only have to make sure the server is in the
>> correct vlan for the group to have access to it. I would use the F5 to
>> allow public access to applications running on the servers. Downside is
>> I have to make sure their client machines are on the correct vlans.
>>
>> I am wondering what you have done and what you would do differently if
>> you had another chance?
>>
>> Thanks for your time.
>>
>> cheers,
>>
>> ski
>>
>> --
>> "When we try to pick out anything by itself, we find it
>> connected to the entire universe" John Muir
>>
>> Chris "Ski" Kacoroski, [email protected], 206-501-9803
>> or ski98033 on most IM services
>> _______________________________________________
>> Discuss mailing list
>> [email protected]
>> https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
>> This list provided by the League of Professional System Administrators
>> http://lopsa.org/
>>
> --
> Perfection is just a word I use occasionally with mustard.
> --Atom Powers--
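Approach #2 in the quoted thread (a client VLAN per team, a server VLAN per team, the F5 publishing applications to everyone, and, per the reply above, service controllers on their own network reachable only by the hardware team) can be written down as a small policy and replayed against observed flows before anything is enforced. The block below is an added example written for this page, not code from the thread or from any of the posters; every address, team name and port set in it is a constructed placeholder, and the nftables rendering is one possible enforcement form assumed here, not something the discussion describes.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Team:
    name: str
    client_net: IPv4Network   # VLAN holding this team's workstations
    server_vlan: IPv4Network  # VLAN holding the servers this team owns
    admin_ports: Set[int]     # ports the team needs to administer those servers


# Constructed sample policy; these ranges are hypothetical, not the poster's.
TEAMS: List[Team] = [
    Team("server",   ip_network("10.10.1.0/24"), ip_network("10.20.1.0/24"), {22, 3389}),
    Team("network",  ip_network("10.10.2.0/24"), ip_network("10.20.2.0/24"), {22, 443}),
    Team("database", ip_network("10.10.3.0/24"), ip_network("10.20.3.0/24"), {22, 5432}),
]
# Out-of-band management controllers sit on their own network and are reachable
# only from the server team's client VLAN (hypothetical range).
MGMT_NET = ip_network("10.99.0.0/24")
MGMT_ALLOWED_TEAMS = {"server"}
MGMT_PORTS = {22, 443}
# The F5 VIP range that publishes applications to everyone (hypothetical).
VIP_NET = ip_network("10.30.0.0/24")
PUBLIC_PORTS = {80, 443}


def team_for_client(src: str) -> Optional[Team]:
    ip = ip_address(src)
    return next((t for t in TEAMS if ip in t.client_net), None)


def team_for_server(dst: str) -> Optional[Team]:
    ip = ip_address(dst)
    return next((t for t in TEAMS if ip in t.server_vlan), None)


def decide(src: str, dst: str, port: int) -> Tuple[bool, str]:
    """Return (allowed, reason) for a TCP flow under the team-VLAN policy."""
    d = ip_address(dst)
    client_team = team_for_client(src)
    if d in VIP_NET:                      # applications published through the F5
        if port in PUBLIC_PORTS:
            return True, "public application via F5 VIP"
        return False, "non-public port on VIP"
    if d in MGMT_NET:                     # service controllers, hardware team only
        if client_team and client_team.name in MGMT_ALLOWED_TEAMS and port in MGMT_PORTS:
            return True, f"{client_team.name} team to management network"
        return False, "management network is restricted"
    owner = team_for_server(dst)
    if owner is None:
        return False, "destination not in any server VLAN"
    if client_team is None or client_team.name != owner.name:
        return False, f"server VLAN belongs to the {owner.name} team"
    if port not in owner.admin_ports:
        return False, f"port {port} not in the {owner.name} team's admin ports"
    return True, f"{owner.name} team to its own servers"


def render_nft() -> str:
    """Render the same policy as an nftables forward chain with a default drop."""
    lines = ["table inet segmentation {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for t in TEAMS:
        ports = ",".join(str(p) for p in sorted(t.admin_ports))
        lines.append(f"    ip saddr {t.client_net} ip daddr {t.server_vlan} "
                     f"tcp dport {{ {ports} }} accept")
        if t.name in MGMT_ALLOWED_TEAMS:
            mp = ",".join(str(p) for p in sorted(MGMT_PORTS))
            lines.append(f"    ip saddr {t.client_net} ip daddr {MGMT_NET} "
                         f"tcp dport {{ {mp} }} accept")
    pp = ",".join(str(p) for p in sorted(PUBLIC_PORTS))
    lines.append(f"    ip daddr {VIP_NET} tcp dport {{ {pp} }} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


def audit(flows: List[Tuple[str, str, int]]) -> List[Tuple[str, str, int, str]]:
    """Replay observed (src, dst, port) flows and return those the policy would deny.

    Run this over flow logs before enforcing: it shows what would break and
    exposes clients that are sitting on the wrong VLAN for their team."""
    denied = []
    for src, dst, port in flows:
        ok, why = decide(src, dst, port)
        if not ok:
            denied.append((src, dst, port, why))
    return denied


if __name__ == "__main__":
    # Constructed sample flows, as a flow collector might report them.
    sample = [("10.10.3.15", "10.20.3.7", 5432),   # DB team to its DB server: allowed
              ("10.10.2.9",  "10.20.3.7", 5432),   # network team to DB server: denied
              ("10.10.2.9",  "10.99.0.4", 443),    # network team to a controller: denied
              ("10.10.1.5",  "10.99.0.4", 443),    # server team to a controller: allowed
              ("172.16.5.5", "10.30.0.10", 443)]   # anyone to a published app: allowed
    for row in audit(sample):
        print("DENY", row)
    print(render_nft())
```

The `audit` function is the part that addresses the downside Ski lists for option #2: replaying a day of flow records through `decide` before the rules go live turns "are the client machines on the right VLAN?" into a list of specific denied flows to check, and the same list becomes a detection source once the policy is enforced, since any deny that appears later is either a misplaced machine or something reaching for a server VLAN it has no business in.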
