Re: [lopsa-discuss] Network Layout Question

Fri, 15 Jan 2016 18:55:49 -0800 

+1 for vlans
If you have a server that needs to be part of multiple and you kill want to keep things mostly separated, you can use vlan tagging on that server to be local on each subnet. 

On 1/15/2016 5:53 PM, Ski Kacoroski wrote:

Hi,


I am part of a smallish (16 people) IT group and we are planning to 
redo our network layout.  Currently we have a very simply layout with 
a different class B for each of our 34 sites (e.g. site1 10.191.0.0, 
site2 10.172.0.0) with a few subranges defined. This part I have 
pretty well figured out based on the network topology and services.



The part I cannot figure out is what is the best practice for our 
datacenter.  We currently break up subnets by type of machine (linux, 
windows, blackbox, etc.).  The problem is that anyone on our network 
has access to any server which is suboptimal.  What I want to do is 
limit access to servers and server ports to the groups who need that 
access.


I can see two ways to do this with my current set up:


#1: I have an F5 BigIP and could set up vips for each server and then 
have everything go through the F5.  Pluses are that it would log all 
accesses and make block all other ports to the server.  I would put 
the server team client machines onto a separate management network so 
they have direct access to the servers. Downside is setting this all 
up and maintaining it.



#2: Set up separate networks for each groups client machines (server 
team network team, database team, technology team), set up their 
servers on separate vlans, and only allow them access to their 
servers.  Pluses are once this is set up I only have to make sure the 
server is in the correct vlan for the group to have access to it.  I 
would use the F5 to allow public access to applications running on the 
servers.  Downside is I have to make sure their client machines are on 
the correct vlans.



I am wondering what you have done and what you would do differently if 
you had another chance?


Thanks for your time.

cheers,

ski



_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/






















					Reply via email to