From: valianp@southwestern.edu
Date: Fri Aug 06 2004 - 09:54:23 CDT
I agree with Robert. Though your setup may work in theory, it is not good
practice to have one huge broadcast domain. It's inefficient and doesn't
provide much security or flexibility in the long run.
If you're trying to avoid messy subnet masking then break it down into /24's by
building. If a building needs more than 254 hosts, then break that building up
into floors.
Whatever you decide, I would avoid running any server in the same broadcast
domain as your users. It's more secure, efficient and makes better sense
architecturally.
Just my two cents.
Quoting Robert Lowe <Robert.H.Lowe@lawrence.edu>:
> R. Duwane Squires wrote:
>
> Hi Duwane,
>
> > I have setup NetReg and it seems to be working fine. However, being
> > relatively new to Linux, I wanted to make sure I have the network setup
> > correct.
> >
> > Here is my setup:
> >
> > We have a firewall in place running NAT so my Valid address range is
> > anything in the 10.0.0.0 class A range. The bogus range that I am
> > using is the 192.168.1.0 class C range.
> >
> > I have one NIC in the NetReg server. Eth0 is set up with the address
> > of 10.0.0.112, a netmask of 255.0.0.0, and the gateway is 10.0.0.1 (our
> > firewall). Eth0:1 is a virtual interface set up as 192.168.1.1, with a
> > netmask of 255.255.255.0 and the gateway points to itself, 192.168.1.1.
> >
> > I have not seen much on the list concerning the NIC setup and wanted to
> > know if our setup is typical.
>
> So your NetReg box is on the same subnet as your registered/unregistered
> clients? And both are on the same wire? If so, I'd say you're in for
> some unexpected side effects. If not, maybe you'd better "draw" a
> picture for us.
>
> I'd say a typical installation would look like:
>
>              +-----------+
> +--------+   |  Router   |
> | NetReg |---+(X)        |
> +--------+   |       (Y) |
>              +-----+-----+
>                    |
>                    |
>                (a) ResNet Subnet
>
> Router interface Y has a primary address assigned to it in the subnet
> for registered users, and a secondary address for the unregistered
> subnet. The router may be a layer 3 switch. The switch/router takes
> care of forwarding bootp/dhcp requests to NetReg; the packets record
> the address of the originating router interface (giaddr), which helps
> dhcpd decide from which pool to assign an address, along with your
> pool substatements regarding known and unknown clients.
>
> Separating NetReg from the clients is a good thing. Think of broadcast
> traffic, the effects of viruses (ping sweeps, port probes), and simplified
> ACL management at rif-Y for starters.
>
> -Robert
>
> **********************************************************************
> To unsubscribe from this list, send an e-mail message to
> majordomo@southwestern.edu containing a single line with the words:
> unsubscribe netreg
> Send requests for assistance to: owner-netreg@southwestern.edu
> **********************************************************************
>
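As an added illustration of the giaddr/pool mechanism Robert describes in the quoted message (this is example configuration written for this page, not the poster's config or NetReg's shipped files): an ISC dhcpd.conf for his topology, using /24 subnets as suggested above. All addresses are assumptions: router interface Y carries 10.0.0.1 (registered, primary) and 192.168.1.1 (unregistered, secondary) on one wire, and the NetReg server sits behind interface X at 10.0.1.5.

```conf
# Added example, not from the original thread. Addresses are assumed:
#   router interface Y  primary 10.0.0.1/24, secondary 192.168.1.1/24
#   NetReg server       10.0.1.5 (behind router interface X)
# The router relays DHCP to 10.0.1.5 and stamps giaddr = 10.0.0.1
# (its primary on Y). dhcpd finds the shared-network containing that
# address, then picks a pool by whether the client is "known", i.e.
# has a host{} declaration that NetReg adds on registration.

authoritative;
ddns-update-style none;

# Registered client; NetReg writes entries like this into an included file.
# Constructed sample MAC address.
host resnet-pc-01 {
  hardware ethernet 00:11:22:33:44:55;
}

shared-network resnet {
  # Primary address on Y: registered (known) clients only.
  subnet 10.0.0.0 netmask 255.255.255.0 {
    option routers 10.0.0.1;
    option domain-name-servers 10.0.1.53;   # real campus DNS (assumed)
    default-lease-time 86400;
    max-lease-time 86400;
    pool {
      deny unknown-clients;                 # no host{} entry -> not here
      range 10.0.0.100 10.0.0.200;
    }
  }

  # Secondary address on Y: unregistered (unknown) clients.
  subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.1;
    option domain-name-servers 10.0.1.5;    # NetReg's redirecting DNS
    default-lease-time 600;                 # short, so a fresh lease lands
    max-lease-time 600;                     # in the registered pool soon
    pool {
      allow unknown-clients;
      range 192.168.1.100 192.168.1.200;
    }
  }
}
```

Because the unregistered hosts' default gateway and DNS both point back through the router, the ACL on rif-Y can confine 192.168.1.0/24 to the NetReg server until a client acquires a host{} entry and re-leases into the 10.0.0.0/24 pool.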
This archive was generated by hypermail 2.1.4 : Thu Aug 12 2004 - 12:01:47 CDT