[Tfug] Network partitioning

Bexley Hall bexley401 at yahoo.com
Sat Nov 2 00:01:08 MST 2013


On 11/1/2013 11:01 PM, vaca at grazeland.com wrote:

[top post fixed]

> On Nov 1, 2013, at 9:25 PM, Bexley Hall <bexley401 at yahoo.com> wrote:
>
>> I'm looking for quick and dirty way to partition a network
>> to isolate subnets from each other (to varying degrees).
>>
>> In essence:
>> - a group of "internal" machines that need to be able to
>>   talk together
>> - a group of "shared resources"*
>> - another group of machines that don't really need to talk
>>   to each other (though if they did, the world wouldn't end)
>>
>> The shared resources are things like internet connection,
>> printers, file servers, etc.  I.e., everyone probably wants to
>> be able to access these (*though a printer shouldn't be
>> accessible from the internet connection so I guess you'd
>> really want to split into yet another group).
>>
>> What's the simplest "no maintenance" way of doing this?
>> Ideally, via a turnkey appliance (instead of a "real system"
>> added for this role)
>
> VLANs and ACLs would be a simple means of doing this.

I think that requires too much maintenance down the road.
I.e., if a switch is replaced, another printer added, etc.

I was thinking more along the router approach:
- partition the network into the 3 or 4 domains
- write *simple* rules for 4 port router (A can talk to B, etc.)
- hang generic switches on the 4 ports

Then, all you have to remember is:
- anything plugged into switch A can talk to anything in switch C
  (along with everything else in switch A)
- anything in switch D can talk to anything in switch C (C=common?)
  (along with everything else in switch D)
- anything in A or D can talk to switch B
  (B being the internet connection, etc.)

A "spare" identical router sitting on a shelf preconfigured is your
sole "critical component" (if a switch dies, just replace it with
another generic switch!)

If the number of devices on A, C or D increases beyond current
capacity, just cascade switches (or buy a larger one).  If you
want to have a publicly accessible *server* (i.e., that can
be accessed from The Internet), hang it on switch B.

This *should* be a simple, low cost solution because there isn't
really much traffic *through* the router (A and D don't talk to each
other; B is inherently bandwidth limited by the WLAN connection;
anything shared on C would tend to be sporadic use (printers,
file server, etc.)).

It just seems like the VLAN route means you're always worrying about
reconfiguring appliances/switches when things change/grow.  (?)
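To make the "simple rules for a 4 port router" concrete, here is an added example (not part of the original thread, and not code from any product mentioned in it) that models the inter-segment policy described above as a stateful forwarding policy, classifies addresses into the four zones, audits the policy for the two properties the thread cares about (no path from the internet side B into the shared-resource switch C, and no path between A and D), and renders an equivalent nftables forward chain. The subnets, interface names, and the choice to express rules as "who may initiate" (with replies allowed by connection tracking) are assumptions made for the example.

```python
"""Model of the four-segment router policy from the thread (added example).

Zones, taken from the discussion:
  A = internal machines          B = internet link / public servers
  C = shared resources           D = loosely coupled machines
Subnets and interface names below are constructed for the example.
"""
import ipaddress

# Constructed: one subnet per router port.
ZONES = {
    "A": ipaddress.ip_network("10.0.1.0/24"),
    "B": ipaddress.ip_network("10.0.2.0/24"),
    "C": ipaddress.ip_network("10.0.3.0/24"),
    "D": ipaddress.ip_network("10.0.4.0/24"),
}

# Constructed: the router interface facing each switch.
IFNAMES = {"A": "eth_a", "B": "eth_b", "C": "eth_c", "D": "eth_d"}

# Which zone may *initiate* a connection to which (assumption: the router
# is stateful, so replies to an allowed connection are accepted without a
# separate rule). Intra-zone traffic never crosses the router.
POLICY = {
    ("A", "C"),   # internal machines use the shared resources
    ("D", "C"),   # other machines use the shared resources
    ("A", "B"),   # internal machines reach the internet / public servers
    ("D", "B"),   # other machines reach the internet / public servers
}
# Everything else (notably B -> C and A <-> D) is denied by default.


def zone_of(ip):
    """Return the zone name an address belongs to, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def forward_allowed(src_ip, dst_ip):
    """Would the router let src_ip open a new connection to dst_ip?"""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False          # unknown address on either side: default deny
    if src == dst:
        return True           # same switch; the router is not on the path
    return (src, dst) in POLICY


def audit_policy(policy=POLICY):
    """Check the invariants the thread calls out; return a list of findings."""
    findings = []
    # A printer (or anything on C) must not be reachable from the internet side.
    if ("B", "C") in policy:
        findings.append("B may initiate to C: shared resources exposed")
    # A and D are meant to be isolated from each other.
    for pair in (("A", "D"), ("D", "A")):
        if pair in policy:
            findings.append(f"{pair[0]} may initiate to {pair[1]}")
    return findings


def render_nft(policy=POLICY):
    """Render the policy as an nftables forward chain (default drop)."""
    lines = [
        "table inet router {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for src, dst in sorted(policy):
        lines.append(f'    iifname "{IFNAMES[src]}" oifname "{IFNAMES[dst]}" accept')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nft())
    print("audit findings:", audit_policy() or "none")
```

Adding a switch or a printer changes nothing here: a new device inherits the policy of whichever port its switch hangs from, which is the maintenance property the post is after. The audit function is the check a practitioner would keep around, so that a later "just allow it" edit to POLICY that quietly opens B to C is caught.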
