[Tfug] Network partitioning
Bexley Hall
bexley401 at yahoo.com
Sat Nov 2 03:08:18 MST 2013
Hi Tyler,
On 11/2/2013 2:33 AM, vaca at grazeland.com wrote:
> Potato, po-tah-to here. Your "domains and router" are in actuality
> my "VLANs with routing between them."
Understood. But, would you push a VLAN approach on folks who
have no IT department? Or, a "hardware" (-ish) solution where
they just "know" to plug THIS into THAT if you want THIS to
talk to THAT; otherwise, plug it into THEOTHERTHING?
Putting a (cheap?) preconfigured 4 port router on a shelf seems
a bit safer than a set of preconfigured switches (with detailed
instructions as to how they would have to be used -- "Ports 1-6
are A; port 7 is B; ports 8-16 and 1-4 on the second switch are
C; ..." along with warnings like "If a port on a switch fails,
be sure to pick a replacement port that is in the same group -- not
all ports are interchangeable")
> The "pre-configured" ports A,B, etc are really pre-built "ACLs."
Of course! But you either put them in a 4 port switch (which brings
you back to my "router" solution) *or* distribute them throughout your
fabric (or -- *gasp* -- hosts!).
> I tend to think of just doing it all on one device and letting the
> configuration drive everything versus your approach which would be
> more old-school.
Putting it all in one device means one *big* (not so cheap) switch.
I am hoping to leave the choice of switches, etc. unconstrained
for the future. I'd hate to say, "buy another 48 port switch
like this one and keep it on the shelf -- just in case". Then,
shrug when asked "What happens when we need more ports?"
> Instead of VLANs, you have true separate LANs.
Yes.
> This requires more hardware and isn't as scalable or flexible.
Yes. But it is also a lot easier for non-technically-inclined
folks to manage thereafter! Need more ports on A? Buy a bigger
switch (or cascade). The 4 port router (and its configuration!)
remains unchanged. (sure, you can hang another switch on a
VLAN switch but then why use anything bigger than 4 ports for
that VLAN switch?)
I'm stingy with my time. I don't like coming up with solutions
that are likely to require my presence to keep them running :-/
> Either way you can preconfigure everything and make it either simple
> or complex at your own discretion. This is also a pretty "standard"
> or "normal" way of accomplishing your goals, so you would have a lot
> of choices and folks that can help you.
I was actually hoping that someone made a *turnkey* solution as
this sort of partitioning seems like it would be fairly common
(A and D being internal and public networks; C shared resources
available to anyone on those networks; D being exposed devices).
I.e., an "appliance".
> Hope this helps clarify.
Thx!
--don
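As an added illustration (not part of the thread, and not anyone's deployed config), this is what the "preconfigured 4 port router" could look like as an nftables ruleset on a Linux box with four NICs. The interface names and the rules for the exposed network (D) are assumptions; the thread only states that A and B may reach the shared resources on C.

```nft
#!/usr/sbin/nft -f
# Added example: a four-port Linux router with one physical LAN per port.
# Interface names are assumed:
#   lan_a = internal network     lan_b = public network
#   lan_c = shared resources     lan_d = exposed devices
flush ruleset

table inet zones {
    chain forward {
        # Nothing crosses between ports unless a rule below allows it.
        type filter hook forward priority 0; policy drop;

        # Return traffic for sessions that were allowed to start.
        ct state established,related accept
        ct state invalid drop

        # Anyone on A or B may use the shared resources on C.
        iifname { "lan_a", "lan_b" } oifname "lan_c" accept

        # Assumption: only the internal network may open connections to
        # the exposed devices; D never initiates toward A, B or C.
        iifname "lan_a" oifname "lan_d" accept

        # Everything else (A<->B, C->*, D->*) is logged and dropped.
        log prefix "zones-drop: " drop
    }
}
```

Because the policy keys only on the router's own interfaces, the switch hanging off each port can be replaced or cascaded without touching this file, which is the property the thread is after.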