[Tfug] Network partitioning

vaca at grazeland.com
Sat Nov 2 07:11:22 MST 2013


You want to configure routing and ACLs on a router but think VLANs are too confusing.  That's your call, but you're really talking about the same level of knowledge for the most part.  You say you want something built for this purpose, well there you go.  You will need a routing and ACL capable router and a pile of generic switches, or you will need one switch that can do it all.  Either way you have to know which switch is on what LAN or what ports are on each LAN.  Either solution works fine but some configuration and knowledge will be needed in either case.

The bottom line is this: You want something more complicated than a normal home LAN so you are going to have to increase the level of involvement and knowledge.

On Nov 2, 2013, at 3:08 AM, Bexley Hall <bexley401 at yahoo.com> wrote:

> Hi Tyler,
> 
> On 11/2/2013 2:33 AM, vaca at grazeland.com wrote:
>> Potato, po-tah-to here.  Your "domains and router" are in actuality
>> my "VLANs with routing between them."
> 
> Understood.  But, would you push a VLAN approach on folks who
> have no IT department?  Or, a "hardware" (-ish) solution where
> they just "know" to plug THIS into THAT if you want THIS to
> talk to THAT; otherwise, plug it into THEOTHERTHING?
> 
> Putting a (cheap?) preconfigured 4 port router on a shelf seems
> a bit safer than a set of preconfigured switches (with detailed
> instructions as to how they would have to be used -- "Ports 1-6
> are A; port 7 is B; ports 8-16 and 1-4 on the second switch are
> C; ..." along with warnings like "If a port on a switch fails,
> be sure to pick a replacement port that is in the same group -- not
> all ports are interchangeable")
> 
>> The "pre-configured" ports A,B, etc are really pre-built "ACLs."
> 
> Of course!  But you either put them in a 4 port switch (which brings
> you back to my "router" solution) *or* distribute them throughout your
> fabric (or -- *gasp* -- hosts!).
> 
>> I tend to think of just doing it all on one device and letting the
>> configuration drive everything versus your approach which would be
>> more old-school.
> 
> Put it all in one device means one *big* (not so cheap) switch.
> I am hoping to leave the choice of switches, etc. unconstrained
> for the future.  I'd hate to say, "buy another 48 port switch
> like this one and keep it on the shelf -- just in case".  Then,
> shrug when asked "What happens when we need more ports?"
> 
>> Instead of VLANs, you have true separate LANs.
> 
> Yes.
> 
>> This requires more hardware and isn't as scalable or flexible.
> 
> Yes.  But it is also a lot easier for non-technically-inclined
> folks to manage thereafter!  Need more ports on A?  Buy a bigger
> switch (or cascade).  The 4 port router (and its configuration!)
> remains unchanged.  (sure, you can hang another switch on a
> VLAN switch but then why use anything bigger than 4 ports for
> that VLAN switch?)
> 
> I'm stingy with my time.  I don't like coming up with solutions
> that are likely to require my presence to keep them running  :-/
> 
>> Either way you can preconfigure everything and make it either simple
>> or complex at your own discretion.  This is also a pretty "standard"
>> or "normal" way of accomplishing your goals, so you would have a lot
>> of choices and folks that can help you.
> 
> I was actually hoping that someone made a *turnkey* solution as
> this sort of partitioning seems like it would be fairly common
> (A and D being internal and public networks; C shared resources
> available to anyone on those networks; D being exposed devices)
> I.e., an "appliance".
> 
>> Hope this helps clarify.
> 
> Thx!
> --don
> 
> _______________________________________________
> Tucson Free Unix Group - tfug at tfug.org
> Subscription Options:
> http://www.tfug.org/mailman/listinfo/tfug_tfug.org
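As an added illustration (not from either poster), this is what the "preconfigured 4 port router with pre-built ACLs" discussed above could look like as an nftables ruleset on a Linux box with four interfaces, one per segment. The interface mapping, the admin port and the exact permit/deny matrix are assumptions: A and B are internal networks, C holds the shared resources reachable from A and B, and D is the exposed segment that may answer connections but never start them toward A, B or C.

```nft
#!/usr/sbin/nft -f
# Added example: a 4-interface Linux router acting as the partition appliance.
# Assumed interface mapping (not from the thread): eth0=A, eth1=B, eth2=C, eth3=D.
flush ruleset

table inet partition {
    # Segment-to-segment policy is written per ingress/egress interface pair,
    # so the switches hanging off each port can be replaced or cascaded
    # without touching this file.
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Return traffic for connections already permitted; anything else must match below.
        ct state established,related accept
        ct state invalid drop

        # Internal segments A and B may reach the shared-resources segment C.
        iifname { "eth0", "eth1" } oifname "eth2" accept

        # Internal segments may reach the exposed segment D
        # (assumption: A and B administer the exposed devices).
        iifname { "eth0", "eth1" } oifname "eth3" accept

        # No rule exists for A<->B or for anything D initiates, so those
        # flows fall through to the default drop; log them so a device
        # plugged into the wrong port shows up immediately.
        log prefix "partition-drop: " counter drop
    }

    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # Management of the router itself only from segment A (assumption).
        iifname "eth0" tcp dport 22 accept
    }
}
```

Load it with `nft -f` on the router; a host that cannot reach what it should is then diagnosed by the port it is plugged into and the `partition-drop:` log lines, not by the switch configuration.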
