Solved

Routing between two different subnets

Posted on 2004-04-26
Last Modified: 2010-03-18
I am running a Windows 2000 Server environment with Win 2000 and XP clients.
We have one physical network with a set of public IP addresses, e.g. 101.1.9.1 - 101.1.9.254. We recently ran out of these addresses and so have been assigned another subnet, 101.1.12.1 - 101.1.12.254. We wish to use both subnets but I am unsure of the best way to connect the two. We have a choice of either using one of our existing fileservers to do the routing, or we have a Layer 3 switch which I have been told could possibly do it also.
Which would be the best solution to use? I have been told that using the server for routing may cause problems by putting too much load on the server.

Thanks

Andrew
Question by:NetAdmin_UK
14 Comments

Expert Comment

by:JammyPak
ID: 10918441
Not exactly answering your question, but is there any reason why every machine needs to have a public address?

My recommendation would be to use private addressing...say, a Class B 10.1.x.x (giving you 65000+ addresses) and then use a firewall or proxy to access public sites on the 'net.


Author Comment

by:NetAdmin_UK
ID: 10918548
Unfortunately yes we have to have public IP's as we have a WAN link to other offices with access controlled by IP address.

Expert Comment

by:jamesreddy
ID: 10918600
You can use private IP's over a WAN environment.  I assume you have routers at each site?  If so, the routers can be set for the public IP addresses, and resolve all the clients to a single address...unless, of course, you're saying that you need to control individual computer access between sites, then I can see the need.  Perhaps some kind of control utilizing MAC addresses can be considered...?

To answer your question...you should purchase a router.  Doesn't have to be anything fancy, but it really is your best option for combining two separate ranges.  It'll make administration easier down the road.  Some fairly inexpensive routers that would do the trick nicely for you are Netopia routers.  I've not had any problems with them...I prefer Cisco, of course, but you're looking at a cost issue there.

James

Author Comment

by:NetAdmin_UK
ID: 10918648
Yes we need to control individual access between sites. Plus Company policy says we must use these IP's.
We were considering a router but I have read that a 'Layer 3' switch (which is what all our switches are) operates the same as a router, so I figured this would be the best option.

Accepted Solution

by: jamesreddy (earned 125 total points)
ID: 10918710
Ummm...no...not really.  Layer 3 routers are not the same as routers at all.  Yes, they can be used to combine subnets, but over a WAN link?   That's a major security risk....

In any event, I found the following article on EE that seems to agree with that assessment (yours, that is).  Given the information I get from here, I am inclined to believe that the Layer 3 switch would suit your purposes.  We have layer 3 switches here and I have found them effective at combining subnets, but I would never endanger my network by using it over a WAN link.

http://www.experts-exchange.com/Hardware/Routers/Q_20868261.html

Just my opinion...but here is the link to the article.

James

Author Comment

by:NetAdmin_UK
ID: 10918901
Okay, so the switch should do the job. Not sure I understand your concern about the WAN, but this is for internal routing only (within the building), nothing to do with the external WAN link. So I didn't think it should be an issue.

Expert Comment

by:jamesreddy
ID: 10919157
Anything with a public address is subject to security risks...a public address is usually accessible by other means.  For example, when users use the internet, since they all have public IPs, that information is easily identified and opens up your network to a host of security issues.  A router/firewall combo can stop that stuff dead in its tracks.  The Windows XP firewall should be enabled at a MINIMUM, but it isn't all that effective.

Understand, I used to work for the U.S. Air Force in security, so security is something I get pretty crazy about.  Your network would give me a heart attack, the way it is set up!  :)

So once again...the switch will likely do the trick, but I still highly recommend a router/firewall.

James

Author Comment

by:NetAdmin_UK
ID: 10919348
We are behind our own firewall. Which is in turn behind the Company firewall so don't think it will be an issue.

Expert Comment

by:jamesreddy
ID: 10919445
Ok...then nevermind!  :)  Layer 3 switch should do the trick then.

Author Comment

by:NetAdmin_UK
ID: 10919775
I understand that if we were trying to bridge two separate segments on a network you would bridge 2 ports on the connecting switch. But in my case we are bridging 2 subnets all on the same physical LAN. Can you shed any light on how this is done, or am I pushing my luck?

Expert Comment

by:jamesreddy
ID: 10919894
What kind of L3 switch do you have?  Make/model.

Expert Comment

by:kreaganoutsourceditbiz
ID: 10970278
OK, new to the discussion here.

Back to your original question, should you use the server or the switch to do the routing?  I would use the switch, otherwise, when you take your server down, you also literally take your network down.  Modular is good.

OK, here is my take on the subject....

If my workstation needs to communicate with another IP address, it takes that IP address and determines if it is on the same subnet.  If not, it then forwards the request to the default gateway.  The default gateway is then responsible for delivery.  The default gateway then uses a very similar process to determine what to do with the packet.

So, you need a router or a switch with routing functions.  In either case you will need to have two IP Addresses assigned to the device - one from each internal subnet.  It will know what to do with the packet.

The Intel web site has a short page describing a Layer 3 switch.  It is short and helpful.  It may help you with your needs.

http://support.intel.com/support/express/switches/10/23364.htm

Author Comment

by:NetAdmin_UK
ID: 11029416
Thanks for the link. We have been given another suggestion which may sort the problem without the need for using a switch or Router.
As we have the two subnets 101.1.9.0 and 101.1.12.0, we are thinking about just changing the subnet mask to 255.255.0.0 instead of 255.255.255.0. This seems to work in a test scenario we set up (I didn't think it would, because the way I understand it this should not allow any traffic to go outside our network, which is on 106.1.x.x), but everything seems okay. I'm sure there will be some disadvantages to doing it this way (maybe speed in finding an address which is external?) and I'm just trying to find out about them before implementing it.

Expert Comment

by:JammyPak
ID: 11030976
there are some fairly major impacts of what you're planning to do.

If you change your mask to 255.255.0.0, then you will never be able to communicate with anyone whose public IP addresses are 101.1.1, 101.1.2, 101.1.3....basically anyone on the 101.1 range who's not you. So...if you can't visit certain websites, can't send/receive email from certain companies...that will be why.

You *can* change the mask to do what's called 'supernetting' but you need to have a block of contiguous address ranges - which you don't. There's no subnet mask that will work for only .9 and .12 and no other networks.

I really wouldn't do this if I were you.
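The two technical points in this thread, kreaganoutsourceditbiz's description of how a host picks between on-link delivery and the default gateway (and how the router then repeats that decision), and JammyPak's warning that a 255.255.0.0 mask makes every other 101.1.x.x network look local, can both be checked with a few lines of code. The following is an added worked example, not code from the thread or from any poster: it uses the 101.1.9.0/24 and 101.1.12.0/24 ranges quoted in the question, while the host, gateway and firewall addresses in it are assumed for illustration. It also shows the general case JammyPak alludes to, namely the smallest single prefix that would cover both /24s and the unrelated networks it drags in.

```python
"""Subnet decisions behind the 'two subnets, one LAN' question.

Added example for the thread above; not the thread's own code.
Networks 101.1.9.0/24 and 101.1.12.0/24 come from the question; the
specific host, gateway and firewall addresses below are assumed.
"""
import ipaddress


def is_on_link(local_ip, mask, dest_ip):
    """The host-side test kreaganoutsourceditbiz describes: AND local
    and destination addresses with the mask; equal network parts mean
    'deliver directly (ARP on the LAN)', otherwise 'hand to the gateway'."""
    net = ipaddress.IPv4Network((local_ip, mask), strict=False)
    return ipaddress.IPv4Address(dest_ip) in net


def next_hop(local_ip, mask, gateway, dest_ip):
    """Address the host will ARP for when sending to dest_ip."""
    return dest_ip if is_on_link(local_ip, mask, dest_ip) else gateway


# Routing table of the device doing the inter-subnet forwarding (the
# Layer 3 switch, or RRAS on the server): one interface address in each
# subnet plus a default route towards the firewall.  101.1.9.254 is an
# assumed firewall address, not one given in the thread.
ROUTER_TABLE = [
    ("101.1.9.0/24", "direct"),
    ("101.1.12.0/24", "direct"),
    ("0.0.0.0/0", "101.1.9.254"),
]


def router_lookup(dest_ip, table=ROUTER_TABLE):
    """Longest-prefix match: the gateway repeats the host's decision with
    a table instead of a single mask; the most specific route wins."""
    dest = ipaddress.IPv4Address(dest_ip)
    best_net, best_hop = None, None
    for prefix, hop in table:
        net = ipaddress.IPv4Network(prefix)
        if dest in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def swallowed_networks(local_ip, mask, own_nets):
    """/24s that a widened mask makes look 'on-link' although they are
    somebody else's: packets for them are ARPed on the LAN and never
    reach the gateway, which is JammyPak's objection to 255.255.0.0."""
    wide = ipaddress.IPv4Network((local_ip, mask), strict=False)
    own = {ipaddress.IPv4Network(n) for n in own_nets}
    return [str(s) for s in wide.subnets(new_prefix=24) if s not in own]


def smallest_supernet(nets):
    """Smallest single prefix covering all of nets.  For .9 and .12 this
    is 101.1.8.0/21, which also covers .8, .10, .11, .13, .14 and .15:
    supernetting only works cleanly on contiguous, aligned blocks."""
    ns = [ipaddress.IPv4Network(n) for n in nets]
    covering = ns[0]
    while not all(n.subnet_of(covering) for n in ns):
        covering = covering.supernet()
    return covering


if __name__ == "__main__":
    host, gw = "101.1.9.10", "101.1.9.1"          # assumed addresses
    print("/24 mask, dest 101.1.12.20 ->", next_hop(host, "255.255.255.0", gw, "101.1.12.20"))
    print("/16 mask, dest 101.1.12.20 ->", next_hop(host, "255.255.0.0", gw, "101.1.12.20"))
    print("/16 mask, dest 101.1.3.7   ->", next_hop(host, "255.255.0.0", gw, "101.1.3.7"))
    print("router: 101.1.12.5 ->", router_lookup("101.1.12.5"), "; 8.8.8.8 ->", router_lookup("8.8.8.8"))
    lost = swallowed_networks(host, "255.255.0.0", ["101.1.9.0/24", "101.1.12.0/24"])
    print(len(lost), "foreign /24s become unreachable, e.g.", lost[:3])
    print("smallest covering prefix:", smallest_supernet(["101.1.9.0/24", "101.1.12.0/24"]))
```

Run it as-is to see the three cases side by side: with a /24 mask the host hands 101.1.12.20 to its gateway, which is the only way the switch or server ever gets to forward it; with a /16 mask the host ARPs for 101.1.12.20 directly (which is why the test in the thread appeared to work) but it also ARPs for 101.1.3.7 and the other 253 foreign /24s, and those packets simply die on the LAN. The supernet function shows the best a mask-only approach can do: 101.1.8.0/21, which is still wrong for six networks that are not yours.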