how to ip adress a typical office network
Posted on 2005-03-20
i thought this would be an easy question, but after several hours of googleing, i am giving up and asking the experts. this should be a 101 setup for most small to mid-sized company networks. i am looking for real world explantion / "how to" and not an in-depth discussion on binary, subnetting and routing. first let me introduce the network parts:
1. firewall with multple interfaces like a netscreen 5gt or above
2. foxnet - physically seperate network with its own switch, contains vpn access points and wireless access points ex: 192.168.25.X / 255.255.255.0 i should never have more than 255 access points or vpn clients using these ip address so this class and subnet work fine
3. sheepnet - office workstations, printers etc 172.16.x.x / 255.255.x.x
4. servernet - server farm, files, mail, applications etc 172.16.x.x / 255.255.x.x
obviously the idea is to create a secure network. the part i understand is connecting foxnet and sheepnet to the firewall and setting up rules so foxnet can not access sheepnet. what i am not sure about is how to handle servernet. below are my questions:
1. should sheepnet and servernet be seperated?? if so how??
a. should sheepnet and servernet be seperate physical networks such as 172.16.20.x and 172.16.25.x requiring each network to have its own switch and the firewall to route? the pro would be enabling rules in the firewall between the networks, the cons would be all traffic between workstations and servers would now have to go through the firewall interface, a potential bottleneck.
b. should sheepnet and servernet use the same physical network such as 172.16.5.x and then us seperate subnets? this would elminate the firewall interface bottle neck. but i am not sure how i would ip the server vs the workstation. also i am not sure how to make select clients or servers see both subnets
c. should sheepnet and server net be consolidated into one physical network??? the concern being a workstation with a virus, trojan or spyware could then scan the servers.
hopefully this makes sense. again i am looking for the actual ip and subnet for the server and workstation, not a discusion on bits. i understand the bits, its the real world application that i need.