  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 531

Supernet routing

NetworkA 10.10.0.0 /16
RouterA  10.10.20.1

NetworkB 10.10.98.0 /16
RouterB  10.10.20.10

I need to have all PCs on NetworkB to go to a default gateway at 10.10.20.10 while NetworkA uses the gateway of 10.10.20.1.  RouterB will pass all traffic from NetworkB to NetworkA’s router at 10.10.20.1

I’m doing this so that I can use DHCP to ‘tag’ user computers that I want to filter/monitor internet activity on.  Most users are assigned an IP like 10.10.99.1, while those suspected of abusing Internet privileges will get an IP addr like 10.10.98.1.  The main router at 10.10.20.1 handles mapping our internal IPs to the proxy server and the router at 10.10.20.10 will simply add an extra step so that I can monitor traffic on that super-net.  I will use DHCP reservations to assign the 10.10.98.x addresses and change the default gateway from 10.10.20.1 to 10.10.20.10.

Is this scenario doable and can anyone point me in the right direction?
The router I have available is Cisco's ASA 5505.  
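Much of the thread below turns on whether the two /16 lines above describe one network or two, and on whether a host in 10.10.98.x can actually use 10.10.20.10 as its gateway. The following Python check is an added example, not part of the question or of any product mentioned on the page; it uses only the addresses in the question plus a constructed 10.10.98.0/24 alternative and constructed host masks for contrast. It shows that the two /16 prefixes are the same network, that a router can only steer 10.10.98.x differently when a more specific route exists, and that the /16 host mask is what keeps RouterB on-link for those hosts.

```python
import ipaddress

# Addresses are the ones given in the question; NETWORK_B_AS_24 and the host
# masks used below are constructed here for contrast, not from the post.
NETWORK_A = ipaddress.ip_network("10.10.0.0/16")
NETWORK_B_AS_POSTED = ipaddress.ip_network("10.10.98.0/16", strict=False)
NETWORK_B_AS_24 = ipaddress.ip_network("10.10.98.0/24")
ROUTER_A = ipaddress.ip_address("10.10.20.1")
ROUTER_B = ipaddress.ip_address("10.10.20.10")


def same_prefix(a, b):
    """True when two prefixes cover exactly the same addresses; a /16 written
    with a different base address is still the same network."""
    return a == b


def next_hop(dest, table):
    """Longest-prefix match over a list of (network, gateway) pairs.
    On a tie the first entry wins, as a forwarding table would for two
    equal-length routes without ECMP. Returns the gateway, or None."""
    dest = ipaddress.ip_address(dest)
    best = None
    for net, gw in table:
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return None if best is None else best[1]


def gateway_on_link(host_cidr, gateway):
    """A host can only use a default gateway it can ARP for, i.e. one that
    lies inside the subnet its own mask defines."""
    return ipaddress.ip_address(gateway) in ipaddress.ip_interface(host_cidr).network


# Table exactly as posted: two identical /16 prefixes, so RouterB is never chosen.
TABLE_AS_POSTED = [(NETWORK_A, ROUTER_A), (NETWORK_B_AS_POSTED, ROUTER_B)]
# Table with NetworkB narrowed to a /24 inside the /16 (constructed alternative).
TABLE_WITH_24 = [(NETWORK_A, ROUTER_A), (NETWORK_B_AS_24, ROUTER_B)]


def summary():
    """Collect the checks a reader of this thread would want to see."""
    return {
        "b_is_same_as_a": same_prefix(NETWORK_A, NETWORK_B_AS_POSTED),
        "98_via_posted_table": str(next_hop("10.10.98.1", TABLE_AS_POSTED)),
        "98_via_24_table": str(next_hop("10.10.98.1", TABLE_WITH_24)),
        "99_via_24_table": str(next_hop("10.10.99.1", TABLE_WITH_24)),
        # With a /16 mask both routers are on-link for a 10.10.98.x host,
        # so DHCP can hand out either one as the default gateway.
        "routerb_onlink_slash16": gateway_on_link("10.10.98.1/16", ROUTER_B),
        # With a /24 mask RouterB at 10.10.20.10 is off-link and unusable.
        "routerb_onlink_slash24": gateway_on_link("10.10.98.1/24", ROUTER_B),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value}")
```

The practical reading: with every host keeping a /16 mask, the per-host default gateway handed out by DHCP is what selects RouterB, not a route on RouterA, and that only works because 10.10.20.10 is on-link for a 10.10.98.x host under that mask.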

Asked by N5EMX

2 Solutions
ArneLovius commented:
Perhaps a diagram would be useful to illustrate how these networks work together sharing a /16 across two networks.

 
N5EMX (author) commented:
 
ArneLovius commented:
Changing the default gateway via a DHCP change means waiting for at least 50% of the lease time for the change to be made; apart from that it seems simple enough. If your traffic monitor box can forward packets, you don't even need RouterB, just set the traffic monitoring box as the default gateway.

However, I might do the design slightly differently.

If you split monitoring and filtering into two boxes, or put the filter onto the proxy server, you could then run the monitor on a "span" or "monitor" port on your internal switch and monitor all traffic all of the time and have all traffic go through the filter all of the time.
 
N5EMX (author) commented:
The problem I'm running into is that I cannot make any changes to the default gateway.  My corporate IT personnel own that box and I can only change what is behind that box.  The idea of using some device to segregate a subset of our network so it can be filtered before it gets to the default router is my issue.  The filter box works by sending a block page to the user, but the default gateway is blocking the block page.  I essentially need to add the filter box in the middle between the subset of private IP addresses and the default gateway that routes out to our single public IP.  

The traffic monitor/filter is a Win2008 server and I'm not familiar with routing using this OS.  The last time I tried I only managed to get the server to compete with the default gateway and the network traffic ground to a halt.  I only want to add this additional step to the 10.10.98.x IP range; the rest of the network works fine and I will force a DHCP renewal on the computers that will be monitored.

 
pwindell commented:
This doesn't make any sense to me. You say you have two networks (A & B) yet your diagram shows you have SIX networks (counting the Internet section).

[image: supernet1]
You only need one Router and there is no point in a "Traffic Monitor/Filter" machine when you already have a Proxy server that already does all of that.

Do this:
[image: drawing32]
Do your monitoring/blocking/whatever by using the proxy for that,...that is what proxies do.
 
N5EMX (author) commented:
Our proxy doesn't give us the granularity of denial that we need.  UserSetA only needs to look at WebPageSetA and UserSetB at WebPageSetB.  We are trying to deploy Websense WebFilter so that we can have a white list per user, but our configuration is not allowing the filtering server to send its block page to prevent users from surfing outside of their range.
 
pwindell commented:
You may need to verify your attempts with how Websense intends for you to use their product,...but the Websense product would sit on a machine that is plugged into the "Network A" Switch shown in my diagram.

I don't use Websense myself,..but if it behaves as "its own proxy" then all the Users will have to use Websense as their proxy instead of your real proxy,...then Websense would use your real proxy as an "Upstream Proxy" in what is called a "Proxy Chaining" operation.

If you don't do it correctly you would end up with an infinite proxy chain loop where the users go to the proxy,..then websense,...then back to the proxy,...then back to websense,...,...then back to the proxy,...then back to websense,...,...then back to the proxy,...then back to websense.

Some of the Websense products are specially written for the proxy you actually use and they install on the proxy machine as a "plug-in" to the proxy you are using.
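To make the forwarding loop pwindell describes concrete, here is an added Python simulation of a two-proxy chain. It is not Websense's code, not the real proxy's code, and not from anyone in this thread; the proxy names "filter" and "realproxy", the request contents, and the status numbers 508 and 502 are constructed labels for the simulation. It models the standard defence, the Via header that RFC 7230 requires each proxy to append, and shows both why a correctly chained pair terminates, why a misconfigured pair is caught after one round trip, and why a hop budget is still needed as a backstop when one proxy strips Via.

```python
class Proxy:
    """A minimal forwarding proxy. `name` is the pseudonym it writes into Via;
    `strips_via` models a proxy that discards the incoming Via header."""

    def __init__(self, name, upstream=None, strips_via=False):
        self.name = name
        self.upstream = upstream      # next Proxy in the chain; None = origin server
        self.strips_via = strips_via


def via_entries(raw):
    """Parse a Via header such as '1.1 filter, 1.1 realproxy' into pseudonyms."""
    return [entry.strip().split()[-1] for entry in raw.split(",") if entry.strip()]


def forward(request, proxy, max_hops=10):
    """Push a request through proxy and its upstream chain.
    Returns (status, path). 200: an origin was reached; 508: a proxy found its
    own pseudonym already in Via, i.e. a forwarding loop (constructed label);
    502: the hop budget ran out before any loop was recognised."""
    path = []
    hop = proxy
    for _ in range(max_hops):
        if hop is None:
            return 200, path
        incoming = "" if hop.strips_via else request.get("Via", "")
        seen = via_entries(incoming)
        path.append(hop.name)
        if hop.name in seen:
            return 508, path
        # Append our own entry before handing the request upstream.
        request = dict(request)
        request["Via"] = f"{incoming}, 1.1 {hop.name}" if incoming else f"1.1 {hop.name}"
        hop = hop.upstream
    return 502, path


def proxy_chaining_correct():
    """Filter in front of the real proxy; the real proxy fetches from origin."""
    real_proxy = Proxy("realproxy")
    filter_proxy = Proxy("filter", upstream=real_proxy)
    return forward({"Host": "example.com"}, filter_proxy)


def proxy_chaining_looped():
    """The misconfiguration from the comment: each proxy names the other as upstream."""
    real_proxy = Proxy("realproxy")
    filter_proxy = Proxy("filter", upstream=real_proxy)
    real_proxy.upstream = filter_proxy   # closes the loop
    return forward({"Host": "example.com"}, filter_proxy)


def proxy_chaining_looped_without_via():
    """Same loop, but the real proxy strips Via, so only the hop budget stops it."""
    real_proxy = Proxy("realproxy", strips_via=True)
    filter_proxy = Proxy("filter", upstream=real_proxy)
    real_proxy.upstream = filter_proxy
    return forward({"Host": "example.com"}, filter_proxy)


if __name__ == "__main__":
    print("correct chain:", proxy_chaining_correct())
    print("looped chain:", proxy_chaining_looped())
    print("looped, Via stripped:", proxy_chaining_looped_without_via())
```

When reviewing a real chain, the two things to confirm are that every hop preserves and appends to Via (or the equivalent the product uses) and that the last hop's upstream is the origin, never a proxy earlier in the chain.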
 
N5EMX (author) commented:
Good suggestions, but no concrete solution to my original question.  Will seek a consultant that can come onsite to assess my needs and show me how to approach this.
 
pwindell commented:
I could probably do more, but I just don't know enough about Websense specifically as a product.