
IP addressing and DHCP plan

Discussion in 'Networking' started by qwerty92, Jan 24, 2016.

  1. qwerty92 (Thread Starter; joined Jan 24, 2016; 2 messages)
    I have the following scenario:

    • A LAN of 30 workstations, 1 file server, 1 mail server.
    • A second LAN of 10 workstations and 1 file server.
    • A way to connect the 2 LANs together and connect them to the internet.
    • Static routing, providing connections from all computers to the Internet.
    • The internal mail server must be accessible from the internet.
    • A way to serve visitors, giving them access to the internet when they plug in their computer, only from the first LAN.
    I have already made a basic network diagram but I don't know how to design the

    • IP settings of the network design.
    • Tables of open ports and services, for those hosts that will have any.
    • Routing tables for any routers.
    • Table with NAT settings, if any.
    • Table with DHCP settings.
    I'm a programmer and I'm a trainee in an IT department. Unfortunately the network admin is on vacation and I have to design this and present it to the IT manager. So, any help is more than welcome.
     
  2. zx10guy (Trusted Advisor, Spam Fighter; joined Mar 30, 2008; 5,954 messages)
    Don't take any offense to this, but if your IT manager asked a programmer with no experience designing networks to do this project...your manager is a total idiot. Why the rush to get this designed? The network admin is only on vacation. This should wait till he gets back. That's why they hired him. I know I would not be happy if I went on vacation and someone stepped in that isn't even qualified to do my work built out something I am going to be responsible to support.
     
  3. qwerty92 (Thread Starter; joined Jan 24, 2016; 2 messages)
    That's another topic. See, the small company I work for is in Greece and it's a common practice to dump the work of one person onto another..
    You're definitely right on what you're saying...
    Thank you for your advice, but me saying this to my employer is not an option.



    So far I've made this:

    http://i.imgur.com/je4A7Bi.png

    All I need is someone who is an expert in small-mid office networks to translate this scenario to ip addresses, ip range, subnets, a basic routing table etc.

    For someone else it may be a 15min work, for me it's impossible..
     
  4. zx10guy (Trusted Advisor, Spam Fighter; joined Mar 30, 2008; 5,954 messages)
    This project isn't that hard for anyone with any networking experience. The approach will be dependent on the equipment you are using. On my home network I use a couple of firewalls: a SonicWall TZ400 and a Cisco ASA 5505. Both are set up to do NAT and both support multiple subnets. The SonicWall has 7 internal subnets defined on it and the Cisco has 13 subnets. The way I see it, you should use 4 subnets. Two for the workstations you separated by the switches (assuming the grouping of the workstations by the switches implies you want to keep them separate) and one subnet each for the servers you have separated by switch domains.

    The reason why you want the servers separated is because you don't want to allow unfettered access to the servers when they're attached to the same layer 2 network as the workstations. The reason why you want the servers on a different subnet is to allow the use of firewall rules to control how people/devices gain access to the servers. This also brings up another discussion. You should definitely be using a managed-type switch for this. You want those servers logically separated via the use of VLANs.

    This is how I always approach creating subnets. I use the third octet in the IPv4 schema to define subnet groupings. So the one group of workstations would have say .50.x as their subnet. The second would have .51.x as their subnet. The two servers on the one switch would have .30.x and the last server would have .31.x. The selection of the subnet schema has to mean something to you. That's why the IT manager should not be a manager and needs to find another job. There's as much art as there is science in building out networks. How I do it can be totally different than how someone else does it.

    DHCP can be handled by the central firewall. Both of my firewalls act as DHCP servers on multiple subnets.

    There is no need for any configuration of the firewall's route tables. All the subnets are configured on the firewall as this will be the default gateway for all the subnets you define. Since the firewall is handling all the routing for all subnets, all the subnets are locally attached and the firewall is aware of how to move packets between subnets.

    The NAT policy you would use for all of the subnets to get out to the Internet would be a NAT overload or from Cisco's standpoint a PAT (port address translation) rule. You are defining a NAT policy which has an entire subnet mapped to a single external IP address; in this case the external address is the ISP provided public IP. You have to follow up with a NAT exemption rule to allow specific routing between subnets. If you don't do this, the firewall will not know how to handle traffic between internal subnets. For the email server to be accessible externally, the best situation is to get a unique public IP from your ISP for this purpose and do a static one to one NAT. This will allow you to build specific firewall policies and minimize any possible misconfiguration issues with the rest of the network.

    And as far as guest access, you really want to have a fifth subnet and isolate that part on a separate VLAN. If you're intent on using a wired connection for guest access, you would need to use 802.1x, which is a feature of managed switches, and a NAC (network admission control) device to coordinate all of this. What will happen when this is all configured is if the device plugging in to a switch port is not known or authenticated to the network, it will be placed into a VLAN set by policy, in this case the guest VLAN. Wireless makes things a bit easier as you can define a specific guest SSID.

    There are a ton of other considerations which I haven't even touched on which are going to be specific to the environment you're deploying this in. And I'll say it again, your manager needs to find another job expecting someone without networking experience to put this together especially since he has a network admin on staff already.
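The five-subnet plan, DHCP ranges and the three kinds of NAT rule described in the reply above, worked through as an added example (not from the thread or from any vendor's configuration). The 10.0.x.0/24 base, the TEST-NET public addresses, the mail server's host address and the "guests only reach the Internet" rule are assumptions made for the example.

```python
"""Worked IP/DHCP/NAT plan for the five-subnet design discussed in the thread."""
from ipaddress import IPv4Address, IPv4Network

# Constructed private addressing using the third octet as the subnet group
# (.50/.51 workstations, .30/.31 servers, plus a fifth guest subnet).
SUBNETS = {
    "lan1_workstations": IPv4Network("10.0.50.0/24"),
    "lan2_workstations": IPv4Network("10.0.51.0/24"),
    "lan1_servers":      IPv4Network("10.0.30.0/24"),  # file server + mail server
    "lan2_servers":      IPv4Network("10.0.31.0/24"),  # file server
    "guest":             IPv4Network("10.0.99.0/24"),  # guest VLAN, Internet only
}
PUBLIC_PAT_IP = IPv4Address("203.0.113.10")   # assumed ISP address for PAT/overload
MAIL_PUBLIC_IP = IPv4Address("203.0.113.11")  # assumed second public IP, 1:1 NAT
MAIL_PRIVATE_IP = IPv4Address("10.0.30.25")   # assumed static address of mail server

def gateway(net):
    """The firewall interface on each subnet is the first usable host (.1)."""
    return net.network_address + 1

def dhcp_pool(net, reserved_hosts=20):
    """Dynamic range: skip the gateway plus a static block for servers/printers."""
    hosts = list(net.hosts())              # .1 .. .254 for a /24
    return hosts[reserved_hosts], hosts[-1]

def subnet_of(ip):
    """Name of the internal subnet containing ip, or None if it is external."""
    ip = IPv4Address(ip)
    return next((n for n, net in SUBNETS.items() if ip in net), None)

def nat_action(src, dst):
    """Which rule a flow hits: exemption, overload/PAT, static 1:1, or nothing."""
    src, dst = IPv4Address(src), IPv4Address(dst)
    s, d = subnet_of(src), subnet_of(dst)
    if s == "guest" and d is not None:
        return "deny"                      # guests are isolated from internal nets
    if s and d:
        return "nat-exempt"                # internal to internal: never translated
    if s and not d:
        return f"pat:{PUBLIC_PAT_IP}"      # whole subnet overloaded on one public IP
    if dst == MAIL_PUBLIC_IP:
        return f"static:{MAIL_PRIVATE_IP}" # inbound mail via one-to-one NAT
    return "drop"                          # anything else from outside

def check_no_overlap(nets=SUBNETS):
    """Sanity check before handing the plan over: no two subnets may overlap."""
    vals = list(nets.values())
    return not any(a.overlaps(b) for i, a in enumerate(vals) for b in vals[i + 1:])
```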