[PLUG] network topology question

Petcher, Danielx J danielx.j.petcher at intel.com
Fri Sep 12 14:03:01 UTC 2003


> > From: gilmanhunt at comcast.net [mailto:gilmanhunt at comcast.net]
> > Sent: Friday, September 12, 2003 12:49 PM
> > To: PLUG at lists.pdxlinux.org
> > At work, where I handle the firewall for the company, we have two
> > locations connected by a "leased line" dsl; it's all one big unhappy
> > network. Recently, I've been asked to provide info on "if we get a DSL
> > for the other location, how do the computers know which "line" to go
> > out"? In other words; they'll need to split the network up and add
> > routing etc.
> 
> [Daniel Petcher]
> Determining which directions the packets should go is the function of
> your router. There are several different protocols with varying levels
> of sophistication and ease-of-configuration that your routers will use
> in order to communicate with each other. The simplest protocol is
> called RIP - Routing Information Protocol, but you may wish to take
> advantage of more complex protocols like OSPF - Open Shortest Path
> First. If you're not buying new routers, the capabilities of your
> existing routers will make this decision for you.
> 
> It will be easier to break the network into segments in order for each
> office to prefer its own local Internet connection. You will need some
> sort of a router (or a multihomed computer acting as a router) at each
> office, and if you've got two windows to the Internet, you'll need two
> firewalls to keep naughty folk from tossing a brick through those
> windows.
> 
> This looks like the simplest configuration:
> 
> Internet ---- DSL Modem --- Firewall A ---- Router A --- Office 'A' LAN
>                                               |
>                                               |
>                                               |
>                                           DSL Modem
>                                               |
>                                               |
>                                        Private Leased
>                                         DSL circuit
>                                               |
>                                               |
>                                           DSL Modem
>                                               |
>                                               |
>                                               |
> Internet ---- DSL Modem --- Firewall B ---- Router B --- Office 'B' LAN
> 
> Each office's router knows that traffic for the other office should go
> over the private link and traffic for the Internet should go through
> the firewall.
> 
> After you've established the simple scenario, you can optionally add
> complexity: What if office A's Internet access goes down? It would be
> good for the link to failover and pass Office A's Internet traffic
> through the private link and out office B's Internet connection. It
> should also work in the opposite direction. The routers should be
> programmed to handle this for you. Further desirable complexity would
> be to set up an encrypted connection between the firewalls through the
> Internet to allow inter-office communication if the leased circuit
> should ever fail.
> 
> An additional layer of complexity would be load balancing. If one of
> the direct routes is congested, it might be faster to take the alternate
> route. Routers can be programmed to handle this for you as well.
> 
> You can be your company's own network engineer, but you'll need to do
> some reading to get the needed skills. Alternately, you can hire a
> consultant. I would recommend contacting a network engineer rather
> than trying to learn to BE a network engineer while you're under the
> pressure of having to make it all work. A beginner's mistake could
> endanger your reputation and perhaps your job.
> 
> -djp

Three things I neglected to mention above:
- Breaking your network into segments will almost always require changing
  the IP addresses of network nodes in one or both offices.
- If your ultimate concern is $$$, the firewall and router functions can
  be combined in a Linux computer with three network cards. It takes very
  little computing power to route packets.
- If security is your biggest concern, it would be best to separate the
  routing and firewalling functions into different boxen.
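As an added example, not from either poster, here is what the "Linux computer with three network cards" at Office A would be told: one route for the other office over the private circuit, a default route out the office's own DSL, and a firewall that forwards nothing the rules do not name. It uses current nftables syntax rather than the iptables of the post's era. The interface names (eth0/eth1/eth2), the addresses (RFC 1918 and documentation ranges) and the `next_hop_for` helper, a toy stand-in for the kernel's route lookup, are all assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: the three-NIC Linux router/firewall at Office A.
# Every interface name and address below is an assumption (documentation / RFC 1918 ranges).
WAN_IF=eth0                 # to the office's own DSL modem (Internet)
LINK_IF=eth1                # to the private leased DSL circuit
LAN_IF=eth2                 # to the office LAN
WAN_GW=203.0.113.1          # ISP gateway, placeholder value
LOCAL_LAN=192.168.10.0/24   # Office A after the renumbering the post mentions
REMOTE_LAN=192.168.20.0/24  # Office B
LINK_PEER=10.0.0.2          # Office B's router at the far end of the leased circuit

# Routing: the other office is reached over the private link, everything else
# goes out the office's own DSL. Printed rather than run so it can be reviewed first.
routing_commands() {
  printf 'ip route replace %s via %s dev %s\n' "$REMOTE_LAN" "$LINK_PEER" "$LINK_IF"
  printf 'ip route replace default via %s dev %s\n' "$WAN_GW" "$WAN_IF"
}

# Firewall (nftables): nothing is forwarded unless a rule allows it. The LAN may
# reach the Internet and the other office, the other office may reach the LAN,
# and the Internet gets nothing but replies to connections the inside started.
firewall_rules() {
  cat <<EOF
table inet office_fw {
  chain input {
    type filter hook input priority 0; policy drop;
    iifname "lo" accept
    ct state established,related accept
    iifname "$LAN_IF" accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iifname "$LAN_IF" oifname "$WAN_IF" ip saddr $LOCAL_LAN accept
    iifname "$LAN_IF" oifname "$LINK_IF" ip daddr $REMOTE_LAN accept
    iifname "$LINK_IF" oifname "$LAN_IF" ip saddr $REMOTE_LAN accept
  }
}
table ip office_nat {
  chain postrouting {
    type nat hook postrouting priority 100;
    oifname "$WAN_IF" masquerade
  }
}
EOF
}

# Toy version of the router's decision: which interface a packet to DST leaves on.
# The kernel does real longest-prefix matching; this only mirrors the two routes
# above for the /24 networks used here.
next_hop_for() {
  dst=$1
  case "$dst" in
    "${REMOTE_LAN%.*}".*) echo "$LINK_IF" ;;   # other office: private circuit
    "${LOCAL_LAN%.*}".*)  echo "$LAN_IF" ;;    # our own LAN
    *)                    echo "$WAN_IF" ;;    # anything else: the Internet DSL
  esac
}

# Apply for real (needs root): enable forwarding, install routes, load the rule set.
apply_config() {
  sysctl -w net.ipv4.ip_forward=1
  routing_commands | sh
  firewall_rules | nft -f -
}

# Without an argument the script only prints what it would configure.
if [ "${1:-}" = apply ]; then
  apply_config
else
  routing_commands
  firewall_rules
fi
```

Run it with no arguments to review the routes and rule set; `sh router.sh apply` installs them. Office B's box is the same script with the LOCAL/REMOTE values and the link peer swapped. The forward chain is where the two security points from the post meet: the private circuit and the Internet are separate interfaces, so inter-office traffic never shares a rule with Internet traffic, and the default drop policy is what keeps a misconfigured route from quietly turning the box into an open relay.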
