TOPIC: Separating LAN into two segments

Separating LAN into two segments 12 years 8 months ago #3085

  • nubs
  • Frequent Member
  • Posts: 20
  • Karma: 0
Someone help me to understand why you would want to separate your LAN into two segments...one network for the regular traffic...and the other network solely for the administration.

A complete and thorough explanation would be welcome, as well as any links/articles I can get a hand on.

Also, if you implement this 2nd administrator network, is it going to duplicate the other network...except for the fact that only administration can use that one? So in essence, your network would be twice as big?!? I am having a hard time trying to picture this in my head. I want to know what additional resources will be needed to create the 2nd network.

thx
nubs

Re: Separating LAN into two segments 12 years 8 months ago #3093

  • sahirh
  • Honored Member
  • Posts: 1700
  • Karma: 0
Could you give me an example of what you mean by administrative traffic, as I don't know of a setup like this. The only thing that I can relate it to is where you place the network administration machines in a separate subnet. This is for security and it makes it easy to write rules on the firewall saying that 'only this subnet can telnet or ssh to the webserver'.

That way you isolate the network that has administrative control over the other machines. It's quite a logical thing to do.
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com

Re: Separating LAN into two segments 12 years 8 months ago #3094

  • MaXiMuS
  • Distinguished Member
  • Posts: 111
  • Karma: 0
nubs, it would be really helpful if you could elaborate more on what precisely you want to know.

I am not sure there is something known as administrative traffic, but if you are talking about the ability to administer the network using, say, SNMP, then yes you could use a switch to divide the LAN, but that would be primarily for security purposes as pointed out by sahir. Also the 2 segments will not be replicas of each other: only the administrative machines in 1 segment and the network on the other. Hope this helps.

Re: Separating LAN into two segments 12 years 5 months ago #4268

  • n8
  • New Member
  • Posts: 13
  • Karma: 0
It is good practice to have a separate logical network for administration purposes. Separating it physically is even better.

Let's say you added an additional 10.0.0.x IP address to all your hosts and network devices. You can restrict access to these devices for administration to 10.0.0.x hosts only. Since 10.0.0.x is one of the IANA reserved IP blocks for LANs it cannot be routed normally on the internet. This would restrict administration to your local network.

If you did not want to map multiple IP addresses per interface in devices that you want to secure in this way, you could add an additional NIC. This would require an additional link to the switch. If you wanted to separate the networks logically in a single switch you could associate a separate set of ports on your switch to a separate VLAN id. The only catch is, if you wanted to route traffic between the VLANs you would need a router, but if you ask me, keep it separate.

I personally have a separate physical network for all of my core network devices. I have access lists to restrict administration to only a couple of my administration IP addresses. Because my workstation is the only one connected to my administration network, I can be the only one to administer those devices.

Ramble... Ramble..
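As an added illustration of the access-list approach sahirh and n8 describe (this is example code, not anything posted in the thread), the Python below audits whether an ordered ACL keeps telnet, ssh and SNMP reachable only from the 10.0.0.x management subnet, and also catches the opposite mistake of locking the management subnet out. The ACL format, the sample rule sets and the probe addresses are constructed assumptions.

```python
import ipaddress
from typing import Iterable, List, Tuple, Union

# Management subnet from the thread (10.0.0.x) and the services the posts
# mention. Constructed values for this example.
MGMT_NET = ipaddress.ip_network("10.0.0.0/24")
MGMT_PORTS = {22: "ssh", 23: "telnet", 161: "snmp"}  # keep these off the user LAN
REQUIRED = {22: "ssh", 161: "snmp"}                   # admin subnet must keep these

# Simplified ordered ACL entry: (action, source CIDR, destination port or "any").
# First match wins; anything unmatched is implicitly denied, as on a router.
Rule = Tuple[str, str, Union[int, str]]

def first_match(acl: List[Rule], src: str, port: int) -> str:
    """Return 'permit' or 'deny' for a source address hitting a destination port."""
    ip = ipaddress.ip_address(src)
    for action, cidr, rule_port in acl:
        if ip in ipaddress.ip_network(cidr) and rule_port in ("any", port):
            return action
    return "deny"  # implicit deny at the end of every ACL

def audit_mgmt_acl(acl: List[Rule], probes: Iterable[str]) -> List[str]:
    """Findings: management services exposed to non-management sources, and
    required services blocked for the management subnet itself (lockout)."""
    findings = []
    for src in probes:
        in_mgmt = ipaddress.ip_address(src) in MGMT_NET
        for port, name in MGMT_PORTS.items():
            if not in_mgmt and first_match(acl, src, port) == "permit":
                findings.append(f"{name}/{port} reachable from non-management host {src}")
        for port, name in REQUIRED.items():
            if in_mgmt and first_match(acl, src, port) != "permit":
                findings.append(f"{name}/{port} blocked for management host {src} (lockout)")
    return findings

# Constructed sample ACLs. The weak one lets the whole user LAN reach everything.
WEAK_ACL: List[Rule] = [("permit", "192.168.1.0/24", "any"),
                        ("permit", "10.0.0.0/24", "any")]
# The hardened one follows the thread's advice: admin ports only from 10.0.0.x,
# telnet disabled entirely, ordinary user traffic still allowed.
HARDENED_ACL: List[Rule] = [
    ("permit", "10.0.0.0/24", 22),
    ("permit", "10.0.0.0/24", 161),
    ("deny", "0.0.0.0/0", 22),
    ("deny", "0.0.0.0/0", 23),
    ("deny", "0.0.0.0/0", 161),
    ("permit", "192.168.1.0/24", "any"),
]

# Constructed probe sources: a user-LAN host, an admin host, an internet host.
PROBES = ["192.168.1.50", "10.0.0.5", "203.0.113.9"]
```

Running `audit_mgmt_acl(WEAK_ACL, PROBES)` reports the three services exposed to the user-LAN host, while the hardened ACL yields no findings.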

Admin 12 years 5 months ago #4274

  • TheBishop
  • Moderator
  • Posts: 1719
  • Thank you received: 8
  • Karma: 5
The simplest reason to run the administrative interfaces of your network devices over a separate network is that when you have network problems (on your main network) you can still access all your troubleshooting resources to fix them. Try querying SNMP usage stats for a device port across a network which is in the throes of a broadcast storm and you'll see what I mean.

Re: Separating LAN into two segments 12 years 5 months ago #4287

  • n8
  • New Member
  • Posts: 13
  • Karma: 0
Well put Bishop. Today I poll my network interfaces through my production network and when I do have a problem my monitors have trouble getting info from the devices. It would be better to run monitoring on the administrative network.