Ah ... if your security policy isn't worried about APT attackers ... put the entire second network in an extranet and then begin to transfer the acquired users into your company's intranet one group at a time. Once the users are transferred, then begin to transfer their services.
If you're not willing to do that, then I would echo Doug and Medbery: use a combination of VLAN tagging and switchport port-security on your switches. No need to rewire, and if your equipment supports those features, zero dollar cost. The only cost is your time and testing your infrastructure.

On Thu, Jul 14, 2011 at 8:25 AM, Edward Ned Harvey <[email protected]> wrote:
>> From: [email protected] [mailto:discuss-
>> [email protected]] On Behalf Of Edward Ned Harvey
>>
>> I have a location with two networks that must not be bridged. Users must easily be able to access both networks. VPN is not a possibility for reasons I won't go into.
>
> A lot of people are curious about the subtext here. So here it is:
>
> Small company was acquired by a big company. The eventual plan is to simply patch the legacy equipment into the new LAN, so the two separate subnets are actually the same IP range by design. No, you can't connect to both at the same time... At least ... you shouldn't expect to have a useful network if you try. ;-)
>
> The big company has a lot more rules about what's permitted and not, and the reasons why. Amongst these restrictions, they're obligated to a 3rd party to ensure the confidential IP on the big company LAN is secure to a certain extent, amongst other bullet points, physical measures to prevent bridging with other networks.
>
> This does not necessarily mean you must make it impossible to bridge. As in many other companies, security is sort of a half-assed goal. Many companies do things like block access to the internet (ftp, sftp, ftps, etc.) and block rpms and exes and zips and stuff like that... But they still permit users to take their laptops and USB fobs home or to Starbucks.
>
> Such is the case with this bridging concept. Supposing I lock down all the Ethernet jacks so there's nothing but male RJ45 wires for people to plug into their laptops... Yes, I know somebody could still bridge them if they brought in a switch and plugged it into the wall and plugged the two Ethernet cables into it. (Or just used a female-female coupler.) But there's no way that's going to happen by accident.
>
> I have certainly worked places before ... where somebody brought their kids in to work, and the kids plug an Ethernet cable into this wall jack, and that other wall jack... I have certainly seen cables accidentally patched into the wrong patch panel in the closet... The goal here is to basically prevent accidental bridging.
>
> The answer I found the most satisfying within the last day was rjlockdown. It's basically a clip which forces the Ethernet release tab to stay up. So you can't remove the Ethernet cable from the wall outlet without breaking it. If all your Ethernet jacks are plugged up ... everything's male ... then you can't accidentally bridge the networks. Anybody who has any switches plugged in will need to have those switch jacks plugged up too.
>
> _______________________________________________
> Discuss mailing list
> [email protected]
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
> This list provided by the League of Professional System Administrators
> http://lopsa.org/
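As an added example (not from anyone on this thread), here is what the "VLAN tagging plus switchport port-security" suggestion looks like in Cisco IOS-style access-port configuration, together with a small auditor that walks a running-config and flags user ports that are missing those settings. The configuration text is constructed for illustration; the interface names, VLAN numbers and descriptions are made up, and the command syntax is IOS access-port syntax that should be checked against your own platform.

```python
"""Audit a Cisco IOS-style running-config for the VLAN + port-security
settings suggested in the thread.

Added example, not code from the original thread. SAMPLE_CONFIG is a
constructed config: two user ports done right, one forgotten open jack,
and one trunk uplink. The interface names and VLAN numbers are assumptions.
"""

# Constructed sample config (not a real device).
SAMPLE_CONFIG = """\
!
interface GigabitEthernet1/0/1
 description legacy-net user port
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 description corp-net user port
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/3
 description forgotten jack in conference room
 switchport mode access
!
interface GigabitEthernet1/0/48
 description uplink
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
"""

# Lines every user-facing access port should carry:
#  - port-security with a maximum of 1 MAC: a coupler or a second cable
#    that puts another MAC on the port trips a violation
#  - bpduguard: a consumer switch plugged into the jack sends BPDUs and
#    the port is err-disabled instead of extending the VLAN
REQUIRED_ACCESS_LINES = (
    "switchport port-security",
    "switchport port-security maximum 1",
    "spanning-tree bpduguard enable",
)

NOT_SHUTDOWN_MSG = "violation action is not shutdown (an extra MAC will not disable the port)"


def parse_interfaces(config):
    """Return {interface name: [stripped config lines]} per interface stanza."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or any top-level line ends the stanza
    return interfaces


def audit_access_ports(config):
    """Return {interface: [findings]} for access ports that lack the settings
    needed to keep a second cable or a rogue switch off the VLAN."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue  # trunks and uplinks are a separate review
        problems = []
        if not any(l.startswith("switchport access vlan ") for l in lines):
            problems.append("no explicit access VLAN (port lands in VLAN 1)")
        for required in REQUIRED_ACCESS_LINES:
            if required not in lines:
                problems.append("missing: " + required)
        # IOS defaults the violation mode to shutdown; only an explicit
        # 'restrict' or 'protect' weakens it, so flag those rather than absence.
        if any(l.startswith("switchport port-security violation ")
               and not l.endswith(" shutdown") for l in lines):
            problems.append(NOT_SHUTDOWN_MSG)
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for iface, problems in audit_access_ports(SAMPLE_CONFIG).items():
        print(iface)
        for p in problems:
            print("  -", p)
```

Running it against the sample lists GigabitEthernet1/0/2 (violation mode weakened to restrict) and GigabitEthernet1/0/3 (no VLAN, no port-security, no bpduguard); the trunk is skipped. Note what this does and does not cover: a maximum-1 port-security limit and bpduguard catch a coupler, a second cable or a plugged-in switch at the jack, but neither stops a laptop with two NICs that bridges the networks in software, which is the case the physical measures in the thread are aimed at.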
