On Mon, Nov 14, 2011 at 20:19, John Gwinner <[email protected]> wrote:

> I just signed up with a new ISP for the office – we’re getting 15Meg for the
> price I used to pay for 2 T-1’s. Nice!

Nice.

> Oddly though, I get a single IP in the range 216.2.69.x/30 and a default
> gateway. This isn’t a T-1 or other telecom-ish interface; they give me an
> Ethernet jack (comes out of an AdTran), with an IP stack on it.

Not odd at all. Pretty standard.

> I ALSO get 5 (usable) IP's in the range 216.2.234.X/29.

Again, not so unusual - I'm guessing you don't have a lot of hosts.

> I have 3 public web servers with separate IP's I need to host on the
> Internet (they are firewalled/DMZ'd through Microsoft's TMG).

OK - that leaves you with 2 addresses to consume.

> The wrinkle: My ISP expects me to route my public IP's 'through' the
> 216.2.69.X gateway. Not just switch the 5 usable IP's, I have to route
> them. The 216.2.69.X is what the Adtran puts out (say .2 for ‘my’ router
> and .1 for the gateway). Behind that, I have the 5 usable IP’s and I have
> to route that to the Adtran.

Yup. Pretty standard. I assume that the Adtran is the ISP's box that is at your site.

> My ISP said I needed a Level 3 switch;

No, that would be a Layer 3 switch - AKA a router.

> Can I do this with a Dell 6248p?

Dunno. You'll want to look at the Dell site for that. Whether those switches are L3 capable you'll be able to tell from the literature: if they are, it will say so; if they aren't, they'll say something like Layer 2. Regardless, you don't want/need that - see below.

> VLAN tagging wouldn’t work, I don't think, as who knows if whatever web site
> we're surfing to, or whatever customer is looking at our public IP's, would
> support vlan tagging. This is a raw, public IP.

You're trying to make this too complex, and VLAN tagging will be irrelevant to anybody (or any web site) not on the physical subnets you control.

<snip>

> Any advice?

Some, yes...

First, though, you haven't described the rest of your environment. What else will this speedy interface be serving? Is this link *only* for your web servers, or does it serve the rest of your organization?
Regardless, the simplest way to do what you want is to acquire two boxes that can support this. Others will have some different ideas, but for your needs, what I outline below should work very well.

The first unit you'll need is a router with two Ethernet interfaces (or more, but you'll be ignoring any extras). The interface into which you'll be plugging your ISP's Ethernet cable will have the IP address assigned from the /30 subnet. The other interface will have one of the addresses from your /29 subnet. You can find any of a number of commercial products, or you can build one from a whitebox. You'll set the DG for it to the IP at the ISP from the /30 range. You can do some filtering on that box, but you probably don't want to make a full-blown firewall out of it. Life gets too complicated if you do.

The second unit is a firewall (since you have TMG, put that on a box with at least two Ethernet ports, and possibly up to five Ethernet ports, which will do the job nicely[1]). One of those ports will have assigned to it the four public IP addresses that aren't assigned to the router, and you'll list the IP address of the router that is in the /29 range as the DG for your TMG machine. Since you have three web servers, you'll need to NAT three of those public IP addresses to the web servers. That leaves you with 1 public IP address for your other purposes, if any. Let's assume for the sake of discussion that you have some number of other machines that need Internet access - you'll NAT the remaining public IP address for those hosts.

So, you might want to strategise a bit regarding how you treat those four public IP addresses. Ask yourself questions, such as:

o- Do the three public-facing web servers need to talk with each other, or, conversely, do they really need to be isolated from each other, or, on the gripping hand, do you not care if they are on the same subnet, and would it be convenient for managing them to put them on the same subnet?
If the first or third are true, then you can NAT each of the three IP addresses into a single subnet used as a DMZ. If, however, the second option is true, then you have a need for a more complicated configuration - that will entail a more complicated discussion as well.

o- What other machines will be using this connection? I assume a small office - say 8-20 staff and associated workstations and servers. If I'm correct, then that last public IP address will get a lot of use, and you'll likely end up doing PAT (port address translation, a sibling of NAT, or network address translation). For instance, if you have a mail server, you'll forward port 25 inbound to that, and if you have other services inbound you'll forward those ports to the relevant servers for those protocols, such as RDP, or IPSec, or whatever. All of these, however, should be in a subnet that's separate from the one(s) you use for the public-facing web servers, and probably on a separate physical port on the firewall. You can do things like using VLANs and whatnot to manage this kind of thing, but I find it easier to understand and manage if subnets that serve different security domains are physically separate.

I hope this is all fairly clear. Let me know if I can clarify anything for you. I'm sure others will chime in with different ideas. You'll have to evaluate them and see what makes sense for you.

Kurt

[1] Dual- and quad-port Ethernet cards are your friends...
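The two-box design Kurt lays out above (a router holding the /30 and the first /29 address, a firewall holding the rest of the /29 with 1:1 NAT for the web servers and PAT for everyone else), worked through as an added example that is not part of the thread. It derives the addressing from the two prefixes with Python's `ipaddress` module and renders the result as an nftables NAT table for a Linux whitebox firewall. The prefixes, host names, DMZ and office subnets are constructed RFC 5737 / RFC 1918 values standing in for the poster's real 216.2.x.x ones; the `reserved` parameter is an assumption added to model an ISP that hands out fewer usable addresses than the /29 contains (a /29 has six hosts, the poster was told five); TMG itself is configured in its own console, so the nftables output only illustrates the same mappings.

```python
# Added example, not code from the thread: derive the addressing plan for a
# routed /30 + /29 hand-off and render the firewall's NAT rules.
# All addresses are constructed (RFC 5737 documentation and RFC 1918 ranges).
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List

IPv4 = ipaddress.IPv4Address


@dataclass
class Plan:
    router_wan: IPv4             # router's address in the ISP /30
    router_default_gw: IPv4      # ISP's end of the /30 (the AdTran)
    router_lan: IPv4             # router's inside address, first host of the /29
    firewall_public: List[IPv4]  # /29 addresses bound to the firewall's outside port
    dnat: Dict[IPv4, IPv4]       # public -> DMZ address, 1:1 NAT per web server
    pat: IPv4                    # the one public address shared by the office

    @property
    def firewall_default_gw(self) -> IPv4:
        # TMG's default gateway is the router's /29 address, as in the thread.
        return self.router_lan


def plan_addressing(wan_cidr: str, isp_gateway: str, routed_cidr: str,
                    web_servers: Dict[str, str],
                    reserved: Iterable[str] = ()) -> Plan:
    """Assign the two prefixes the ISP handed out.

    wan_cidr/isp_gateway: the point-to-point /30 and the ISP's side of it.
    routed_cidr: the /29 the ISP routes to the router's WAN address.
    web_servers: name -> private DMZ address; each gets one public address.
    reserved: hypothetical list of /29 addresses the ISP keeps for itself
    (a /29 has six hosts; the poster was told five are usable).
    """
    wan = ipaddress.ip_network(wan_cidr, strict=True)
    gw = ipaddress.ip_address(isp_gateway)
    wan_hosts = list(wan.hosts())
    if len(wan_hosts) != 2:
        raise ValueError(f"{wan} is not a point-to-point /30")
    if gw not in wan_hosts:
        raise ValueError(f"ISP gateway {gw} is not inside {wan}")
    router_wan = next(h for h in wan_hosts if h != gw)

    routed = ipaddress.ip_network(routed_cidr, strict=True)
    skip = {ipaddress.ip_address(a) for a in reserved}
    hosts = [h for h in routed.hosts() if h not in skip]
    router_lan, firewall_public = hosts[0], hosts[1:]
    # Every web server needs its own public address, plus one left for PAT.
    if len(web_servers) + 1 > len(firewall_public):
        raise ValueError(
            f"{routed} leaves {len(firewall_public)} addresses for the firewall, "
            f"not enough for {len(web_servers)} web servers plus a PAT address")
    dnat = {pub: ipaddress.ip_address(priv)
            for pub, priv in zip(firewall_public, web_servers.values())}
    pat = firewall_public[len(web_servers)]
    return Plan(router_wan, gw, router_lan, firewall_public, dnat, pat)


def render_nft_nat(p: Plan, office_subnet: str) -> str:
    """Render the plan as an nftables NAT table for a Linux whitebox firewall.

    Refuses an office subnet that overlaps the DMZ: the thread's advice is
    that the web servers and the office live in separate subnets.
    """
    office = ipaddress.ip_network(office_subnet, strict=True)
    if any(priv in office for priv in p.dnat.values()):
        raise ValueError(f"office subnet {office} overlaps the web-server DMZ")
    lines = ["table ip nat {",
             "  chain prerouting {",
             "    type nat hook prerouting priority -100; policy accept;"]
    # Inbound: each public address maps 1:1 to its web server.
    for pub, priv in p.dnat.items():
        lines.append(f"    ip daddr {pub} dnat to {priv}")
    lines += ["  }",
              "  chain postrouting {",
              "    type nat hook postrouting priority 100; policy accept;"]
    # Outbound: web servers leave on their own public address; the office
    # shares the remaining one (PAT).
    for pub, priv in p.dnat.items():
        lines.append(f"    ip saddr {priv} snat to {pub}")
    lines.append(f"    ip saddr {office} snat to {p.pat}")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    plan = plan_addressing(
        "192.0.2.0/30", "192.0.2.1", "192.0.2.8/29",
        {"www1": "10.10.1.11", "www2": "10.10.1.12", "www3": "10.10.1.13"},
        reserved=("192.0.2.14",))   # constructed: pretend the ISP keeps .14
    print(f"router: WAN {plan.router_wan} via {plan.router_default_gw}, "
          f"LAN {plan.router_lan}")
    print(f"firewall: outside {[str(a) for a in plan.firewall_public]}, "
          f"default gateway {plan.firewall_default_gw}, PAT {plan.pat}")
    print(render_nft_nat(plan, "10.10.2.0/24"))
```

The ISP's side only needs a static route for the /29 pointing at the router's /30 address; the router then owns the first /29 host on its inside interface and the firewall owns the rest, which is why `firewall_default_gw` is simply `router_lan`. The overlap check in `render_nft_nat` encodes Kurt's "separate subnets for separate security domains" point: a PAT rule for an office subnet that also contains a web server would silently rewrite that server's outbound traffic onto the shared address.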
