company moving 3 networks onto 2 physical segments

[Guest]

greetings everyone - i find myself in a quandry as my company attempts to
consolidate workspace by merging workers from 3 floors (each with its own
separate departmental windows network and IP segment) into 2 floors. each
network is its own, self-contained windows network. here is a brief overview
of the networks and segments:

[1] MY windows 2000 active directory (wins, dhcp, dns)
- full class c segment #x.x.76.x
- floor #16

[2] a SAMBA network (linux/samba PDC, wins & dhcp)
- half of a class c segment (128 addresses) #x.x.78.x
- half of floor #17.

[3] I believe to be a Windows NT4 network (a PDC with at least wins & dhcp)
- full class c segment #x.x.79.x split on floors #17 & 20 along with the
appropriately configured routers on each of the two floors for segment
#x.x.79.x.

They want to evacuate floor #20 by merging workers from networks [2] & [3]
throughout floors #16 & #17. So on my 16th floor, physical segment x.x.76.x,
there will be workers from network [2] and network [3] who they need/expect
to connect to their own respective networks for their own respective
resources.

Company politics excluded people like me having a say in how best to
organize workers in a more logical way that is thoughtful of network
resources. Management just threw people from each of the 3 floors and mixed
them up on the consolidated 2 floors.

What is the best way to configure the inherited networks so that workers
from each department have access to their respective department resources,
while taking care that things like multiple DHCP servers and the like do not
mess up the networks of other departments that are mixed throughout the
floors????

Also, can shared printers for network #2 and #3 be setup on my floor #16
with IP addresses from their network segment numbers (#78.x, #79.x) so they
don't have to have IP addresses from my segment #76.x? I know that it
probably is illogical to think that someone from segment #78.x or #79.x could
print on one of my #76.x printers, isn't it?

[ultimately, we will move things onto one supernetted segment, but it would
be impossible at this moment in time]

thank you very much, in advance, for any assistance and major tips that you
guys can spare the time to provide for my dire situation!

 

[Kurt]

greetings everyone - i find myself in a quandry as my company attempts to
consolidate workspace by merging workers from 3 floors (each with its own
separate departmental windows network and IP segment) into 2 floors. each
network is its own, self-contained windows network. here is a brief overview
of the networks and segments:

[1] MY windows 2000 active directory (wins, dhcp, dns)
- full class c segment #x.x.76.x
- floor #16

[2] a SAMBA network (linux/samba PDC, wins & dhcp)
- half of a class c segment (128 addresses) #x.x.78.x
- half of floor #17.

[3] I believe to be a Windows NT4 network (a PDC with at least wins & dhcp)
- full class c segment #x.x.79.x split on floors #17 & 20 along with the
appropriately configured routers on each of the two floors for segment
#x.x.79.x.

They want to evacuate floor #20 by merging workers from networks [2] & [3]
throughout floors #16 & #17. So on my 16th floor, physical segment x.x.76.x,
there will be workers from network [2] and network [3] who they need/expect
to connect to their own respective networks for their own respective
resources.

Company politics excluded people like me having a say in how best to
organize workers in a more logical way that is thoughtful of network
resources. Management just threw people from each of the 3 floors and mixed
them up on the consolidated 2 floors.

What is the best way to configure the inherited networks so that workers
from each department have access to their respective department resources,
while taking care that things like multiple DHCP servers and the like do not
mess up the networks of other departments that are mixed throughout the
floors????

Also, can shared printers for network #2 and #3 be setup on my floor #16
with IP addresses from their network segment numbers (#78.x, #79.x) so they
don't have to have IP addresses from my segment #76.x? I know that it
probably is illogical to think that someone from segment #78.x or #79.x could
print on one of my #76.x printers, isn't it?

[ultimately, we will move things onto one supernetted segment, but it would
be impossible at this moment in time]

thank you very much, in advance, for any assistance and major tips that you
guys can spare the time to provide for my dire situation!

Despite all of the information you've given us, there still just isn't
enough to really make any kind of specific recommendations. We don't
know how the building is wired. Can the networks be segmented /
segregated by using separate switches in the wiring closet(s)? We don't
know how you are managing security. You can certainly run two or more
separate IP subnets on the same physical segment, but not if security is
any kind of concern at all. If people who need to be on different
segments are scattered all around the 2 floors, you probably need to
virtualize things (VLANs). That'll let you put just about anybody
anywhere and the switchport they are plugged into will determine which
virtual LAN segment they are on. If your current switches can't do it,
you can expect to pay about $800 for each managed layer-2 24-port
switch. If you need to route between those virtual segments, at least
one of those will likely need to be a layer-3 switch (typical 24 port
around $2500). Personally, I'd go to management with what it would cost
to do it "if workers were arranged this way" vs how much it will cost to
do it "with workers arranged the way they currently are". Careful not to
make it sound like your criticizing. Money talks - especially to management.

....kurt

 

[Phillip Windell]

greetings everyone - i find myself in a quandry as my company attempts to
consolidate workspace by merging workers from 3 floors (each with its own
separate departmental windows network and IP segment) into 2 floors. each
network is its own, self-contained windows network. here is a brief overview
of the networks and segments:

[1] MY windows 2000 active directory (wins, dhcp, dns)
- full class c segment #x.x.76.x
- floor #16

[2] a SAMBA network (linux/samba PDC, wins & dhcp)
- half of a class c segment (128 addresses) #x.x.78.x
- half of floor #17.

[3] I believe to be a Windows NT4 network (a PDC with at least wins & dhcp)
- full class c segment #x.x.79.x split on floors #17 & 20 along with the
appropriately configured routers on each of the two floors for segment
#x.x.79.x.

You are making more of this than there needs to be. When consolitdating into a
smaller portion of a building:....

1. Operating systems don't matter at all - (taken in the proper context)
2. Applications don't matter at all - (taken in the proper context)
3. Users don't matter at all - (taken in the proper context)
4. IP Classes *really* don't matter at all
5. Segments are *not* the primary means of security although it needs to be kept
in consideration

You can stick everything into one segment as long as you stay less than 245
Hosts.
So take the number of Hosts,...divide by 254 and round up the next whole
number,...that will be the minimum number of segments you need.

You can add more segments if security demands it,...but don't "over-assume" on
that,...the primary means of security (when looked at correctly) is in *this*
priority order:

1. Permissions built into the Applications that are used
(Web Service, FTP Service, SQL Service, Custom written & Vendor
Applications)
2. Share Permissions
3. NTFS Permissions
4. Layer 3 & 4 ACLs (segmentation)

Just because a user is on the same segment does *not* mean they have "access" to
something. Security by segmentation is *last* and it very "rough & crude" by
comparison to the other methods and is not very granular,...and when *over used*
will simply break things more often that it helps anything.

The *primary* purpose for segmentation is Broadcast Control,...hence the 245
Host ceiling. Once that number is past, the normal Ethernet Broadcasts begin to
take their "toll" on the LAN's efficiency.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

The views expressed (as annoying as they are, and as stupid as they sound), are
my own and not those of my employer, or Microsoft, or anyone else associated
with me, including my cats.
-----------------------------------------------------