Multiple Ethernet Interfaces and Switches...
Junior Member
Join Date: Jan 2001
Location: California, USA
Hi!
I'm administering an Xserve and several G4's for my department at a university. We handle checking out digital projectors and laptops for staff/faculty/student presentations. Additionally, we manage the editing and production of CDs for on-campus events that are recorded (in the ballpark of 7-8 1 hour+ events per week)--which is what the G4's are used for. We currently have the Xserve storing the audio files. The two G4's that do the editing are hooked up to the Xserve via gigabit ethernet over a university switch in our building. This works quite well. I have also just set up Netbooting on the Xserve to allow for imaging our laptops to easily restore them after they've been checked out. This works wonderfully over gigabit as well. However, due to space constraints on our building's switch and the usual slow response associated with university departments (especially telecom), we opted to purchase a Linksys EtherFast 8-Port Gigabit switch (EF3508). Unfortunately, we discovered after purchasing the switch that the telecom department is rather touchy about other departments having switches of their own. After some negotiating, we got approval to use the switch as long as it was never hooked up to the campus network (gotta love campus politics). So, thus enters my question...
The Xserve is hooked up to our campus' switch and thus the campus network. However, the Xserve has two ethernet interfaces. en0 (built-in) is the one hooked up to the network and has a static IP I assigned it on our subnet. Here's my question: does en1 communicate with en0 unless I set it up to do so somehow? What I want is for en1 to be completely independent from en0 (so anything communicating with en1 _cannot_ see the campus network at all). How I have it set up now is as follows:
en1 interface:
IP: 10.0.0.1
DHCP Server:
Active serving on en1
range--10.0.0.100-150
router--10.0.0.1
Netboot: Active serving on en1
en1 is plugged into the switch along with any other laptops I plug in for imaging purposes.
Is this setup safe in regards to the requirements placed on us? What tests can I do to demonstrate this for the telecom department if it is? I'll need fairly solid evidence that absolute nothing from en1 is being broadcast/communicated out over en0.
Thanks for your help!
-Joel
Mac Elite
Join Date: Apr 2000
Location: Los Angeles, CA
This is pretty much a routing question, and what you've done will suit your needs, depending of course on how the network en0 is connected to/set up.
So long as your routing rules are correct, then your Xserve should treat those two networks as separate and unique. If you're uber-obsessive, you could set up rules saying that addresses belonging to en1 should be ignored when received on en0 and vice versa, but that's pretty much unnecessary if the networks are configured properly to begin with.
Junior Member
Join Date: Jan 2001
Location: California, USA
Originally posted by ginoledesma:
This is pretty much a routing question, and what you've done will suit your needs, depending of course on how the network en0 is connected to/set up.
en0 is set up as follows:
IP: 1.1.1.2 (these are not the actual #'s)
Router: 1.1.1.1
Active Services: AFP, NFS, Open Directory (Standalone Server)
It is connected directly into a campus gigabit ethernet port that (I think) goes back to a Cisco 10/100 switch that has 2-4 gigabit ports on it.
Originally posted by ginoledesma:
So long as you're routing rules are correct, then your Xserve should treat those two networks as separate and unique. If you're uber-obsessive, you could setup rules saying that addresses belong to en1 should be ignored when received on en0 and vice-versa, but that's pretty much unnecessary if the networks are configured properly to begin with.
Are these routing rules on the software or hardware end? If they're on the software end, where would I access them and is there any documentation on what I would need to do to set these rules up to do what you described?
As an aside, why, exactly, is the telecom department so touchy about people hooking switches up to the network? Can that cause broadcast storms or something? A simple 10/100/1000 switch doesn't seem like it would do that (i.e., it doesn't broadcast anything at all, right?). Plus, wouldn't a switch keep all local traffic (i.e., all traffic occurring between devices connected to the switch) inside the switch and off the main network (which should be a good thing, right?).
Thanks!
-Joel
Mac Elite
Join Date: Apr 2000
Location: Los Angeles, CA
Firewall routing rules can be configured on either end -- software (well, actually, the OS on your Xserve) and hardware (Cisco router and the like).
For your purposes, it'd be easier to configure the firewall rules on your Xserve. If you have experience using BSD, then you're probably comfortable with using ipfw. However, I am assuming you are using Mac OS X Server, which should have an interface to allow you to configure it.
I don't have an Xserve to play with (alas!), but my Linux server that has 2 interfaces configured on it is effectively handling Samba and DHCP connections (among others) without making the two networks "cross over" -- using both internal network addresses (192.168.0.0/16 and 10.0.0.0/8).
Oh, and as for the issue with telecom offices... I work for the campus network group (that's what we call it in our university) and it's really just a matter of policy. Some network groups (or telecom departments, as you call them) are typically stringent about the network infrastructure. Allowing individual units to set up their own "mini-networks" shouldn't really cause problems. For my part, we've never had problems even if certain individual units had a higher network capacity than the core network. It's just that what gets on the nerves of most telecom departments is that individual units go running to them and complaining about problems which might have been avoided if they were consulted in the first place. Ahh, monopolies.
Dedicated MacNNer
Join Date: Jul 2002
Location: Boston, MA
Unless /sbin/routed is running and you have modified the routing table, the interface/network attached to the switch you purchased for this project will not be able to go anywhere. In addition, I believe sysctl net.inet.ip.forwarding has to be set to yes so that traffic will be able to flow from interface to interface (BSD thing). The campus network routing tables would have to be made aware of this network via whatever routing protocol they are using in order for traffic to get back to this new network also. Otherwise it goes out the 0 route for the campus.
The newly brought up interface will be used for the newly created network as it is directly attached and addressed accordingly. netstat -rn will display your routing table.
As for not allowing end-users to connect switches to the network, problems can be created by doing so insofar as port utilization and capacity planning, in addition to spanning tree loops, depending on configuration of the switches in question.
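The two replies above point at the three things that actually decide whether en1 traffic can reach en0: the net.inet.ip.forwarding sysctl, the routing table shown by netstat -rn, and (optionally) ipfw rules. The script below is an added example, not something posted in the thread, that turns those into checks an administrator could hand to the telecom department. It assumes the addresses from the thread (en0 = 1.1.1.2/24 campus side, en1 = 10.0.0.1/24 private side); the sysctl and netstat output it parses is constructed sample text, not captured from a real Xserve, so on a live box you would feed it `sysctl net.inet.ip.forwarding` and `netstat -rn` instead. The ipfw rule numbers and the "count" rule are this example's choices, not a Mac OS X Server default.

```shell
#!/bin/sh
# Added example: audit helpers for a dual-homed BSD / Mac OS X Server host.
# Assumed layout (from the thread): en0 = campus 1.1.1.2/24, en1 = private 10.0.0.0/24.

# Return 0 when the sysctl output says the kernel will NOT route packets between
# interfaces; with forwarding off, en1 hosts cannot reach the campus via en0 at all.
forwarding_disabled() {
    # $1: output of `sysctl net.inet.ip.forwarding`, e.g. "net.inet.ip.forwarding: 0"
    case "$1" in
        *"net.inet.ip.forwarding: 0"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the interface that `netstat -rn` binds a destination to.
# Locates the Netif column from the header so it works even if Expire values are present.
route_iface() {
    # $1: netstat -rn output, $2: destination column value (e.g. "10/24" or "default")
    printf '%s\n' "$1" | awk -v dst="$2" '
        $1 == "Destination" { for (i = 1; i <= NF; i++) if ($i == "Netif") col = i }
        col && $1 == dst   { print $col }'
}

# Verify the private net is reachable only via the lab interface and the
# default route leaves only via the campus interface.
routes_isolated() {
    # $1: netstat output, $2: private destination, $3: lab iface, $4: campus iface
    priv=$(route_iface "$1" "$2")
    def=$(route_iface "$1" default)
    [ "$priv" = "$3" ] && [ "$def" = "$4" ]
}

# Emit ipfw rules (belt and braces on top of forwarding=0). The "count" rule is the
# evidence: `ipfw show` counters for rule 900 staying at zero demonstrate that no
# private-net packet ever crossed the campus interface.
ipfw_rules() {
    priv=$1; campus_if=$2; lab_if=$3
    cat <<EOF
add 900 count ip from $priv to any via $campus_if
add 1000 deny log ip from $priv to any via $campus_if
add 1010 deny log ip from any to $priv via $campus_if
add 1015 allow udp from any 68 to any 67 in via $lab_if
add 1020 deny log ip from any to not $priv in via $lab_if
EOF
}
# Rule 1015 keeps DHCP/BSDP (NetBoot) discovery working: those requests arrive on en1
# addressed to 255.255.255.255, which rule 1020 would otherwise drop.

# Constructed sample output (NOT captured from a real Xserve).
SAMPLE_SYSCTL='net.inet.ip.forwarding: 0'
SAMPLE_NETSTAT='Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            1.1.1.1            UGSc       10        0    en0
1.1.1/24           link#4             UCS         2        0    en0
10/24              link#5             UCS         1        0    en1
10.0.0.1           127.0.0.1          UHS         0        0    lo0
127                127.0.0.1          UCS         0        0    lo0'

if forwarding_disabled "$SAMPLE_SYSCTL" && routes_isolated "$SAMPLE_NETSTAT" 10/24 en1 en0; then
    echo "OK: host will not route between en1 and en0"
else
    echo "WARNING: en1 traffic could reach the campus network"
fi
ipfw_rules 10.0.0.0/24 en0 en1
```

For a live demonstration, run the ipfw rules on the Xserve, netboot and image a laptop on en1, then show the telecom department `ipfw show` (rule 900 still at zero packets) alongside `tcpdump -ni en0 net 10.0.0.0/24` left running on the campus interface for the duration, which should capture nothing.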