Logical routing within physical network segment!! PLEASE HELP GIVING ADVICE!!

Thread starter: J.H

J.H

Dear All,

I've been knocking my head over whether our current implementation is fine or
flawed:

We have one Windows NT Checkpoint Firewall server with 3 interfaces: (1), (2),
(3)

(1) --> Public Gateway using public IP address

(2) --> Internal 192.168.1.1 (24bit) <--- potential problem here

(3) --> DMZ xx.xx.xx.xx


Current implementation:
We ran out of 192.168.1.x IP addresses, so we added a routing table entry so
that 192.168.2.x is routed to 192.168.1.1.

So, in effect, 192.168.1.x & 192.168.2.x are in the same physical subnet, but
192.168.2.x clients have their router set to 192.168.1.1 (of course 192.168.1.x
clients have 192.168.1.1 as the router).

Thus 192.168.2.x is logical to 192.168.1.x. Both talk to each other through the
192.168.1.1 interface.


My concern: so far the network architecture still works fine, but I am afraid
it is not right to design logical-within-physical routing like this; it might
cause network performance problems:
a. Broadcast: I sniff and see that every packet from 192.168.2.x talking to
192.168.1.x just talks to the MAC of 192.168.1.1.
b. We cannot get arp -a on 192.168.2.x while pinging a 192.168.1.x client, so
the packet will broadcast to 192.168.1.1 for network communication.

I NEED ANYONE TO GIVE ADVICE THAT THIS SHOULD NOT BE THE RIGHT
NETWORK CONFIGURATION (LOGICAL WITHIN PHYSICAL ROUTING)

Regards,
J.H
 
What you are doing is called Multi-Netting (multiple IP segments on the same
wire). Yes, it can be done. Yes, it is inefficient.

You should buy a LAN Router and segment the network into two physical
segments.
 
Hi Phillip,

Thanks for your response. Arghh, I created it but I did not actually know what
it is called!! Too bad for myself. Do you have any resource URL for
multi-netting on the Internet?

The reason that I created multi-netting is because we thought we could browse
through the computer list in Explorer. However, even with different segments
but joining the same Windows domain with the same WINS server in use, users
still can browse the computer list.

Our problem is that our engineer/lab employees keep creating duplicate NetBIOS
names. For example, we have "domain1" as our Active Directory domain, and an
engineer installs a test computer in the same network with "domain1" as the
workgroup. So the same NetBIOS name causes different network workstations to
not see the domain group correctly when browsing through Explorer.

Regards,
J.H
 
J.H said:
Thanks for your response. Arghh, I created it but I did not actually know what
it is called!! Too bad for myself. Do you have any resource URL for
multi-netting on the Internet?

Multinetting is so bad that it needs to be wiped from the face of the earth
(IMO). No, I have no documentation on it.

You should buy a LAN Router and segment the network into two physical
segments.

J.H said:
The reason that I created multi-netting is because we thought we could browse
through the computer list in Explorer. However, even with different segments
but joining the same Windows domain with the same WINS server in use, users
still can browse the computer list.

I run 4 IP Segments on different wires (like it should be) and the Network
Places display is perfectly fine.

J.H said:
For example, we have "domain1" as our Active Directory domain, and an
engineer installs a test computer in the same network with "domain1" as the
workgroup. So the same NetBIOS name causes different network workstations to
not see the domain group correctly when browsing through Explorer.

I have never seen that cause such a problem.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/prodtechnol/isa/2004/deploy/dgisaserver.mspx
-----------------------------------------------------
 
Thanks Phillip.

Would it be fine if I deploy a Windows 2003 as a LAN router with 6 interfaces
and use Routing and Remote Access to route among those interface network
segments?

Will it also be efficient, since our usage is heavy network share folder SMB
and Exchange email attachments (some attachments can be 50MB internal email
attachments)?

I have had a Windows 2000 acting as internal router, using RIPv2, working
great.

In your opinion, will it be fine if we use Windows 2003 as a LAN router? Of
course, on the interface segment belonging to the primary network, we will do
network load balancing and trunking on the switch to increase the bandwidth
(the potential Win2K3 LAN router will have 6-8 Intel 1Gbps LAN ports).

Thanks for your input again,
J.H

 
J.H said:
Would it be fine if I deploy a Windows 2003 as a LAN router with 6 interfaces
and use Routing and Remote Access to route among those interface network
segments?

Yes, that will work, but it would be an expensive router,...probably more
expensive than just buying a regular LAN Router. You also have to be very
careful about what is run on it since some things can cause a lot of trouble
if the box is multihomed.

J.H said:
Will it also be efficient, since our usage is heavy network share folder SMB
and Exchange email attachments (some attachments can be 50MB internal email
attachments)?

IP Segmenting (Layer3 routing) does not help with bandwidth,...it helps with
broadcast control and security (ACLs) between LAN segments. It is a
misconception that it does anything else. Traffic is *already* isolated &
segmented during communication between individual Hosts at the Layer2 level
when using standard Layer2 Switches. If a LAN is bogged down by "directed
traffic" (non-broadcast), then it will continue to be bogged down even after
Segmenting at Layer3. Segmenting at Layer3 only helps when the LAN is
bogged down by Broadcasts.
 
Hi Phillip,

My final question: does our current multi-netting, as in the first message,
currently decrease the network performance between workstation & server and
overload our switches?

I've been using Network Observer for monitoring the broadcasts and analyzing
the collision packets, and I see a few broadcasts on our primary VLAN switches
(where the servers and workstations are centrally connected).

After all, I was looking to know and understand whether using multi-netting
will cause network performance problems in the long run.

Regards,
J.H
 
J.H said:
My final question: does our current multi-netting, as in the first message,
currently decrease the network performance between workstation & server and
overload our switches?

The performance is related to the number of Hosts on the wire. It doesn't
matter if there are 2, 5, or 20 IP Segments Multi-Netted on the same wire,
the performance remains the same because the segmenting doesn't gain
anything,...because,...it is on the same wire and the number of hosts per
wire remains the same. At least in the case of normal physical segmenting
you gain the advantage of fewer hosts per wire (meaning fewer broadcasts per
wire).

So the Multi-Netting gains you nothing in performance and adds additional,
and unjustified, complexity which adds up to less dependability and more
difficulty in troubleshooting problems.
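As an added illustration (not part of the thread, and not anyone's production config), a small Python model of the forwarding decision J.H observed: a 192.168.2.x host hands every 192.168.1.x destination to the router at 192.168.1.1, so the frame crosses the shared wire twice, while the broadcast domain stays the size of the whole wire no matter how many subnets are stacked on it. Host addresses and wire labels are constructed; the router address is the one from the thread.

```python
import ipaddress
from collections import Counter

# Constructed model of the thread's setup: 192.168.1.0/24 and 192.168.2.0/24
# share one wire, and the firewall's inside interface 192.168.1.1 is the
# only router between them.
ROUTER_IP = ipaddress.ip_address("192.168.1.1")


def next_hop(src, dst, prefixlen=24, gateway=ROUTER_IP):
    """Standard host forwarding decision: an on-link destination is ARPed
    for directly; anything outside the host's own /24 goes to the gateway,
    even when the destination physically sits on the same wire."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    onlink = ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)
    return dst if dst in onlink else gateway


def wire_crossings(src, dst, prefixlen=24):
    """How many times one unicast frame crosses the shared wire:
    1 when sent directly, 2 when it hairpins through the router
    (host -> router, then router -> destination on the same wire)."""
    direct = next_hop(src, dst, prefixlen) == ipaddress.ip_address(dst)
    return 1 if direct else 2


def broadcast_domain_sizes(hosts):
    """hosts maps ip -> wire id. Every NIC on a wire receives every
    broadcast on it, regardless of the sender's IP subnet."""
    return Counter(hosts.values())


def compare_designs(multinetted, segmented):
    """Largest broadcast domain (hosts per wire) for each design."""
    return (max(broadcast_domain_sizes(multinetted).values()),
            max(broadcast_domain_sizes(segmented).values()))


# Constructed hosts: identical addresses in both designs, only the wiring
# differs. Multi-netting keeps all ten NICs in one broadcast domain.
ADDRS = ([f"192.168.1.{i}" for i in range(10, 15)]
         + [f"192.168.2.{i}" for i in range(10, 15)])
MULTINETTED = {ip: "wire-A" for ip in ADDRS}
SEGMENTED = {ip: ("wire-A" if ip.startswith("192.168.1.") else "wire-B")
             for ip in ADDRS}

if __name__ == "__main__":
    print(next_hop("192.168.2.10", "192.168.1.20"))        # 192.168.1.1
    print(wire_crossings("192.168.2.10", "192.168.1.20"))  # 2
    print(compare_designs(MULTINETTED, SEGMENTED))         # (10, 5)
```

Running it shows why J.H's sniffer only ever saw the router's MAC for cross-subnet traffic and why the broadcast load did not change with the second subnet.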
 