Lan/Wan Networking

 
 
Jim
      04-12-2004, 04:00 PM
Current:

5 SA Win2k servers. - web, mail, SQL etc.
All 5 servers have from 1 to many public routable IP's on them.
All connect at 100Mb to a switch that is exposed to the net.

Adding:

3 SA Win2K3 AS. - SQL, SQL, web

What I would like to do is keep each server connected to the 100Mb WAN
switch for web traffic and add a Gb LAN (192.168.xxx.xxx) for traffic
between them.

I would end up with 8 servers connected to each switch.

Here's where I lose understanding. I would like for each server to answer
web requests through the 100Mb switch and for them to talk to each other
through the Gb switch. Did I make any sense? Example: When a web request
comes into the web server on the WAN that requires a transaction with the
SQL server, I want the transaction with the SQL server to go through the Gb
LAN, then the webserver would fulfill the request back out the WAN.

Thanks,
Jim




 
 
 
 
 
Phillip Windell
      04-12-2004, 10:01 PM
Make sure the websites are explicitly bound to an IP# from the slower 10mbps
link (not set to "all unassigned"). On the Gigabit NICs, connect them to
a separate switch from the others, the links must be kept physically
(normal) or logically (VPN in switches) separated. The SQL Servers that
feed the web servers must only use one NIC in each machine and be connected
to the Gigabit side only.

You probably do *not* want routing enabled on the Web Servers. You do not
want the users getting across them to the SQL Servers. Only the "web
services" on the web servers will contact the SQL Servers and they don't
need routing enabled to do that. Contrary to what it may appear, there
really is *no* Layer3 Routing occurring here. With "routing" not enabled,
only things running *on* the Web Servers themselves can see both sides,
while nothing external to them can pass across in either direction.

The worst you may have to do is use Host files on the web servers so they
can figure out where the SQL Servers are, or better yet just contact the SQL
Servers by IP# instead of the hostname and you won't have to worry about it.

The Web Servers will be dual-homed (two nics), the SQL Servers will only be
single-homed (one nic).
[192.168.x.x] [Public IP#]
[Single Gig Sw] [Single 100 Sw]
SQL1 ----> Gigabit ----> WebSer1 ----> 100mbps ----> Internet
SQL2 ----> Gigabit ----> WebSer2 ----> 100mbps ----> Internet
SQL3 ----> Gigabit ----> WebSer3 ----> 100mbps ----> Internet
SQL4 ----> Gigabit ----> WebSer4 ----> 100mbps ----> Internet

Anyway,.... this was off the top of my head, so verify it thoroughly yourself
before you put it into service.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

"Jim" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Current:
>
> 5 SA Win2k servers. - web, mail, SQL etc.
> All 5 servers have from 1 to many public routable IP's on them.
> All connect at 100Mb to a switch that is exposed to the net.
>
> Adding:
>
> 3 SA Win2K3 AS. - SQL, SQL, web
>
> What I would like to do is keep each server connected to the 100Mb WAN
> switch for web traffic and add a Gb LAN (192.168.xxx.xxx) for traffic
> between them.
>
> I would end up with 8 servers connected to each switch.
>
> Here's where I lose understanding. I would like for each server to answer
> web requests through the 100Mb switch and for them to talk to each other
> through the Gb switch. Did I make any sense? Example: When a web request
> comes into the web server on the WAN that requires a transaction with the
> SQL server, I want the transaction with the SQL server to go through the Gb
> LAN, then the webserver would fulfill the request back out the WAN.
>
> Thanks,
> Jim
>
>
>
>



 
 
Jim
      04-12-2004, 10:56 PM
Phillip,

Thanks for the reply.

The main reason that the SQL needs to be on a routable IP as well is so that
SQL authors can publish and manage their DB's from outside.

For some reason, I think that this issue, although simple enough to imagine,
just doesn't work that way when it comes to the services. Something as
simple as a DNS query from one of the servers I would want to go through the
LAN.

Typically our web/DB users would connect to the SQL by their website using
the server name or IP. So in the scenario you described they would simply
connect to 192.168.XXX.XXX for the DB server address instead of the public
number? Seems easy enough.

How about things like log file or doing a backup of information from one
machine to another, or simply moving files around? Which NIC will the OS
want to use for the task? How do I force one over another?

Thank you for the help,

Jim


"Phillip Windell" <@.> wrote in message
news:%(E-Mail Removed)...
> Make sure the websites are explicitly bound to an IP# from the slower 10mbps
> link (not set to "all unassigned"). On the Gigabit NICs, connect them to
> a separate switch from the others, the links must be kept physically
> (normal) or logically (VPN in switches) separated. The SQL Servers that
> feed the web servers must only use one NIC in each machine and be connected
> to the Gigabit side only.
>
> You probably do *not* want routing enabled on the Web Servers. You do not
> want the users getting across them to the SQL Servers. Only the "web
> services" on the web servers will contact the SQL Servers and they don't
> need routing enabled to do that. Contrary to what it may appear, there
> really is *no* Layer3 Routing occurring here. With "routing" not enabled,
> only things running *on* the Web Servers themselves can see both sides,
> while nothing external to them can pass across in either direction.
>
> The worst you may have to do is use Host files on the web servers so they
> can figure out where the SQL Servers are, or better yet just contact the SQL
> Servers by IP# instead of the hostname and you won't have to worry about it.
>
> The Web Servers will be dual-homed (two nics), the SQL Servers will only be
> single-homed (one nic).
> [192.168.x.x] [Public IP#]
> [Single Gig Sw] [Single 100 Sw]
> SQL1 ----> Gigabit ----> WebSer1 ----> 100mbps ----> Internet
> SQL2 ----> Gigabit ----> WebSer2 ----> 100mbps ----> Internet
> SQL3 ----> Gigabit ----> WebSer3 ----> 100mbps ----> Internet
> SQL4 ----> Gigabit ----> WebSer4 ----> 100mbps ----> Internet
>
> Anyway,.... this was off the top of my head, so verify it thoroughly yourself
> before you put it into service.
>
> --
>
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>



 
 
Phillip Windell
      04-13-2004, 02:14 PM
"Jim" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> The main reason that the SQL needs to be on a routable IP as well is so that
> SQL authors can publish and manage their DB's from outside.


Then probably none of this would work. I suspect it is a situation like the
old saying, "You can't have your cake and eat it too". You'd probably just
have to run Gigabit on everything and only have one NIC in each machine.
Incoming internet users will never go faster than the T1 line (or whatever
you use), so worrying about having two different speed segments is kind of
pointless anyway.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


 
 
Jim
      04-13-2004, 08:55 PM
Well that's a real bummer. You would think that the OS would have more
ability in relation to network traffic and routing.

Jim


"Phillip Windell" <@.> wrote in message
news:%(E-Mail Removed)...
> "Jim" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > The main reason that the SQL needs to be on a routable IP as well is so
> > that SQL authors can publish and manage their DB's from outside.
>
> Then probably none of this would work. I suspect it is a situation like the
> old saying, "You can't have your cake and eat it too". You'd probably just
> have to run Gigabit on everything and only have one NIC in each machine.
> Incoming internet users will never go faster than the T1 line (or whatever
> you use), so worrying about having two different speed segments is kind of
> pointless anyway.
>
> --
>
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
>



 
 
Phillip Windell
      04-13-2004, 10:10 PM
As I said,..there is no routing here,...none,...this isn't layer3 routing,
you are not passing across a router between each machine. It isn't the
OS,...it is the way Ethernet and TCP/IP,.. as a technology,..function. It
would be no different if you were running Linux on those boxes.

Now if you dual-home every machine, bind the websites explicitly to the
public IP#s, and access all the SQL servers from the webserver (the
website's code) using explicitly the private IP#s you might get something
like you are wanting. But then you are giving an attacker an extremely big
target. All your machines would effectively be "side-by-side" and have a
presence on both the private and public networks at the same time.

The question is, is it worth it? Are you sure you are not over-estimating
the traffic load on the wire? Are you sure that a simple 100mbps link
wouldn't handle it just fine?

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


"Jim" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Well that's a real bummer. You would think that the OS would have more
> ability in relation to network traffic and routing.
>
> Jim
>
>
> "Phillip Windell" <@.> wrote in message
> news:%(E-Mail Removed)...
> > "Jim" <(E-Mail Removed)> wrote in message
> > news:(E-Mail Removed)...
> > > The main reason that the SQL needs to be on a routable IP as well is so
> > > that SQL authors can publish and manage their DB's from outside.
> >
> > Then probably none of this would work. I suspect it is a situation like the
> > old saying, "You can't have your cake and eat it too". You'd probably just
> > have to run Gigabit on everything and only have one NIC in each machine.
> > Incoming internet users will never go faster than the T1 line (or whatever
> > you use), so worrying about having two different speed segments is kind of
> > pointless anyway.
> >
> > --
> >
> > Phillip Windell [MCP, MVP, CCNA]
> > www.wandtv.com
> >
> >

>
>
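
An added example, not part of any post in this thread: a check that a dual-homed server's listeners face only the side they are meant to, flagging services left on the wildcard address ("all unassigned") that the post above warns would sit on both networks at once. The `netstat -an` rows, the addresses (203.0.113.10 as the public IP, 192.168.10.5 as the Gb LAN IP) and the port policy are constructed assumptions.

```python
import ipaddress

# Constructed sample: rows in `netstat -an` format from a dual-homed server.
# 203.0.113.10 stands in for the public IP, 192.168.10.5 for the Gb LAN IP.
SAMPLE_NETSTAT = """\
  TCP    203.0.113.10:80       0.0.0.0:0           LISTENING
  TCP    0.0.0.0:25            0.0.0.0:0           LISTENING
  TCP    0.0.0.0:1433          0.0.0.0:0           LISTENING
  TCP    192.168.10.5:139      0.0.0.0:0           LISTENING
  TCP    203.0.113.10:80       198.51.100.7:1044   ESTABLISHED
"""

PRIVATE_LAN = ipaddress.ip_network("192.168.0.0/16")
# Assumed policy for this example: the side each service port may face.
POLICY = {80: "public", 25: "public", 1433: "private", 139: "private"}

def exposure(addr):
    """Classify a local bind address as 'both', 'private' or 'public'."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:  # 0.0.0.0 means every NIC ("all unassigned")
        return "both"
    return "private" if ip in PRIVATE_LAN else "public"

def parse_listeners(text):
    """Yield (address, port) for each TCP row in LISTENING state."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[0] == "TCP" and fields[3] == "LISTENING":
            addr, _, port = fields[1].rpartition(":")
            yield addr, int(port)

def audit(text, policy=POLICY):
    """Return (port, address, reason) for listeners that violate the policy."""
    findings = []
    for addr, port in parse_listeners(text):
        allowed = policy.get(port)
        seen = exposure(addr)
        if allowed is None:
            findings.append((port, addr, "no policy entry"))
        elif seen != allowed:
            findings.append((port, addr, f"bound {seen}, policy {allowed}"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_NETSTAT):
        print(finding)
```

In the sample, the mail and SQL listeners are reported because they are bound to 0.0.0.0 and so answer on the public NIC as well as the private one.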



 
 
Developer
      04-14-2004, 10:04 PM
Jim,

>>Well that's a real bummer. You would think that the OS would have more
>>ability in relation to network traffic and routing.


Can't you do this by placing all of the (necessary/desired) servers on
the Gb LAN Switch, then uplink the slower 100 Mb switch to the Gb switch
and then link the router to an interface on the 100 Mb switch along with
all other non-Gb network hosts? This is how I have set up the operation
on our LAN here. There is a weak text example below:

{8 Servers} ~> {Gb Switch} ~> {100 Mb switch} ~> (other network hosts +
Gateway/Router) ~> Internet/WAN

--

Regards,

Troy
 