Well, people ask for the "wrong" thing all the time, and then often they get
mad when we tell them the right way to do the project,..which usually
doesn't involve the incorrect method that they were wanting to do.
Anyway,...If there are the two companies then separate each company into a
separate "network". The best design for two companies on the same LAN with
each using their own Internet links would be this:
Buy 2 LAN Routers (or Layer3 Switches) and put them between the two Networks
[Companies]. Yes I said 2. Each Router is associated with the "company"
that it is adjacent to.
Buy two Firewalls,...one for each link.
Each company uses their own "LAN router" as the Default Gateway of their
LAN. The router then uses the correct Firewall to the correct Internet Link
they are supposed to use. There is nothing unusual here,...it is the same
exact topology as if you were connecting two geographically separate
networks over a private leased line except that in this case the "center
segment" is a Fast Ethernet Link instead of a slow WAN Link. It is the same
principle whether there were 300 miles between the segments or just 3 feet.
[company 1]
|
<LAN switch>-------Firewall 1
|
[LAN Router 1]
|
| (3rd subnet between routers with no Hosts on it)
|
[LAN Router 2]
|
<LAN switch>-------Firewall 2
|
[company 2]
If there were only one Internet Link then you would only need one LAN Router
[company 1]
|
<LAN switch>-------Firewall 1
|
[LAN Router1]
|
[company 2]
If the LAN Router were capable of Source Routing (most are not) then you
would only need one LAN Router. You might also get away with this one if
the Firewall was capable of "re-routing" on the internal side,..but this may
be a fading ability due to security reasons,...for example the newest version
of MS's ISA Server doesn't allow that. In this scenario the Firewall is
the Default Gateway of one of the Networks and then the Firewall "re-routes"
the LAN traffic for the other segment back to the LAN Router.
[company 1]
|
<LAN switch>-------Firewall 1
|
[LAN Router] (with source routing abilities)
|
<LAN switch>-------Firewall 2
|
[company 2]
OR
[company 1]
|
<LAN switch>-------Firewall 1
|
[LAN Router]
|
<LAN switch>-------Firewall 2 (is DFG of Compy2 but re-routes
|                              traffic to Compy1 to LAN Router)
|
[company 2]
But since you have two Internet links and the LAN Router you end up with
probably won't do Source Routing,...you will need two of them
--
Phillip Windell
www.wandtv.com
The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
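To make the routing in the two-router design above concrete, here is an added Python model (not from the post or its author) using constructed addressing: each LAN router does an ordinary longest-prefix lookup and the trace shows which firewall a packet exits by. The single-router variant is modelled too, to show why one box with one default route and no source routing sends both companies out the same firewall.

```python
import ipaddress

# Constructed addressing (an assumption, not from the post):
#   company 1 LAN   10.1.0.0/24   gateway = LAN Router 1, Firewall 1 sits on this segment
#   transit subnet  10.9.0.0/30   router-to-router link with no hosts on it
#   company 2 LAN   10.2.0.0/24   gateway = LAN Router 2, Firewall 2 sits on this segment
# A route is (prefix, next_hop); next_hop None means the prefix is directly connected.
TWO_ROUTERS = {
    "LAN Router 1": [("10.1.0.0/24", None), ("10.9.0.0/30", None),
                     ("10.2.0.0/24", "LAN Router 2"), ("0.0.0.0/0", "Firewall 1")],
    "LAN Router 2": [("10.2.0.0/24", None), ("10.9.0.0/30", None),
                     ("10.1.0.0/24", "LAN Router 1"), ("0.0.0.0/0", "Firewall 2")],
}
TWO_GATEWAYS = {"10.1.0.0/24": "LAN Router 1", "10.2.0.0/24": "LAN Router 2"}

# Single-router variant: one box, one default route, no source routing.
ONE_ROUTER = {
    "LAN Router": [("10.1.0.0/24", None), ("10.2.0.0/24", None),
                   ("0.0.0.0/0", "Firewall 1")],
}
ONE_GATEWAY = {"10.1.0.0/24": "LAN Router", "10.2.0.0/24": "LAN Router"}


def longest_match(table, dst):
    """Plain destination-based lookup: the most specific matching prefix wins."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def trace(tables, gateways, src, dst, max_hops=8):
    """List the devices a packet from src to dst passes through, ending with
    the firewall it leaves by or the segment it is delivered on."""
    src_ip = ipaddress.ip_address(src)
    # The sending host hands the packet to its company's own default gateway.
    hop = next(gw for net, gw in gateways.items() if src_ip in ipaddress.ip_network(net))
    path = []
    while hop in tables and len(path) < max_hops:
        path.append(hop)
        net, next_hop = longest_match(tables[hop], dst)
        if next_hop is None:                      # directly connected: deliver locally
            return path + ["delivered on %s" % net]
        hop = next_hop
    return path + [hop]                           # hop is now a firewall name
```

With two routers each company's Internet traffic leaves by its own firewall and inter-company traffic crosses the transit subnet; with one router, company 2's Internet traffic also lands on Firewall 1.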
"Nick Poore" <(E-Mail Removed)> wrote in message
news:9069F131-DEB0-449D-9E47-(E-Mail Removed)...
> Well there's always a point, or we would not be asking now, would we...
>
> The point is that the shared firewall has two physical internet
> connections, and they want to separate out their internet traffic. (One
> company is 3x the size of the other, and is taking all the small
> company's bandwidth.)
>
> So, it would appear that my best solution is to get a switch with gigabit
> layer-2 routing, and to build some separate LANs, using the switch as my
> router...
>
> Make sure that I keep the servers on a single LAN, with a single NIC in
> each, and then use the switch to allow the separate LANs to access the
> servers.
>
> But yes, this gets harder...
>
> "Bill Grant" wrote:
>
>> Do not even think about putting two NICs in the DCs! It will cause you
>> all sorts of odd problems.
>>
>> There is really no point in separating the workstations onto separate
>> networks if they all use the same servers in the same domain. You could
>> put the workstations into two segments and join them to a third segment
>> containing the servers (using LAN routers), but it wouldn't really make
>> any difference to the way things work.
>>
>> You are correct that all machines must use the local DNS server for AD
>> to work.
>>
>> "Nick Poore" <(E-Mail Removed)> wrote in message
>> news:04A3FF39-AE59-4C16-B725-(E-Mail Removed)...
>> >I have an office which has two physical servers, and is shared by two
>> > companies.
>> >
>> > Both Servers run Windows 2003 Standard Edition.
>> > One server is a file/print server.
>> > One server is an Exchange 2003 server.
>> > Both servers run Active Directory, DNS & WINS.
>> > All servers & workstations are part of the same active directory
>> > domain, and no domain splitting / filtering has been done.
>> >
>> > I have been asked to separate the two companies onto two separate
>> > LANs.
>> >
>> > I know that I can install two NICs into each server, and just put them
>> > in separate subnets.
>> >
>> > However, I'm really concerned about DNS & WINS.
>> > It is required that Workstations use the AD DNS as their primary DNS
>> > server.
>> >
>> > How am I going to guarantee that a workstation on LAN-A will get the IP
>> > address of the file server on LAN-A and not its IP address on LAN-B?
>> >
>> > Basically I need to make sure that all workstations on LAN-A only try
>> > to speak to the server on LAN-A, and all workstations on LAN-B only try
>> > to speak to the server on LAN-B.
>> >
>> > Does that make sense?