I'm starting a job at a small company in a few months (20 staff, one site) and will be responsible for their network setup, which is currently an expensive Windows AD setup by a third party that they're not happy with.
The company wants to move to a fully Linux based network. I've got experience with Linux as a webserver, and basic Windows networking administration, but no significant Linux networking experience.
I've not painted myself as having more experience than I have, but I'll need to learn and setup a Linux office network - I'm looking for some advice on design/best practise and learning, or some resources to go to. There are a lot of tutorials on the internet, but I'm trying to find something more comprehensive. A lot of books seem to be very old and I'm wondering whether they're relevant at all.
From some helpful forums, chat with a couple of friends, and a LOT of test VMs on my home machine, I've mapped the required services into:
-
Internal Servers (including the DNS and DHCP servers themselves, logging, Puppet, etc.) [10.0.x.x]
-
Desktops and Laptops, and Authenticated Wireless [10.1.x.x]
-
Unauthenticated Wireless (guest internet access only, nothing else) [10.255.x.x]
The first two subnets need to talk to each other, of course, the last one needs to be segregated. I'm not quite sure if the Authenticated Wireless needs to be a separate subnet. Of course, I'm anticipating all servers as being virtualised on KVM or similar - for now I'm using VirtualBox for my test networks.
So a few questions:
-
Are there any things I can do to make this setup better, more secure, or easier to use?
-
I think I should be setting up all servers via host{} reservations, and all client machines via DHCP, are there any exceptions? I'm thinking the only machines not using DHCP should be the router, VMMs and the DHCP server(s) themselves.
-
I'm a little confused as to HOW to split out the scopes in such a way that the first two can talk to each other, but the unauthenticated one can't. I think I should be using a shared-network{} directive with two scope{}s inside it, but do I need to change the subnet masks?
-
Do I need a separate firewall or should the router act as the firewall (assuming it has the functionality)?
-
My router IP is 10.0.0.1, and the primary DHCP server is 10.0.1.1. What IP address should I use as the "router" and "broadcast address"?
-
Does the DHCP server need multiple NICs?
-
Any recommendations on good current books and reference documents for this topic?
My current dhcpd.conf looks like the below. The hard coded hosts work fine, but nothing gets an ip via dhcp.
default-lease-time 600;
max-lease-time 7200;
option subnet-mask 255.255.255.0;
option broadcast-address 10.0.0.255;
option routers 10.0.0.1;
option domain-name-servers 10.0.2.1, 10.0.2.2;
authoritative;
shared-network {
subnet 10.0.0.0 netmask 255.255.255.0 {
No auto-allocating here, only hosts
deny unknown-clients;
}
subnet 10.1.0.0 netmask 255.255.255.0 {
range 10.1.0.1 10.1.255.255;
deny unknown-clients;
}
Various host declarations for the servers.
host {}
host {}
}
subnet 10.255.0.0 netmastk 255.255.255.0 {
range 10.255.0.1 10.255.255.255;
allow unknown-clients;
}
Thanks and apologies for formatting. Mobile, etc
No comments:
Post a Comment