bridge - very basic question - TCP-IP


  1. bridge - very basic question

    I am aware that this is a very basic network question [maybe even funny for
    experienced persons], but if somebody could put a comment...

    Having two LAN segments [TCP/IP], in two buildings, with the same IP subnet
    [of course, each IP address being unique], I want to connect them by some
    layer-2 bridge device; it would be two cheap routers having a VPN tunnel
    between them, and configured as bridges.

    Question:
    when connecting LAN segments with a router, I need to set up a gateway on each
    side, but with a bridge, do I need *any* adjustment in these two LAN segments,
    or do they become automatically connected, just like when they are connected
    through a switch/hub?

    Any explanation?

    Thanks!




  2. Re: bridge - very basic question

    On Apr 10, 1:27 am, "sali" wrote:
    > I am aware that this is a very basic network question [maybe even funny for
    > experienced persons], but if somebody could put a comment...
    >
    > Having two LAN segments [TCP/IP], in two buildings, with the same IP subnet
    > [of course, each IP address being unique], I want to connect them by some
    > layer-2 bridge device; it would be two cheap routers having a VPN tunnel
    > between them, and configured as bridges.
    >
    > Question:
    > when connecting LAN segments with a router, I need to set up a gateway on each
    > side, but with a bridge, do I need *any* adjustment in these two LAN segments,
    > or do they become automatically connected, just like when they are connected
    > through a switch/hub?



    Hubs are dumb devices that basically propagate all signals out all
    ports.

    Switches, OTOH, *are* bridges. "Switch" is just a more fashionable
    marketing term for bridges. In fact, all proper switches (this
    excludes some very low end ones) implement 802.1, which is the basic
    protocol for spanning-tree bridging.

    Anyway, if your "routers" are configured as 802.1 bridges, they'll
    work just like any bridge or switch implementing 802.1.

    The type of device you're proposing was traditionally called a remote
    bridge, and other than performance issues, works pretty much as you'd
    expect.

    OTOH, most bridges aren't very bright when it comes to varying speed
    links, and many people prefer to use routers in that situation.

    Another question is why these two LANs have the same subnet address,
    and what will happen once you connect them. Remember that you may
    suddenly be routing internet traffic from one building through your
    bridge link if you do this. There are also security issues. So
    really, what problem are you trying to solve? I'm not saying this is
    the wrong solution, but it's not commonly the correct one. And just
    to head this one off at the pass, being unable to renumber the subnets
    isn't really the issue - there has to be some reason you can't.


  3. Re: bridge - very basic question

    wrote in newsgroup message
    3b8469ae-4466-41e5-9784-061e59649909@24g2000hsh.googlegroups.com...
    On Apr 10, 1:27 am, "sali" wrote:
    >> I am aware that this is a very basic network question [maybe even funny for


    >> side, but with a bridge, do I need *any* adjustment in these two LAN
    >> segments, or do they become automatically connected, just like when they
    >> are connected through a switch/hub?


    First of all, thanks for your explanatory answer.


    > marketing term for bridges. In fact, all proper switches (this
    > excludes some very low end ones) implement 802.1,


    Low-cost, does it mean "unmanaged"?
    Most of the switches we are using are cheap [EUR 200 and less, depending on
    the number of ports] 10/100/1000 Planet, TRENDnet or D-Link, without any
    adjustment, just plug in, cascading or whatever; all of them are autosensing.
    Are they supposed to be 802.1 compatible?


    > really, what problem are you trying to solve? I'm not saying this is
    > the wrong solution, but it's not commonly the correct one. And just


    Very simple: a few guys are temporarily moving with their computers from one
    building to the other, and my idea was to have a "bridge" [the buildings are too
    distant to make a "wired" connection; they are not even in the same town] to
    fool their computers into believing they are still in the old place, and to
    continue operating and accessing the database servers at the old location as
    before, without any adjustment. The overhead over the bridged connection is
    acceptable and estimated not to be problematic.
    "True" routing is also an option, but then I need to add and configure a new
    router, create a new subnet, and reconfigure [add a route on] a few of the other
    routers involved in the network. For adding a router [Cisco] I need a budget,
    and for re-routing I need network admin assistance.

    I had a very simple scenario in mind:
    that "bridged" router will examine every Ethernet packet arriving from the
    LAN side, check the layer-2 header [MAC address], and then the packets which are
    targeting the "other" side's computers will be pulled over the bridge and
    sent across.




  4. Re: bridge - very basic question

    On Apr 10, 9:14 am, "sali" wrote:
    > > marketing term for bridges. In fact, all proper switches (this
    > > excludes some very low end ones) implement 802.1,

    >
    > Low-cost, does it mean "unmanaged"?
    > Most of the switches we are using are cheap [EUR 200 and less, depending on
    > the number of ports] 10/100/1000 Planet, TRENDnet or D-Link, without any
    > adjustment, just plug in, cascading or whatever; all of them are autosensing.
    > Are they supposed to be 802.1 compatible?



    No, I mean *really* low cost, sometimes the "switches" embedded in DSL
    or cable modems, or the little five-port things. I'd be leery of
    stuff sold for the SOHO market (although certainly not all of that
    will fail that requirement). Most (all?) unmanaged business class
    switches will be just fine.


    > > really, what problem are you trying to solve? I'm not saying this is
    > > the wrong solution, but it's not commonly the correct one. And just

    >
    > Very simple: a few guys are temporarily moving with their computers from one
    > building to the other, and my idea was to have a "bridge" [the buildings are too
    > distant to make a "wired" connection; they are not even in the same town] to
    > fool their computers into believing they are still in the old place, and to
    > continue operating and accessing the database servers at the old location as
    > before, without any adjustment. The overhead over the bridged connection is
    > acceptable and estimated not to be problematic.
    > "True" routing is also an option, but then I need to add and configure a new
    > router, create a new subnet, and reconfigure [add a route on] a few of the other
    > routers involved in the network. For adding a router [Cisco] I need a budget,
    > and for re-routing I need network admin assistance.
    >
    > I had a very simple scenario in mind:
    > that "bridged" router will examine every Ethernet packet arriving from the
    > LAN side, check the layer-2 header [MAC address], and then the packets which are
    > targeting the "other" side's computers will be pulled over the bridge and
    > sent across.



    An issue will be that any routers that are really connected to those two
    subnets will not see each other, and may try to route across the
    remote bridge. But so long as that's not an issue, or you can manage
    it, that should work. If you can route *all* their internet traffic
    through your network, you'll probably be a lot happier (and would
    basically eliminate most of the non-performance related problems).
    IOW, the only reason the new building would have an Internet
    connection would be to support the remote bridge link. If a user in
    the new building accessed a web site on the internet, the traffic
    would actually go out to the Internet via the main building connection
    (after coming in via the VPN/remote bridge link). That way you only
    need to maintain your existing firewall and security infrastructure
    (mind you that can do that with a routing implementation too).

    But what hardware are you going to use to implement these remote
    bridges that you can't just configure as a router instead? I don't
    know the last time I saw a dedicated remote bridge device, sure, you
    can configure any Linux box or Cisco router (running IOS), to remote
    bridge, but you can also configure those as routers.
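    The forwarding rule sali sketches in post 3 and the reply above confirms (look only at the layer-2 destination, learn which side each MAC lives on, and push across the link only what belongs there), as an added example that is not part of the original thread: a Python simulation of a two-port learning bridge, viewed from the main building, with the OpenVPN tap link as the second port. All MAC addresses and frame labels are constructed. It also makes the two caveats from the replies concrete: every broadcast (ARP included) crosses the WAN link, and the main router's gateway traffic shares one broadcast domain with the remote office, with no IP or gateway setting changed on any host.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed MAC addresses for the two buildings (not from the thread).
DB_SERVER = "00:11:22:aa:bb:01"   # database server, main building LAN
GATEWAY = "00:11:22:aa:bb:fe"     # the Cisco default gateway, main building LAN
LOCAL_PC = "00:11:22:aa:bb:02"    # workstation that stayed in the main building
MOVED_PC = "00:11:22:cc:dd:01"    # workstation that moved, now behind the tunnel
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str
    dst: str
    label: str      # human-readable description of the payload, for the log


def is_group_address(mac: str) -> bool:
    """Broadcast and multicast MACs have the low bit of the first octet set."""
    return int(mac.split(":")[0], 16) & 1 == 1


@dataclass
class LearningBridge:
    """Two-port transparent bridge as seen from the main building: port "lan" is
    the local Ethernet, port "tunnel" is the OpenVPN tap link. It never looks at
    IP headers, which is why hosts keep their addresses and default gateway."""
    ports: Tuple[str, ...] = ("lan", "tunnel")
    table: Dict[str, str] = field(default_factory=dict)          # MAC -> port
    log: List[Tuple[str, Frame]] = field(default_factory=list)   # (out port, frame)

    def receive(self, in_port: str, frame: Frame) -> List[str]:
        """Learn the source MAC, then return the ports the frame is sent out of."""
        # Learning: whatever sent this frame lives behind in_port.
        self.table[frame.src] = in_port
        # Forwarding: broadcast/multicast and unknown unicast are flooded to every
        # other port; known unicast goes only to the learned port, and is dropped
        # when the destination sits on the port the frame arrived from.
        if is_group_address(frame.dst) or frame.dst not in self.table:
            out = [p for p in self.ports if p != in_port]
        else:
            learned = self.table[frame.dst]
            out = [] if learned == in_port else [learned]
        for p in out:
            self.log.append((p, frame))
        return out


def run_scenario() -> Dict[str, object]:
    """Replay the move described in the thread step by step and record what
    crosses the WAN link: per-step output ports, the learned table and the
    labels of every frame that went over the tunnel."""
    bridge = LearningBridge()
    steps: Dict[str, List[str]] = {}
    # 1. The moved PC ARPs for the database server: the broadcast arrives over
    #    the tunnel and is flooded onto the main-building LAN.
    steps["arp_request"] = bridge.receive("tunnel", Frame(MOVED_PC, BROADCAST, "ARP who-has db"))
    # 2. The server answers with a unicast; the PC's MAC was learned behind the
    #    tunnel, so the reply goes only across the link.
    steps["arp_reply"] = bridge.receive("lan", Frame(DB_SERVER, MOVED_PC, "ARP db is-at"))
    # 3. The database session itself: known unicast, delivered to the LAN port.
    steps["query"] = bridge.receive("tunnel", Frame(MOVED_PC, DB_SERVER, "TCP SYN to db"))
    # 4. Two hosts that both stayed in the main building: their unicast never
    #    touches the tunnel, but the ARP broadcast that precedes it still does.
    steps["local_arp"] = bridge.receive("lan", Frame(LOCAL_PC, BROADCAST, "ARP who-has db"))
    steps["local_unicast"] = bridge.receive("lan", Frame(LOCAL_PC, DB_SERVER, "SMB to db"))
    # 5. The gateway's own broadcasts cross the link too: the remote office is in
    #    the same broadcast domain as the main router.
    steps["gateway_broadcast"] = bridge.receive("lan", Frame(GATEWAY, BROADCAST, "ARP who-has local pc"))
    tunnel_frames = [f.label for port, f in bridge.log if port == "tunnel"]
    return {"steps": steps, "table": dict(bridge.table), "tunnel_frames": tunnel_frames}


if __name__ == "__main__":
    result = run_scenario()
    for name, ports in result["steps"].items():
        print(f"{name:18} -> {ports or ['(dropped)']}")
    print("crossed the tunnel:", result["tunnel_frames"])
```

    Running it shows why the question in post 1 has the answer "no adjustment": the moved PC's ARP and TCP traffic reach the server by MAC address alone. The `tunnel_frames` list is the cost side: with the single local host in the simulation, half of the frames that went over the WAN were broadcasts that had nothing to do with the remote office, and a real LAN with dozens of hosts, Windows browsing and DHCP chatter generates far more of them.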

  5. Re: bridge - very basic question

    wrote in newsgroup message
    e6a72f7a-f302-4b68-a39a-a92a986e6f7e@a1g2000hsb.googlegroups.com...
    On Apr 10, 9:14 am, "sali" wrote:

    > If a user in the new building accessed a web site on the internet, the
    > traffic
    > would actually go out to the Internet via the main building connection


    Yes, I understand; anyway, this remote office will be connected just with a
    bridge to the main location, no other gateways.


    > But what hardware are you going to use to implement these remote
    > bridges that you can't just configure as a router instead? I don't
    > know the last time I saw a dedicated remote bridge device, sure, you
    > can configure any Linux box or Cisco router (running IOS), to remote
    > bridge, but you can also configure those as routers.


    I had in mind the Linksys WRT54GL, which is a cheap [EUR 75] small Linux box. There
    are ready-built custom firmwares to replace the original Linksys firmware [for
    example X-Wrt] which give you full access to the Linksys hardware, and then
    it operates as ordinary Linux. The software package contains OpenVPN, which is
    said to be easy to use to connect two of those devices into a secure and reliable
    bridge.

    But you are talking about a solution with a routed connection.
    Am I allowed to connect an additional router to the main location's subnet besides
    the main router [Cisco 175, by which the main location is connected with the
    rest of the world]?
    Now, that main router is set as the "gateway" in the network config, so
    each computer [including the database servers] may communicate with the rest of the
    world.
    Does connecting an additional router [instead of my "bridge"] require me to
    reconfigure each computer at the main location to recognize that newly added router?
    Or not?

    [Sorry, these questions are probably answered in every Cisco schoolbook, and
    I am asking here too much ...]



  6. Re: bridge - very basic question

    On Apr 11, 2:46 am, "sali" wrote:
    > wrote in newsgroup message
    > e6a72f7a-f302-4b68-a39a-a92a986e6...@a1g2000hsb.googlegroups.com...
    > On Apr 10, 9:14 am, "sali" wrote:
    >
    > > If a user in the new building accessed a web site on the internet, the
    > > traffic
    > > would actually go out to the Internet via the main building connection

    >
    > Yes, I understand; anyway, this remote office will be connected just with a
    > bridge to the main location, no other gateways.
    >
    > > But what hardware are you going to use to implement these remote
    > > bridges that you can't just configure as a router instead? I don't
    > > know the last time I saw a dedicated remote bridge device, sure, you
    > > can configure any Linux box or Cisco router (running IOS), to remote
    > > bridge, but you can also configure those as routers.

    >
    > I had in mind the Linksys WRT54GL, which is a cheap [EUR 75] small Linux box. There
    > are ready-built custom firmwares to replace the original Linksys firmware [for
    > example X-Wrt] which give you full access to the Linksys hardware, and then
    > it operates as ordinary Linux. The software package contains OpenVPN, which is
    > said to be easy to use to connect two of those devices into a secure and reliable
    > bridge.
    >
    > But you are talking about a solution with a routed connection.
    > Am I allowed to connect an additional router to the main location's subnet besides
    > the main router [Cisco 175, by which the main location is connected with the
    > rest of the world]?
    > Now, that main router is set as the "gateway" in the network config, so
    > each computer [including the database servers] may communicate with the rest of the
    > world.
    > Does connecting an additional router [instead of my "bridge"] require me to
    > reconfigure each computer at the main location to recognize that newly added router?
    > Or not?
    >
    > [Sorry, these questions are probably answered in every Cisco schoolbook, and
    > I am asking here too much ...]



    In general, IP addresses don't have to stay the same for access to the
    servers, since they're accessed via their DNS names (not that people
    don't, on occasion, hardcode such addresses, but that's usually a bad
    idea).

    You'd have a DHCP server on the new subnet (this might well be
    proxied), so that all the machines would get the correct address info,
    which includes their default gateway (router). There may be some
    routing configuration to do, depending on which routing protocol you
    use, but often the new router, which needs to be configured with the
    correct subnets and whatnot on each interface, will automatically
    start interacting with the existing routers, and they'll figure out
    the network topology so they can all correctly forward packets. So
    the new DHCP server points the machines on the new subnet at the new
    router (plus your normal DNS server and whatnot), and pretty much away
    you go.

  7. Re: bridge - very basic question

    wrote in newsgroup message
    bc82d49a-7e54-41fd-bc5e-6d25f2af07ea@f36g2000hsa.googlegroups.com...
    On Apr 11, 2:46 am, "sali" wrote:
    > wrote in newsgroup message
    > e6a72f7a-f302-4b68-a39a-a92a986e6...@a1g2000hsb.googlegroups.com...
    > On Apr 10, 9:14 am, "sali" wrote:
    >


    > and pretty much away you go.



    I don't know why, but our routers and our servers are all organized with
    static IP addresses, and yes, the dev guys hardcoded the server addresses
    into our internal business apps [maybe for some security reason, I am not sure].

    Also, there is usually a problem when the network admin changes routers; there
    is never "automatic topology recognition", but he needs a few attempts until
    the system becomes stable again.
    For such a reason, we employ just a star topology, because we were told
    that an n x n mesh [every location with every location] is way too complex to
    be managed efficiently. As far as I know, the network admin has hardcoded routes
    and subnets at each router [Cisco]. Maybe the reason is that our VPN is over a
    public network [Internet] and the routers at the locations are at the same time
    nodes of the VPN over the public network.

    Thanks again for your explanations; I need a little time to examine it and
    analyse it with my network admin.




  8. Re: bridge - very basic question

    On Apr 11, 1:49 pm, "sali" wrote:
    > wrote in newsgroup message
    > bc82d49a-7e54-41fd-bc5e-6d25f2af0...@f36g2000hsa.googlegroups.com...
    > On Apr 11, 2:46 am, "sali" wrote:
    >
    > > wrote in newsgroup message
    > > e6a72f7a-f302-4b68-a39a-a92a986e6...@a1g2000hsb.googlegroups.com...
    > > On Apr 10, 9:14 am, "sali" wrote:

    >
    > > and pretty much away you go.

    >
    > I don't know why, but our routers and our servers are all organized with
    > static IP addresses, and yes, the dev guys hardcoded the server addresses
    > into our internal business apps [maybe for some security reason, I am not sure].



    Routers are almost always configured with static addresses (ignoring
    consumer type DSL/cable routers), and servers very often are. There
    is no gain in security by using hard-coded IP addresses (although that is
    a common belief), and a great increase in pain (IOW, you can't ever
    move anything without all the applications breaking).


    > Also, there is usually a problem when the network admin changes routers; there
    > is never "automatic topology recognition", but he needs a few attempts until
    > the system becomes stable again.
    > For such a reason, we employ just a star topology, because we were told
    > that an n x n mesh [every location with every location] is way too complex to
    > be managed efficiently. As far as I know, the network admin has hardcoded routes
    > and subnets at each router [Cisco]. Maybe the reason is that our VPN is over a
    > public network [Internet] and the routers at the locations are at the same time
    > nodes of the VPN over the public network.



    This can be a complicated area, but static routes at edges and VPN
    points are fairly common. But I'm not sure, especially with a simple
    star, that you should see much in the way of trouble, unless they've
    gone to a completely static route setup, but I'll leave that to your
    admins. But if doing something as simple as adding another subnet, or
    just another remote office, is cause for great grief, then somebody
    needs to step back and take a look at what's going on, because it
    really shouldn't be that hard. It may be that your network evolved more
    than was planned, and you've got the classic patch-on-top-of-patch
    situation for your topology and routing, but at some point you
    need to rationalize that (which is rather obviously beyond the scope
    of your immediate requirement).

  9. Re: bridge - very basic question

    On Fri, 11 Apr 2008 09:46:24 +0200, sali wrote:

    > I had in mind the Linksys WRT54GL, which is a cheap [EUR 75] small Linux box.
    > There are ready-built custom firmwares to replace the original Linksys
    > firmware [for example X-Wrt] which give you full access to the Linksys
    > hardware, and then it operates as ordinary Linux. The software package
    > contains OpenVPN, which is said to be easy to use to connect two of those
    > devices into a secure and reliable bridge.


    Yes, yes, yes, a VERY good solution. You still have all the drawbacks of
    bridging over long distances, but that is about as good as it gets. And
    it costs next to absolutely nothing.

    Mind you, IIRC you may run into MTU issues. But the openvpn mailinglist
    is a very good resource to help you with problems. And mostly it's just
    set up and forget, openvpn is very good and the linksys wrt54 gear runs
    it perfectly. (I actually haven't done it myself, but I know many people
    who have).

    I would go for openwrt, as that is the distro most people seem to use on
    the wrt54.

    HTH,
    M4
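    The MTU issue M4 mentions above, as an added example that is not part of the original thread: a Python calculation of how much of the WAN packet the tap-over-UDP encapsulation eats, what is left for the bridged hosts, and the TCP MSS value a clamp should enforce. The OpenVPN per-packet overhead figure (41 bytes) is an assumption for illustration; the real number depends on the cipher and HMAC configured, so measure it on the actual tunnel before relying on it. The sample traffic at the bottom is constructed.

```python
# Header sizes (bytes) of the layers stacked on the WAN side of the bridge.
ETHERNET_HEADER = 14   # header of the bridged frame itself, carried inside the tap tunnel
IPV4_HEADER = 20
UDP_HEADER = 8
TCP_HEADER = 20
# Per-packet OpenVPN cost (opcode, packet id, IV, HMAC, cipher padding). It depends on
# the cipher and auth settings in use, so this is an illustrative assumption, not a
# measured figure for any particular OpenVPN build or configuration.
ASSUMED_OPENVPN_OVERHEAD = 41


def tunnel_budget(wan_mtu: int = 1500, vpn_overhead: int = ASSUMED_OPENVPN_OVERHEAD) -> dict:
    """Largest inner IP packet a bridged host can send before the encapsulated UDP
    datagram no longer fits into one WAN packet, plus the matching TCP MSS."""
    encapsulation = IPV4_HEADER + UDP_HEADER + vpn_overhead + ETHERNET_HEADER
    inner_mtu = wan_mtu - encapsulation
    return {
        "encapsulation_bytes": encapsulation,
        "inner_mtu": inner_mtu,
        "tcp_mss": inner_mtu - IPV4_HEADER - TCP_HEADER,
        # Hosts on both LANs still believe they sit on plain 1500-byte Ethernet,
        # because a transparent bridge gives them nothing from which to learn otherwise.
        "shortfall_vs_1500": 1500 - inner_mtu,
    }


def classify(ip_len: int, inner_mtu: int) -> str:
    """Fate of one inner IP packet at the tunnel endpoint. The bridge is a layer-2
    device and never sends ICMP 'fragmentation needed' back to the sender, so an
    oversized packet is either carried as fragments of the outer UDP datagram
    (slow, and often dropped by firewalls or NAT) or lost outright."""
    return "fits" if ip_len <= inner_mtu else "oversize"


def clamp_mss(advertised_mss: int, tcp_mss: int) -> int:
    """What MSS clamping (OpenVPN's mssfix, or an iptables TCPMSS rule) does to a
    TCP SYN passing through the tunnel: the peer is told to send segments that fit."""
    return min(advertised_mss, tcp_mss)


def oversize_senders(samples, inner_mtu: int) -> list:
    """From (host, ip_len) samples, list the hosts whose packets would not fit."""
    return sorted({host for host, ip_len in samples if classify(ip_len, inner_mtu) == "oversize"})


if __name__ == "__main__":
    plan = tunnel_budget()
    print(plan)
    # Constructed sample traffic from the bridged segment (not captured data).
    samples = [("moved-pc-1", 1500), ("moved-pc-2", 576), ("moved-pc-3", 1417)]
    print("hosts sending packets the tunnel cannot carry whole:",
          oversize_senders(samples, plan["inner_mtu"]))
    print("SYN with MSS 1460 leaves the tunnel advertising", clamp_mss(1460, plan["tcp_mss"]))
```

    With the assumed overhead, a 1500-byte WAN leaves 1417 bytes for inner packets and a TCP MSS of 1377. Clamping covers TCP only; UDP and ICMP from the bridged hosts have no such knob, so either lower the MTU on the moved workstations or accept outer fragmentation and check that the firewalls in the path pass UDP fragments.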

  10. Re: bridge - very basic question

    On Fri, 11 Apr 2008 12:35:09 -0700, robertwessel2@yahoo.com wrote:

    > On Apr 11, 1:49 pm, "sali" wrote:
    >> wrote in newsgroup message
    >> bc82d49a-7e54-41fd-bc5e-6d25f2af0...@f36g2000hsa.googlegroups.com...
    >> On Apr 11, 2:46 am, "sali" wrote:
    >>
    >> > wrote in newsgroup message
    >> > e6a72f7a-f302-4b68-a39a-a92a986e6...@a1g2000hsb.googlegroups.com...
    >> > On Apr 10, 9:14 am, "sali" wrote:

    >>
    >> > and pretty much away you go.

    >>
    >> I don't know why, but our routers and our servers are all organized
    >> with static IP addresses, and yes, the dev guys hardcoded the server
    >> addresses into our internal business apps [maybe for some security reason,
    >> I am not sure].

    >
    >
    > Routers are almost always configured with static addresses (ignoring
    > consumer type DSL/cable routers), and servers very often are. There is
    > no gain in security by using hard-coded IP addresses (although that is a
    > common belief), and a great increase in pain (IOW, you can't ever move
    > anything without all the applications breaking).


    Ouch. You bring back painful memories. A security directive I had to work
    with was that routes had to be as small as possible to get the
    functionality done. That meant lots and lots of host routes. This seems to
    be in the same category.

    On the other hand, security is about CIA: Confidentiality, Integrity and
    Availability. If the availability of your DNS infrastructure is not close
    to 100%, it actually may make sense to use hard-coded IP numbers. Having
    said that, I'm currently involved in a project where all clients have
    some IP numbers hardcoded and the servers are going to move. The new
    servers need to run beside the old servers for various reasons, but in a
    different subnet. Our new outsourcer had fits when we told them their new
    shiny servers could only be deployed by modifying, say, 2000 clients. We
    did warn them beforehand, so it's not our problem.....

    M4
