2 Domains, 1 Subnet

Discussion in 'MCSE' started by TBone, Apr 3, 2009.

  1. TBone

    TBone Guest

    After I wrote that I realized *what else* it might seem like...

    Yet I'm hoping to get a serious answer...

    I am simplifying our network, but I have an ongoing argument with the
    owner of the company (who admits to knowing nothing about networking)
    that our production domain and test domain should be on separate subnets
    (i.e. 10.1.1.x and 10.1.2.x). He says that he wants the management of
    the network to be simplified and therefore we should run both domains in
    the same subnet. We have about 100 workstations and 10 servers, so this
    is not a big network by any means.

    I know it can be done either way. The reason I'm posting is to hopefully
    call on the collective experience of the froup about the advantages of
    doing this one way or the other.

    Only caveat is users in the production domain will need to be able to
    connect and work with servers in the test domain.

    -------

    Thanks,
    T-Bone
    MCNGP XL
     
    TBone, Apr 3, 2009
    #1

  2. TBone

    James Guest

    TBone wrote:
    > After I wrote that I realized *what else* it might seem like...
    >
    > Yet I'm hoping to get a serious answer...
    >
    > I am simplifying our network, but I have an ongoing argument with the
    > owner of the company (who admits to knowing nothing about networking)
    > that our production domain and test domain should be on separate subnets
    > (i.e. 10.1.1.x and 10.1.2.x). He says that he wants the management of
    > the network to be simplified and therefore we should run both domains in
    > the same subnet. We have about 100 workstations and 10 servers, so this
    > is not a big network by any means.
    >
    > I know it can be done either way. The reason I'm posting is to hopefully
    > call on the collective experience of the froup about the advantages of
    > doing this one way or the other.
    >
    > Only caveat is users in the production domain will need to be able to
    > connect and work with servers in the test domain.
    >
    > -------
    >
    > Thanks,
    > T-Bone
    > MCNGP XL


    Personally, I would split them up and only allow the access that is
    necessary to perform testing. You could use ACLs to block access to
    resources if needed during development, and then open them back up for
    testing.

    It is more work, but there are benefits. Then again, as long as you
    have explained the pros and cons to management, it is their problem at
    that point, and their responsibility. If the owner of a company wants
    to do something against the recommendations of his trusted staff, at
    some point you have to just comply.

    Good luck,

    JB
     
    James, Apr 3, 2009
    #2

  3. "TBone" <reply2me@thenewsgroup> wrote in message
    news:Xns9BE27505C480Areplyhere@207.46.248.16...

    > I am simplifying our network, but I have an ongoing argument with the
    > owner of the company (who admits to knowing nothing about networking)
    > that our production domain and test domain should be on separate subnets
    > (i.e. 10.1.1.x and 10.1.2.x). He says that he wants the management of
    > the network to be simplified and therefore we should run both domains in
    > the same subnet. We have about 100 workstations and 10 servers, so this
    > is not a big network by any means.
    >
    > I know it can be done either way. The reason I'm posting is to hopefully
    > call on the collective experience of the froup about the advantages of
    > doing this one way or the other.
    >
    > Only caveat is users in the production domain will need to be able to
    > connect and work with servers in the test domain.


    This latter point is exactly the reason why they must be in the same subnet.

    Or else, you'll need to install and maintain some sort of router
    functionality so that traffic can get from subnet 'A' to subnet 'B'.

    Truth be told, what you have here is two different network topologies, that
    each should be evaluated independent of one another.

    Domains are security boundaries for users and resources. If users in the
    production domain need to connect and work with servers in the test domain,
    then the test domain is going to have to trust the production domain. At
    this point, it begs the question of what the value of a separate domain
    actually becomes.

    IP Subnets are logical (broadcast) boundaries to control network-level
    traffic. If members of group 'a' routinely need to access resources in group
    'b', and both groups are on the same *physical* LAN infrastructure, then the
    complication of separate subnets most likely outweighs any perceived
    disadvantage of having them all on one network.

    The *only* reason I could justifiably see creating multiple subnets on the
    same physical LAN is if one or the other group has more than 250 devices...
    but even then, it's trivial to use CIDR masking and create a subnet
    with >255 host addresses.


    Without more information, I'm hard pressed to see the justification for
    either a separate domain =or= a separate IP Subnet, and if your primary
    objective is to simplify the network, then take a lesson from the earliest
    "Active Directory Domain Services" training literature way back in 1999
    which stated simply (and paraphrased): Unless you have a justifiable need
    for more than one domain, ONE domain is what you should configure.

    What you need for your test network is a separate =OU=. :)


    --
    Lawrence Garvin, M.S., MCITP:EA, MCDBA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2009)

    MS WSUS Website: http://www.microsoft.com/wsus
    My Websites: http://www.onsitechsolutions.com;
    http://wsusinfo.onsitechsolutions.com
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
     
    Lawrence Garvin [MVP], Apr 4, 2009
    #3
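    The two options argued in the replies above (separate subnets with ACLs on the router between them, versus one flat network sized with a CIDR mask) can be compared side by side. This is an added example, not code from any poster; the server addresses 10.1.2.10 and 10.1.2.11 and the ports are hypothetical, and only the 10.1.1.x / 10.1.2.x ranges come from the thread.

```python
import ipaddress

# Ranges from the thread: production 10.1.1.x, test 10.1.2.x.
PROD = ipaddress.ip_network("10.1.1.0/24")
TEST = ipaddress.ip_network("10.1.2.0/24")

# Constructed ACL for the router between the subnets, first match wins.
# Fields: action, source net, destination net, destination port (None = any).
ACL = [
    ("permit", PROD, ipaddress.ip_network("10.1.2.10/32"), 443),   # hypothetical test web server
    ("permit", PROD, ipaddress.ip_network("10.1.2.11/32"), 1433),  # hypothetical test SQL server
    ("deny", TEST, PROD, None),  # test hosts never initiate into production
]

def evaluate(src, dst, port, acl=ACL):
    """Return 'permit' or 'deny' for a flow that reaches the router."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, dport in acl:
        if s in src_net and d in dst_net and dport in (None, port):
            return action
    return "deny"  # implicit deny when no rule matches

def crosses_router(src, dst, nets=(PROD, TEST)):
    """True if the hosts are in different subnets, so the ACL is consulted."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return not any(s in n and d in n for n in nets)

def common_supernet(a, b):
    """Smallest single CIDR block that contains both networks."""
    while not b.subnet_of(a):
        a = a.supernet()
    return a

if __name__ == "__main__":
    flat = common_supernet(PROD, TEST)
    print("flat network:", flat, "usable hosts:", flat.num_addresses - 2)
    print("prod -> test web :", evaluate("10.1.1.50", "10.1.2.10", 443))
    print("prod -> test RDP :", evaluate("10.1.1.50", "10.1.2.10", 3389))
    print("routed when split:", crosses_router("10.1.1.50", "10.1.2.10"))
    print("routed when flat :", crosses_router("10.1.1.50", "10.1.2.10", (flat,)))
```

    Note that 10.1.1.0/24 and 10.1.2.0/24 do not share a /23, so the smallest flat block covering both is a /22, and once the hosts share that block their traffic never reaches the router where the ACL is applied.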
  4. TBone

    Gabe Guest

    In a small network it's not likely going to be a performance problem. There
    may be security issues related to your coworkers seeing things that have not
    yet been released, perhaps even using things that are not ready to be used
    yet...

    Will your test environment be "polluted" by being connected to the same
    subnet as the production environment? If so, your argument could be that it
    would invalidate your testing.

    --
    MCSE since 2000
    Systems Integration
    Navy Reserves


    "TBone" wrote:

    > After I wrote that I realized *what else* it might seem like...
    >
    > Yet I'm hoping to get a serious answer...
    >
    > I am simplifying our network, but I have an ongoing argument with the
    > owner of the company (who admits to knowing nothing about networking)
    > that our production domain and test domain should be on separate subnets
    > (i.e. 10.1.1.x and 10.1.2.x). He says that he wants the management of
    > the network to be simplified and therefore we should run both domains in
    > the same subnet. We have about 100 workstations and 10 servers, so this
    > is not a big network by any means.
    >
    > I know it can be done either way. The reason I'm posting is to hopefully
    > call on the collective experience of the froup about the advantages of
    > doing this one way or the other.
    >
    > Only caveat is users in the production domain will need to be able to
    > connect and work with servers in the test domain.
    >
    > -------
    >
    > Thanks,
    > T-Bone
    > MCNGP XL
    >
     
    Gabe, Apr 7, 2009
    #4