DHCP/VMware question?

Discussion in 'Networks' started by John Neerdael, Feb 7, 2009.

  1. Sparky
    Highly Decorated Member Award 500 Likes Award

    Sparky Zettabyte Poster Moderator

    10,718
    543
    364
    If you are concerned about ports you can configure a packet filter on the NIC of the domain controller which will only allow traffic through that you want. Therefore you can have the PCs on the same LAN and control what traffic is accepted by the DC.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  2. John Neerdael

    John Neerdael Nibble Poster

    80
    0
    26
    But isn't that putting another unneeded load on, since our firewall is a packet filter that is already in place?

    About the reference in the final report; could do :biggrin
     
    WIP: MCTS: 70-640
  3. Sparky
    Highly Decorated Member Award 500 Likes Award

    Sparky Zettabyte Poster Moderator

    10,718
    543
    364
    What load? It's just a packet filter on a NIC :biggrin
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  4. John Neerdael

    John Neerdael Nibble Poster

    80
    0
    26
    Well I honestly have no idea how that works :D
     
    WIP: MCTS: 70-640
  5. Sparky
    Highly Decorated Member Award 500 Likes Award

    Sparky Zettabyte Poster Moderator

    10,718
    543
    364
    hee hee!

    Seriously though, once you start configuring all of this for real it should make more sense.

    This is why lab work is a good thing 8)
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  6. John Neerdael

    John Neerdael Nibble Poster

    80
    0
    26
    Btw, what is a good way to go about setting GPOs? Would it be best to lock down the Default GPO as much as possible and then open up things for certain OUs, or would you leave the default GPO untouched and lock down within OUs where needed?

    Personally I would go with the default restrictions and then open them up where needed, but I'm not 100% sure if this is correct reasoning?
     
    WIP: MCTS: 70-640
  7. AJ

    AJ 01000001 01100100 01101101 01101001 01101110 Administrator

    6,897
    182
    221
    Looking good. Just to say that if you are using ISA server then you will not need another firewall between the DMZ and the LAN. ISA does that for you, unless I'm getting your config wrong.

    You can add another external IP address to the external network card as well, if there are other external IP addresses required (this being for the external NIC).
     
    Certifications: MCSE, MCSA (messaging), ITIL Foundation v3
    WIP: Breathing in and out, but not out and in, that's just wrong
  8. Sparky
    Highly Decorated Member Award 500 Likes Award

    Sparky Zettabyte Poster Moderator

    10,718
    543
    364
    Don't change too much in the default GPOs. Best to add other GPOs as needed. 8)
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  9. John Neerdael

    John Neerdael Nibble Poster

    80
    0
    26
    Thanks Sparky, another question to fire away. DHCP related: why would I set the DHCP scope at 80%/20% (dc1/dc2) and not 50/50? I haven't set up a DHCP Relay Agent before, but in normal circumstances won't IPs be handed out by the first DHCP offer the client receives after its DHCP discover? Now, since ISA as a relay agent will create a unicast from this broadcast, must the relay agent then be set up to forward requests to DC1 and automatically to DC2 if that fails, or will it send it to both DCs at once and just take the offer first received, like in normal circumstances?

    Oh, and a small subnetting question: is it correct of me that when I have a network 192.168.2.0/23, 192.168.2.255 & 192.168.3.0 are actually valid IPs on this network (since 192.168.2.0 is the invalid IP & 192.168.3.255 is the broadcast address)?

    Also, would RRAS best be run on a server in a DMZ or on the ISA firewall itself? I've been seeing some tutorials on isaserver.org about using your ISA server as RAS, unless I understand it wrong.
     
    WIP: MCTS: 70-640
  10. craigie

    craigie Terabyte Poster

    3,020
    174
    155
    John, I think it's great that you have a lot of questions. Without wanting to sound harsh, I think it's time you started finding out the answers for yourself.

    Good luck with your project. With any network deployment, there are some areas which are no-nos and others which are down to preference and what you are trying to achieve.
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  11. Sparky
    Highly Decorated Member Award 500 Likes Award

    Sparky Zettabyte Poster Moderator

    10,718
    543
    364
    You can configure the DHCP relay agent to forward requests to more than one DHCP server. I *think* it will query them in order until a DHCP server hands out an IP.

    I believe so (unless someone wants to correct me here!) if you are running one subnet.

    Best to run it on the actual ISA server, rules will be generated when you configure the type of VPN you want (PPTP\L2TP) so that VPN clients can communicate with the internal network.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  12. John Neerdael

    John Neerdael Nibble Poster

    80
    0
    26
    Yeah, I'm setting up the lab VMs as we speak. The last DHCP question really is a lazy man's question, I have to admit; I can easily see what it tells me when trying to install the relay agent. As for the subnetting question, that's easy to test as well, even with 2 XP workstations.

    The best place to set a RAS in a network, well, guess I'll just have to google some more for that since we haven't touched RAS at school just yet.

    Thx Craigie

    @Sparky, thanks for the input. I'll test the subnet out today and the DHCP relay agent later and post my findings then :)
     
    WIP: MCTS: 70-640
  13. John Neerdael

    John Neerdael Nibble Poster

    80
    0
    26
    Noticing odd behaviour when testing connectivity between 2 hosts.

    If Host A = 192.168.2.254 it can ping 192.168.3.0 when they are in subnet 255.255.254.0.
    However, if Host A = 192.168.2.255 it cannot ping 192.168.3.0.
    Host B cannot ping Host A @ 192.168.2.255 if it has 192.168.3.0 or any other IP.
    Host B can ping Host A @ 192.168.2.254 with IP 192.168.3.0.

    So atm it seems that in a 192.168.2.0/23 network segment 192.168.2.255 is an invalid IP but 192.168.3.0 is valid? Weird....


    Does anyone know about any documentation on this that I could read up on?

    Edit:
    Apparently this is a limitation you get stuck with if you try to build a larger-class network from the class C private address range. I'm sure a lot of you didn't know this yet either.

    I tested the same out but now on 172.16.2.0/23
    Host A: 172.16.2.255 / 255.255.254.0
    Host B: 172.16.3.0 / 255.255.254.0
    And tadaa full connectivity between both!

     
    WIP: MCTS: 70-640
  14. Sparky
    Highly Decorated Member Award 500 Likes Award

    Sparky Zettabyte Poster Moderator

    10,718
    543
    364
    How are you testing this, mate? Do you have a gateway device that will handle the routing?

    Do you have a gateway device that has an IP of 192.168.2.1/23?
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  15. John Neerdael

    John Neerdael Nibble Poster

    80
    0
    26
    No, just two single workstations that are on the same network. No gateway should be needed for PCs to communicate with each other when they are on the same network segment, right? From what I know a gateway is only used to connect to computers that are outside their own network segment.

    Anyway, it works like this for 172.16.2.0/23 and not for 192.168.2.0/23.
     
    WIP: MCTS: 70-640
  16. Sparky
    Highly Decorated Member Award 500 Likes Award

    Sparky Zettabyte Poster Moderator

    10,718
    543
    364
    Correct, just wondering if a gateway device would route the traffic correctly though.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  17. John Neerdael

    John Neerdael Nibble Poster

    80
    0
    26
    I'll make sure to test it out once my lab is running completely and let you know :) My teacher told me you should NEVER use .0 or .255 even if the netmask defines them as valid IPs. Now I'm a bit fuzzed; does anyone happen to know the specifics on this? According to my teacher a DHCP server will automatically never hand out an IP address that ends in 255 or 0 even if it's in the scope and a valid address. Not sure if this is correct or incorrect either; I'll test this out as well later this month.
     
    WIP: MCTS: 70-640
  18. craigie

    craigie Terabyte Poster

    3,020
    174
    155
    Your teacher is correct and there is a very good reason for this.

    Follow this linky to learn why
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
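The subnet question raised in post 9, the lab result in post 13 and the ".0/.255" rule from post 17 all come down to the same arithmetic, so here is a worked example in Python. It is added here and is not code from anyone in the thread; the network 192.168.2.0/23 and the two server names dc1/dc2 are taken from the discussion, the function names are my own. It checks which addresses the mask makes valid hosts, applies the conservative rule of skipping any address whose last octet is 0 or 255 (the usual justification, not stated on the page, is compatibility with hosts that still apply classful assumptions), and then carves the remaining scope into the 80/20 split the poster asked about: both DHCP servers define the whole scope and each excludes the other's share, which is how the split is normally configured. The 80/20 split generalises the page's two-server case to any usable-host list.

```python
import ipaddress

# Constructed lab values taken from the thread: the /23 under discussion
# and the two addresses whose validity was being questioned.
LAB_NETWORK = "192.168.2.0/23"
QUESTIONED = ("192.168.2.255", "192.168.3.0")


def host_range(cidr):
    """Return (first host, last host, broadcast) of an IPv4 network, as strings."""
    net = ipaddress.ip_network(cidr, strict=True)
    hosts = list(net.hosts())
    return str(hosts[0]), str(hosts[-1]), str(net.broadcast_address)


def is_usable_host(cidr, addr):
    """Pure subnet-mask arithmetic: addr is a host address if it lies inside the
    network and is neither the network address nor the broadcast address.
    Inside 192.168.2.0/23 this makes 192.168.2.255 and 192.168.3.0 ordinary hosts."""
    net = ipaddress.ip_network(cidr, strict=True)
    ip = ipaddress.ip_address(addr)
    return ip in net and ip not in (net.network_address, net.broadcast_address)


def ends_in_0_or_255(addr):
    """The conservative rule from the thread: treat any last octet of 0 or 255 as
    off-limits even when the mask says it is a valid host."""
    return int(str(addr).rsplit(".", 1)[1]) in (0, 255)


def split_scope_80_20(cidr, skip_0_255=True):
    """Split the usable hosts of a scope 80/20 between two DHCP servers.

    Each server's entry carries the range it should hand out, how many leases
    that is, and the range it must exclude (the other server's share). With
    skip_0_255 the .0/.255 addresses are listed separately so they can be
    excluded on both servers as well.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    all_hosts = list(net.hosts())
    skipped = [str(h) for h in all_hosts if skip_0_255 and ends_in_0_or_255(h)]
    hosts = [h for h in all_hosts if not (skip_0_255 and ends_in_0_or_255(h))]
    cut = round(len(hosts) * 0.8)  # 80% share for the primary server
    primary, secondary = hosts[:cut], hosts[cut:]
    as_range = lambda block: (str(block[0]), str(block[-1]))
    return {
        "dc1": {"range": as_range(primary), "count": len(primary),
                "exclude": as_range(secondary)},
        "dc2": {"range": as_range(secondary), "count": len(secondary),
                "exclude": as_range(primary)},
        "skipped": skipped,
    }


if __name__ == "__main__":
    first, last, bcast = host_range(LAB_NETWORK)
    print(f"{LAB_NETWORK}: hosts {first} - {last}, broadcast {bcast}")
    for addr in QUESTIONED:
        print(f"  {addr}: valid host by mask = {is_usable_host(LAB_NETWORK, addr)},"
              f" ends in 0/255 = {ends_in_0_or_255(addr)}")
    plan = split_scope_80_20(LAB_NETWORK)
    for server in ("dc1", "dc2"):
        entry = plan[server]
        print(f"  {server}: {entry['range'][0]} - {entry['range'][1]}"
              f" ({entry['count']} leases), exclude {entry['exclude']}")
    print(f"  also exclude on both servers: {plan['skipped']}")
```

Running it shows the two sides of the thread's disagreement side by side: by the mask, 192.168.2.255 and 192.168.3.0 are valid hosts of the /23 and only 192.168.2.0 and 192.168.3.255 are not; with the teacher's rule applied those two addresses are simply carved out of the scope, costing 2 of the 510 leases. The split then gives dc1 192.168.2.1 to 192.168.3.152 and dc2 192.168.3.153 to 192.168.3.254, each server excluding the other's range and both excluding the two skipped addresses.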
  19. John Neerdael

    John Neerdael Nibble Poster

    80
    0
    26
    Everything's starting to work out nicely, guys :D But our project deadline is nearing. DHCP Relay Agent was simple and is working over VMware for us, also Automatic Firewall Client Deployment & Discovery, our perimeter website is correctly accessible, etc etc. Now we need to get WSUS running on a server behind the ISA firewall.

    Does anyone perhaps know where I can find a guide on allowing automatic Windows Updates from 1 server to the internet?
     
    WIP: MCTS: 70-640
  20. craigie

    craigie Terabyte Poster

    3,020
    174
    155
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
