Subject: Re: Replacing oddly networked NT machine
To: NetBSD Networking Technical Discussion List <tech-net@netbsd.org>
From: Stephen Borrill <netbsd@precedence.co.uk>
List: tech-net
Date: 02/17/2003 15:05:36
On Mon, 17 Feb 2003, Greg A. Woods wrote:

> [ On Monday, February 17, 2003 at 12:20:42 (+0000), Stephen Borrill wrote: ]
> > Subject: Re: Replacing oddly networked NT machine
> >
> > Well, we _could_ (and I suggested as such), but they didn't want to re-IP
> > the machines unless strictly necessary.
> 
> You say they're using DHCP for the majority.  If you use arpwatch on the
> gateway box to discover the rest then it will be a quite quick and
> painless renumbering, especially if you can get someone to help wander
> around to each machine and reconfigure it to either also use DHCP, or to
> use some static IP allocated carefully from outside the DHCP range.  If
> you set up private reverse DNS for the nets you're using then you can
> use the DNS zone files to do the allocation accounting of IP address
> space too!
> 
> Renumbering really is the right thing to do here.  The current
> configuration is really badly broken.  It probably doesn't even work
> 100% properly under M$-NT, though it might be harder to see the problems
> there.

No, it's not the right thing. Arbitrary machines will probably want to be
video-conferencing to other machines in the WAN or such like. At the
moment those machines are set up to be part of the whole WAN; there are
just security concerns regarding how much access external machines (in the
WAN) will have. Renumbering and NATing will mean port redirection which is
more administration.
> > As for the choices of IP addresses, this is part of a big WAN and we
> > aren't really free to use our own choice of private addresses (for
> > instance, if a direct IP connection was needed to another part of the WAN
> > we could clash).
> 
> Well then get the WAN admins to allocate you another /24 from 10/8!

That will not be done. This is a _big_ WAN covering many, many sites and
spread over a very large distance. The IP addresses allocated by the WAN
people are effectively set in stone.

> Actually if you've claimed you're already using a /16, but you don't
> need it that big (you say /24 is lots for now), and if that /16 is
> already allocated to you by the WAN, then you can subnet it yourself any
> way you please -- perhaps into /18s or /20s?

Sorry, the /16 was a simplification (or a lie, depending on how you view
it). The truth is it's /22. /24 is not lots, we are looking at way over
300 workstations, plus a significant number of servers.

bridge and ipf sounds like the route to go, I think. Until recently, this
was not a possibility though.

-- 
Stephen
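An added illustration (not part of the thread, nor Stephen's or Greg's configuration) of the bridge-plus-ipf approach the reply settles on: a NetBSD box bridges the existing /22 to the WAN link unchanged, and ipf(4) on the bridge limits what WAN hosts can reach while the site's machines keep their addresses. The interface names ex0/ex1, the 10.0.0.0/22 prefix, the host 10.0.1.10 and TCP port 1720 (H.323 call signalling) are assumptions chosen for the example.

```conf
# /etc/ipf.conf for a transparent bridge between the WAN link (ex0) and
# the site LAN (ex1).  All addresses and interface names are placeholders.
#
# Bring the bridge up with filtering enabled (needs BRIDGE_IPF in the
# kernel), then load the rules:
#   brconfig bridge0 add ex0 add ex1 ipf up
#   ipf -Fa -f /etc/ipf.conf
#
# Default deny on the WAN-facing interface, logged for ipmon(8).
block in log on ex0 all
block out log on ex0 all

# Site hosts may initiate anything towards the WAN; state entries let the
# replies back in without opening standing inbound holes.
pass out quick on ex0 proto tcp from 10.0.0.0/22 to any flags S keep state
pass out quick on ex0 proto udp from 10.0.0.0/22 to any keep state
pass out quick on ex0 proto icmp from 10.0.0.0/22 to any keep state

# Inbound from the WAN: only services deliberately published, one rule
# each.  Shown: a conferencing host accepting H.323 call setup; the media
# ports the site's conferencing software uses would be added the same way.
pass in quick on ex0 proto tcp from any to 10.0.1.10 port = 1720 flags S keep state

# Anything else arriving from the WAN hits the logged default deny above,
# so ipmon output shows exactly which external hosts are probing the site.
```

Because the box only bridges, no port redirection or NAT entries are needed when a site machine later needs direct reachability from the WAN: one more `pass in` line publishes it.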