a flat vlan!

atimpanaro
Level 1

Hi, a customer of mine asked to segment his LAN using VLANs.

I want to create 4 VLANs distributed across the building floors. So, for example, at floor 1 VLANs 1 and 2 are present, at floor 2 VLANs 2 and 3 are present, and at the ground floor VLAN 4 is present (where I have the servers).

Each PC must talk ONLY with other PCs within the same VLAN and with the servers on VLAN 4. No communication between VLANs 1-2, 1-3, 2-3.

Another requirement is that I cannot change the PCs' IP addresses. So I cannot create a different IP subnet for each VLAN; all the VLANs must share the 10.1.0.0/16 network.

I'm using some Cat 3500XL at the wiring closets and Cat 4006 at the core level. The uplinks are fiber-optic Gigabit.

Any idea on how to realize this job?

Thanks to all.

Andrea.

29 Replies

Hi All

Has anyone got a web link for setting up PVLANs and communities?

Regards

I'm sorry, there was a mistake.

The COBOL application works with IP address references.

Bye

Andrea.

phs1234
Level 1

Can the 4006 layer-3 features and subnetting be of any help?

Your network 10.1.0.0/16 can be further subnetted to 10.1.X.0/24 - VLAN X, that means 10.1.1.0/24 - VLAN 1, 10.1.2.0/24 - VLAN 2, and so forth.

Now on the Cat 4006 you configure inter-VLAN routing between 1-4, 2-4, 3-4 only.

Try it out!

No, one requirement is to keep the current IP addresses on the PCs. So I cannot subnet.

Otherwise it is very simple ;-)

Bye

I had a similar problem and using NAT solved it for me.

As the other server just saw the one IP all the time and the firewall (whose name will not be mentioned, but you get the point) handled it all. I only had about 30 PCs.

But if the remote server needs to talk to specific machines based on IP and MAC then it's a worry.

Oz

Not that I am the big bridging guru.

But can you not run a bridge from each floor to one server with 4 NICs, one for each bridge and another to the switch where all the servers are?

Then the ACL can keep the floors away from each other?

Oz

Oz,

I cannot understand what you suggested.

What is the server's role?

Thanks

Andrea

The server is really just being a router.

Just a point to aggregate all the traffic,

using, say, gigabit NICs.

Then the other NIC uplinks to the 4008.

But the key here is you have all the 3 VLANs now at an IP level, so to speak.

So ACLs can control each VLAN.

But hey, if you have Windoze 2K you can keep the users out via permissions?

Oz

>the server is really just being a router

A router cannot have different interfaces on the same subnet.

>So ACL can control each VLAN

ACLs for 400 PCs, noooo!

Keep in mind that I don't have a hierarchical IP address assignment, so creating access lists is very hard.

Also think about performance (uplinks are gigabit!).

Andrea

Well, it's not really routing per se, but with Win2K you can do some cool stuff without a router and still route.

Here is what I have on one of my test boxes in the lab:

Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : 3Com 3C918 Integrated Fast Ethernet Controller (3C905B-TX Compatible)
Physical Address. . . . . . . . . : 00-C0-4F-68-98-DC
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 216.254.100.15 ( blocked by my ISP but lets me terminal client into other pc's out side the firewall)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IP Address. . . . . . . . . . . . : 10.1.1.114
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.1.1.2
DNS Servers . . . . . . . . . . . : 216.254.95.2
                                    216.231.41.2

Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8139/810X Family PCI Fast Ethernet NIC
Physical Address. . . . . . . . . : 00-E0-7D-00-86-64
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.1.1.11
Subnet Mask . . . . . . . . . . . : 255.0.0.0
Default Gateway . . . . . . . . . : 10.1.1.2
DNS Servers . . . . . . . . . . . : 127.0.0.1

Ethernet adapter Local Area Connection 3:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Compaq NC3121 Fast Ethernet NIC
Physical Address. . . . . . . . . : 00-08-C7-72-CF-B3
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.1.1.75
Subnet Mask . . . . . . . . . . . : 255.0.0.0
Default Gateway . . . . . . . . . : 10.1.2.1
DNS Servers . . . . . . . . . . . : 127.0.0.1
                                    216.254.95.2

So you could have something similar: have each floor uplink to a NIC on the server, then have one or two more NICs uplinked to the 4008, and those two can do load balancing through Windoze... I think (have to read up, but I am pretty sure you can).

The questions are:

1. Do you have budget to add more equipment?

If no, then the multiple NICs are an answer, but you will have to rely on NT security to keep them out of each other.

2. To bridge is going to be hefty price-wise.

3. Once you write the ACLs they should not change that much... I have seen them with 700 lines, and as long as you write them clean and careful it's OK.

Don't forget you only have to permit a heap and the deny any any will take care of the rest.

4. Who says you have to NAT at the end by the servers? You can NAT on each floor. Each floor has its own FW and this would reduce it down to 100 or so PCs, no big deal there.

I understand about throughput, but how much traffic is REALLY running across each floor?

You can have a firewall run 1 Gbps easily, not cheaply (grin).

Just an FYI:

I have a customer who has about 50 Unix boxes blasting anywhere from 250 meg to 1 gig files all day across a Sparc box with 3 gig NICs and its 500 hz or so CPU with a gig of RAM, and it handles it like a champ.

Oz
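Both Andrea's objection ("I don't have a hierarchical IP address assignment, so creating access lists is very hard") and Oz's reply about 700-line ACLs come down to how many entries an access list needs when one VLAN's hosts are scattered across the shared 10.1.0.0/16. The following added example (not from the thread) builds IOS-style permit entries from a VLAN's host list to the server block and shows that scattered hosts each cost one entry while a contiguous block collapses to one; all addresses are constructed samples, and the ACL number 101 is an arbitrary choice.

```python
"""Count ACL entries needed for one VLAN's hosts to reach the servers.

Added example, not code from the thread. Host and server addresses are
constructed samples inside the thread's 10.1.0.0/16 network.
"""
import ipaddress
from typing import Iterable, List


def summarise_hosts(hosts: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Collapse /32 host addresses into the fewest covering prefixes.

    Each prefix becomes one address/wildcard pair in an IOS-style ACE, so
    the length of this list is the per-VLAN cost of a non-hierarchical plan.
    """
    nets = (ipaddress.ip_network(f"{h}/32") for h in hosts)
    return list(ipaddress.collapse_addresses(nets))


def acl_lines(number: int, vlan_hosts: Iterable[str],
              servers: Iterable[str]) -> List[str]:
    """Permit entries from one VLAN's hosts to the server block.

    Anything not permitted falls through to the implicit deny. The entry
    count is (number of source prefixes) x (number of server prefixes).
    """
    lines = []
    for src in summarise_hosts(vlan_hosts):
        for dst in summarise_hosts(servers):
            lines.append(
                f"access-list {number} permit ip "
                f"{src.network_address} {src.hostmask} "
                f"{dst.network_address} {dst.hostmask}"
            )
    return lines


# Constructed sample data (not the customer's real addressing).
SERVERS = [f"10.1.0.{i}" for i in range(16, 24)]            # 10.1.0.16/29
SCATTERED_VLAN1 = ["10.1.3.17", "10.1.40.9", "10.1.77.2",
                   "10.1.9.250", "10.1.128.64", "10.1.200.130"]  # no two adjacent
CONTIGUOUS_VLAN1 = [f"10.1.1.{i}" for i in range(0, 8)]     # 10.1.1.0/29

if __name__ == "__main__":
    for label, hosts in (("scattered", SCATTERED_VLAN1),
                         ("contiguous", CONTIGUOUS_VLAN1)):
        acl = acl_lines(101, hosts, SERVERS)
        print(f"{label}: {len(acl)} entries")
        for line in acl:
            print("  " + line)
```

With 400 scattered PCs the scattered case scales to roughly one entry per host per server prefix, which is the growth Andrea is worried about; the same hosts renumbered into per-VLAN blocks collapse to a handful of lines.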

Thanks Oz,

NAT is a good point, but as you know, I have about 400 PCs and 20 servers, so I don't want to use static NAT! Dynamic NAT (one to one) could be fine, but I'm afraid of the consequences that NAT can have on a Windows 2000 client-server network (that's what I have!). I'm referring e.g. to the domain authentication process (with Kerberos!), WINS and DNS name resolution, and so on.

Andrea.

I didn't say it would be easy (grin),

and I can do it on a Checkpoint box for sure.

But using a PIX and CSPM would be a worry (frown).

I have a setup here in my lab where a customer comes through a double NAT (Windoze 2K --> NAT Cpoint ---> my DSL --> internet <-- cable <-- modem NAT <-- Cpoint FW NAT <-- host).

So it can be done.

I would look at WINS and see if you can dump it. You have DNS, why bother with WINS? It's easier just to add a couple of hosts files if needed.

Oz

I'm afraid of complexity (especially when troubleshooting).

I want to keep it as simple as possible. If it becomes more complicated I prefer to tell my customer "sorry, it's not possible".

Also performance is a point that we must respect. NAT is good for slow connections (Mb) but I think that, with a gigabit connection, NAT could be a bottleneck.

Andrea

Suryakant Shant
Cisco Employee

If the servers are connected to the Catalyst 3500XL series switches, you can use the Multi-VLAN concept on these switches and allow VLAN 1 to 4 traffic on the ports connected to the servers.

This way all VLANs can access the servers, but cannot do inter-VLAN communication. To learn about the Multi-VLAN concept, check this link:

http://www.cisco.com/warp/public/793/lan_switching/3.html#catalyst2935

Hope this helps

sshant,

The servers are connected to a Catalyst 4006.

Thanks anyway.

Andrea.