Will a bridge help me here?

[marshallw]

I'm setting up a lan which has 5 static ip's at its disposal. However, there are 5 workstations as well as two network printers. What would be the best way to make those printers accessable to the network? Would a bridge help? I've never used one and would appreciate any info on this or on any other way to solve this problem. The printers are on a totally different schema than the rest of the network, but of course this is configurable.

thanks,
marshall

 

[PlatinumGold]

why only 5?

are they external (internet) ip addresses or are they all corporate IP addresses? if they are corporate why are you limited to five?

if they are all external (internet) ip addresses, do you really want your whole lan exposed to the Internet w/ no firewall?

 

[marshallw]

The company is switching from a fractured t1 to a dsl and basically will be using terminal services to connect to the server in another city. The provider gave them a range of 5 ip addresses for their use. I have suggested that they increase this number, but that of course means more money.

 

[marshallw]

Also, the network is being routed by a cisco router, which provides some protection.

 

[Santa]

Sounds like you are new to the whole LAN/WAN setup issue.

As Platinum suggested beware of not using a firewall.

Since you are talking about a "limited" number of IPs from a provider you are talking about an internet line.

Get a router expert in to do a NAT for your network so you can utilize either a pool of IPs you were provided or a single IP.

This way no additional cost (except cost for the consultant) and you will be flexible in the future.

On top of getting the NAT done I would look into purchasing a Firewall to stick between the router and your internal LAN.

Either do this or the very very very very minimal place Access lists on your router.

If this is a work network I would explain to them that this is not a place to skimp or try and go cheap since it is a very critical entry point into your network.

<EDIT>

Your extra post about "routed by a router" does not mean you can access all the IPs. If it is correctly setup then you should have nothing to worry about. But if you are not sure then I would get someone in to check out the configuration.

If the router is your entry point then you do not need to worry about number of IPs since you can do NAT and run it through the router.

DO NOT assume that just because it is a Cisco routing doing your traffic routing that it is safe. Assume it is not safe unless you properly identify why it would be safe (Checking and rechecking the Access List it may/should have)

 

[marshallw]

ok...I will certainly suggest the firewall to them, although honestly i dont think they are too concerned. Outside of this, would setting up DHCP be a potential solution to the problem?

 

[Santa]

Static or DHCP behind a properly configured NAT router has no bearings at layer 3 (networking, routing layer)

That is more of an issue with ease of administration.

You can run a static network behind the router just as easy. Probably would be easier to do static IPs if you are going to be only 5 machines and 2 printers forever. You won't have to worry about a DHCP server or how to install, configure, and administer one.

Just make sure you have your NAT setup correctly to route the IPs your clients are assigned (via static or DHCP) and you will be able to access everything you will need.

At the very least suggest they hire in a proper Cisco consultant to configure the router to block out unwanted traffic since not doing so you might as well just randomly pick a day of the week in which you want to be hacked.

 

[n0cmonkey]

Personally Id just setup a NAT/Firewall (like OpenBSD and PF/IPF and IPNAT ) and protect the workstations. If there are any servers you can easily map an extra external ip to an internal ip the server is using.

EDIT: printers are usually an easy way to access a network. Even if you cant do much from them you can create a little havoc

 

[PlatinumGold]

ya

i c no reason to use all 5 ip addresses.

if u don't want to spend money on a physical firewall, Win2k Server offers the Internet Security and Acceleration server. i'm not sure what MS charges for it, but it works as a firewall. of course installation is a b!tch.

definitely do not hook up everything to the external (internet) IP addresses.

if you are the branch office connecting to main office elsewhere use a VPN Router and 1 IP address. set up a VPN Tunnel from you office to main office.

just some random thoughts.