The correct answer to question [1] below is:


Configure SrvA with no default gateway address


What I cannot understand:

1)

Why would it prevent the hosts on subnet B from connecting to hosts on subnet A and, through them, to SrvA (since they, according to the task solved and the correct answer, would continue to have access to SrvA)?

1a) Why would it prevent the direct connection to a host (with a server) from another network at all?

2)

Why does the ability of a server to communicate influence the communication abilities of hosts on a network?

2a) Are servers needed for hosts to communicate with hosts on another subnetwork?

2b) And why only with foreigners, i.e. hosts from another network?

Why would the absence of a default gateway address on a server prevent the hosts from another network from communicating with the server if there is only one possible external path (through a router separate from the servers) between the networks, i.e. anything not found locally should presumably be sent by the router to the other network?

3)

What is the difference between "connect" and "establish session"?


[1]

Two private networks A and B are connected by a router.

A server named SrvA (in subnetwork A) functions as an intranet Web server for the human resources (HR) department.

A server named SrvB (in subnetwork B) is a Microsoft Exchange 2000 Server mail server.

SrvA contains confidential documents that must be accessed daily by users on only the A subnet.

All users must be able to connect to SrvB.

You want to configure the TCP/IP properties of SrvA to prevent any computer in the subnet B from establishing a session with SrvA.

What should you do?


[2] Explanation to correct answer "Configure SrvA with no default gateway address"

In order to communicate with SrvA, the clients in network B have been configured with a default gateway address, that is, the address of the router.

For SrvA to communicate with the clients in network B, it has to be configured with a default gateway address (the address of the router). Removing the default gateway from SrvA will prevent computers residing in subnet B from establishing a session with SrvA.

SrvA will however continue to be able to communicate with clients in network B. This will ensure that the confidential files will be accessible only by users on subnet A.

A: 

If you were to put no default gateway on SrvA, then nobody who is not directly connected to the server will be able to connect to it.

1 & 1a) If anybody outside of subnet A (who isn't directly connected) sends traffic, it would probably make it to the server, but with no default gateway the server wouldn't know how to get the traffic back to the distant host, and would drop the packets.

2) Unless the data goes TO THE SERVER FIRST, this shouldn't affect the connection with the other hosts, just the connection to the server. If all the data goes to and from this server first before it leaves subnet A, then it would effectively be cut off for the reasons in #1.

3) An "established connection" has passed some sort of handshake saying that the two hosts will pass traffic, i.e. TCP's three-way handshake ("I'm here", "I see you", "let's pass traffic"). Just a simple "connection" is a little vague, but I guess you can say it would encompass all kinds of connections, both "established connections" and connectionless ones with protocols like UDP (a one-way, "don't care if you get the data" connection).

Now, my suggestion is to add the default route back in. You're just hurting yourself in the long run without it. Try googling some information about putting ACLs (access lists) on your router.

With ACLs you can specify "this subnet can't go to this IP address or subnet", the IP being that of your server.

Don't quote me, but in Cisco IOS syntax it would be something like this (an extended access list, because a standard one can only match the source and would block subnet B from all of subnet A; <subnetB>, <subnetB-wildcard>, <SrvA-address> and <if-to-subnetA> are placeholders for your own values):

    ! deny only subnet B -> SrvA, permit everything else
    access-list 101 deny   ip <subnetB> <subnetB-wildcard> host <SrvA-address>
    access-list 101 permit ip any any

Then you apply it outbound on the interface going TO ServerA with something like this:

    interface <if-to-subnetA>
     ip access-group 101 out

It will look something like this (sorry for not using code blocks). This will deny the users in subnet B from sending traffic out to ServerA without affecting any other traffic.

This is probably the preferred method. I STRONGLY SUGGEST NOT FOLLOWING THE ANSWER YOU HAVE IN YOUR QUESTION; that will cause much more harm than good. I hope this helps.

tony_p
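The following is an added example, not code from the original thread, that models what the answer above (points 1, 1a and 3) and explanation [2] in the question describe: a host with only a connected route and no default gateway can still receive a packet from another subnet, but has nowhere to send the reply, so a TCP three-way handshake never completes while a one-way UDP datagram still lands. The subnet addresses, router addresses and host names are assumptions chosen for illustration; the original question gives none.

```python
"""Routing-decision model for the 'no default gateway on SrvA' answer.

Added example, not part of the original thread. All addresses and host
names below are constructed assumptions, not values from the question.
"""
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
from typing import Optional

# Constructed topology: two subnets joined by one router with a leg in each.
SUBNET_A = IPv4Network("192.168.1.0/24")
SUBNET_B = IPv4Network("192.168.2.0/24")
ROUTER_IF_A = IPv4Address("192.168.1.1")
ROUTER_IF_B = IPv4Address("192.168.2.1")


class Host:
    """A host's IP stack: one interface plus an optional default gateway."""

    def __init__(self, name: str, iface: str, gateway: Optional[str]) -> None:
        self.name = name
        self.iface = IPv4Interface(iface)
        self.gateway = IPv4Address(gateway) if gateway else None

    @property
    def addr(self) -> IPv4Address:
        return self.iface.ip

    def next_hop(self, dst: IPv4Address) -> Optional[IPv4Address]:
        """Route lookup with only a connected route and (maybe) a default route."""
        if dst in self.iface.network:
            return dst              # connected route: deliver directly (ARP for dst)
        if self.gateway is not None:
            return self.gateway     # default route: hand the packet to the router
        return None                 # no matching route: the stack drops the packet


def router_forwards(dst: IPv4Address) -> bool:
    """The single router has a connected route to both subnets."""
    return dst in SUBNET_A or dst in SUBNET_B


def deliverable(src: Host, dst: Host) -> bool:
    """A packet from src reaches dst only if src has a route and the router can forward it."""
    hop = src.next_hop(dst.addr)
    if hop is None:
        return False
    if hop == dst.addr:
        return True
    return router_forwards(dst.addr)


def tcp_session(client: Host, server: Host) -> dict:
    """TCP three-way handshake: each segment needs the previous one and a route back."""
    syn = deliverable(client, server)
    syn_ack = syn and deliverable(server, client)
    ack = syn_ack and deliverable(client, server)
    return {"syn_arrives": syn, "syn_ack_arrives": syn_ack, "established": ack}


def udp_datagram_arrives(sender: Host, receiver: Host) -> bool:
    """Connectionless send: nothing has to come back for the datagram to land."""
    return deliverable(sender, receiver)


# Constructed hosts: SrvA with and without a default gateway, one client per subnet, SrvB.
SRV_A_NO_GW = Host("SrvA", "192.168.1.10/24", gateway=None)
SRV_A_GW = Host("SrvA-with-gateway", "192.168.1.10/24", gateway=str(ROUTER_IF_A))
CLIENT_A = Host("ClientA", "192.168.1.50/24", gateway=str(ROUTER_IF_A))
CLIENT_B = Host("ClientB", "192.168.2.50/24", gateway=str(ROUTER_IF_B))
SRV_B = Host("SrvB", "192.168.2.10/24", gateway=str(ROUTER_IF_B))

if __name__ == "__main__":
    print("B -> SrvA (no gateway):  ", tcp_session(CLIENT_B, SRV_A_NO_GW))
    print("A -> SrvA (no gateway):  ", tcp_session(CLIENT_A, SRV_A_NO_GW))
    print("B -> SrvA (with gateway):", tcp_session(CLIENT_B, SRV_A_GW))
    print("A -> SrvB:               ", tcp_session(CLIENT_A, SRV_B))
    print("UDP from B lands on SrvA:", udp_datagram_arrives(CLIENT_B, SRV_A_NO_GW))
```

Run it and the first line shows the SYN from subnet B arriving but the SYN-ACK going nowhere, which is the difference between "connect" (a packet gets there) and "establish a session" (both directions have a route). The other clients keep their own default gateways, so ClientA still reaches SrvB; only traffic that must be answered by SrvA itself is affected, which is what the answer's point 2 says.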
tony_p, thanks, I added to the initial post the explanation [2] to the correct answer [1]. The router is the single exit point; anything not destined to local hosts will be routed to the correct network (no other choice), or be lost through a wrong exit. Then, each client is configured with its own default gateway address. Why do the hosts need a server to communicate with one another, through a server? I have a network without a server where hosts communicate. Did I understand correctly that SrvA cannot reply, i.e. establish a session, to hosts from B, but all hosts can communicate between different networks?
vgv8
I'm not getting how your router is set up, but it needs a default route. Since SrvA doesn't have a default route, it won't be able to connect to anything outside of its subnet. This should have no impact on the rest of the network. If your routing is set up correctly, nodes in SubA should be able to talk to nodes in SubB. The default route just says "Hey, for addresses I don't know about, send to this address", which should be the router or next layer 3 device. The router then sends the packet to its destination on the other subnet.
tony_p