I'll assume you have a Domain Controller (DC) environment -- if not, please correct that assumption.
With the DC, you have your own DHCP, DNS, Active Directory and Email services,
and the client systems get IP addresses assigned via the DHCP service.
With a DC setup, we usually see primarily switches and few routers in the network,
as the switch requires less configuration -- but that's all just choices for the admin to make.
I'll discuss using this layout:
```
gateway router/firewall === primary router#A ----- Infrastructure servers
                                 |
                                 +----- dummy honeypot address (x.x.x.254)
                                 |
                                 +----- department#1 router (x.x.10.*) ---- dept#1 clients
                                 |
                                 +----- department#2 router (x.x.20.*) ---- dept#2 clients
```
In router#1 (x.x.10.1), set a static route directing all (x.x.20.*) to x.x.x.254.
In router#2 (x.x.20.1), set a static route directing all (x.x.10.*) to x.x.x.254.
NEVER connect anything to x.x.x.254 (the honeypot dead-end).
All default routes go up thru x.x.x.1 and either out the gateway or into the infrastructure servers.
Any attempt from dept#1 to access dept#2 (or conversely) goes to the honeypot and dies as Unreachable.
For anything 'held in common' to all subnets, those resources are moved to the Infrastructure servers; if not there, then by definition they are not 'held in common nor shared'.
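The routing behaviour described in that layout, as an added example that is not part of the original post: a small Python model of the three routing tables with longest-prefix matching, using constructed 10.0.x.x addresses in place of the post's x.x.x.x. It assumes the primary router holds routes to both department subnets (implied by the default routes going up through x.x.x.1), and it also shows what happens when the static dead-end route is left out of a department router.

```python
# Added example, not from the original post. Constructed addresses: 10.0 stands
# in for the post's "x.x"; 10.0.0.1 is primary router#A, 10.0.0.254 the dead end.
import ipaddress

SITE = "10.0"
PRIMARY = f"{SITE}.0.1"          # primary router#A
DEAD_END = f"{SITE}.0.254"       # honeypot address: nothing is ever connected here
GATEWAY = "gateway"              # symbolic next hop for the gateway router/firewall
R1, R2 = f"{SITE}.10.1", f"{SITE}.20.1"   # department routers

def make_tables(isolate=True):
    """Per-router routing tables as (prefix, next_hop) lists; 'local' means delivered."""
    r1 = [(f"{SITE}.10.0/24", "local"), ("0.0.0.0/0", PRIMARY)]
    r2 = [(f"{SITE}.20.0/24", "local"), ("0.0.0.0/0", PRIMARY)]
    if isolate:  # the post's static routes: cross-department prefixes point at the dead end
        r1.append((f"{SITE}.20.0/24", DEAD_END))
        r2.append((f"{SITE}.10.0/24", DEAD_END))
    primary = [(f"{SITE}.0.0/24", "local"),        # infrastructure servers live here
               (f"{SITE}.10.0/24", R1),
               (f"{SITE}.20.0/24", R2),
               ("0.0.0.0/0", GATEWAY)]
    return {R1: r1, R2: r2, PRIMARY: primary}

def next_hop(table, dst):
    """Longest-prefix match, the way a real router selects a route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1]

def trace(tables, start_router, dst):
    """Follow next hops from a router until delivery, the gateway, or the dead end."""
    hops, router = [], start_router
    while True:
        hop = next_hop(tables[router], dst)
        hops.append(hop)
        if hop not in tables:      # 'local', GATEWAY or DEAD_END: no further forwarding
            return hops
        router = hop

def isolated(tables):
    """Policy check: dept#1 -> dept#2 and dept#2 -> dept#1 must both end at the dead end."""
    return (trace(tables, R1, f"{SITE}.20.77")[-1] == DEAD_END
            and trace(tables, R2, f"{SITE}.10.77")[-1] == DEAD_END)
```

Without the static route, dept#1 traffic for dept#2 is simply handed to the primary router, which forwards it on, so the check fails; the dead-end route on each department router is what enforces the separation.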