Just got finished cleaning up from a little issue that I blew up into a
big one...which moves me to ask regarding another plan we have:

We want to insert a firewall device in between our core router and our
Clean Access Server which handles the main campus subnet -- very
visible, very complex set of manually-assigned DHCP addresses, etc.

At the moment, we have a little /28 subnet in between the router and the
CAS. Either we need to change this subnet, and so change the trusted IP
address of the CAS to match, or we need to change the routing statements
on the core router. If this were all, I'd know which option I'd pick in
a flash!

Problem is, our CAM is /also/ in this little subnet, so it has to move
as there are no ethernet ports into which it can go when the firewall
goes in. Is it easier to change the IP address of the CAS or the CAM?
Any other gotchas you know about? Recommended approach to keep this from
blowing up while we work?

 --------   ---------------   ------   ----------------
 |router|---|new firewall |---|CAS |---| campus users |
 --------   ---------------   ------   ----------------
    |
  ----
 |CAM |
  ----
-- 
Regards,
-- Cal Frye, Network Administrator, Oberlin College
   www.calfrye.com,  www.pitalabs.com

What are your car's brakes for? They permit you to drive faster...
Control is the key.