Sridhar Cherukuri (Tanzania, United Republic of) asked:

Network Segmentation

I have a Windows NT Server, a Windows 2000 Server (database) and a Linux box (internet server), with 24 clients using the Linux box for internet and the Windows NT Server for shared folders in my network.

Now I need to segment this network into 3 groups (segments); no group should communicate with another group, but all 3 groups should be able to use the shared resources on the Windows NT Server, the database on the Windows 2000 Server and the internet from the Linux box.

All the clients have fixed IPs and no client is a member of the NT Server or Windows 2000 Server; they just use the shared and database resources.

Please advise me on the simplest and best technique to implement this.
bbao (Australia):

Scenario 1: if you have only hubs available.

1. Use three hubs to physically segment the three groups of computers.
2. Install three network adapters in each server that should be accessed by the other groups of computers.

Scenario 2: if you have an L3 switch available.

1. Create four VLANs on the L3 network switch.
2. Enable routing between VLANs.
3. Disable routing between the three VLANs for the above-mentioned computer groups.

Hope it helps,
bbao
Sridhar Cherukuri (asker):

Thanks for your reply. I have a D-Link VLAN-manageable switch. Can you please guide me on how to configure the VLANs for my scenario?

Thanks
bbao:

Could you please let us know the exact model/type of your D-Link manageable switch? A URL of a downloadable user manual is also preferred, if available. Thanks.
pseudocyber:
Since you want to allow SOME access, you're going to need one of:

1.) Multiple servers with triple-homed NICs - bad idea.
2.) A one-armed router with tagging to a switch running your VLANs - complicated & expensive.
3.) A 3-Ethernet-port router - complicated.
4.) A 3-Ethernet-port firewall - best solution.

With a three-Ethernet-port firewall, you could connect your three segments and then create simple rules which would allow only the access you specify. I'm thinking of a SonicWall 2040.
http://www.sonicwall.com/products/pro2040.html

With this firewall you could have rules pretty much like this:

From ANY to NT SERVER port WINDOWS FILE SERVICES action ALLOW log
From WINDOWS 2000 SERVER to DATABASE port DATABASE PORT action ALLOW log
From ANY to LINUX SERVER port 80, 443 (WEB, SSL) action ALLOW log
From LINUX SERVER to INTERNET port 80, 443 (WEB, SSL) action ALLOW log
From ANY to ANY port ANY action DENY log

These rules would allow the connectivity you want and give you visibility into the comings and goings of traffic within the network, providing some accountability. Authorization and authentication would depend on your servers.

The 2040 is about $1500 on the web.

Hope this helps.

P.S. You could also do it with a Layer 3 switch, which would collapse option 2 into one device - still complicated & expensive.
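The rule table in the answer above, encoded as a first-match policy evaluator so the effect of each rule (and of the closing deny) can be checked against sample flows. This is an added example, not code from the thread or from SonicWall. The addresses, zone names and the database port (1433 is assumed, the SQL Server default) are constructed; since the Windows 2000 server is the database, the database rule is encoded here as clients to that server on the database port.

```python
"""First-match evaluator for the three-legged firewall policy above.

Added example, not the firewall's own configuration language. Zones, hosts
and the database port are constructed/assumed for illustration.
"""
from ipaddress import ip_address, ip_network

# Constructed addressing: one /24 per client segment, servers on a fourth leg.
ZONES = {
    "SEGMENT_A": ip_network("10.1.1.0/24"),
    "SEGMENT_B": ip_network("10.1.2.0/24"),
    "SEGMENT_C": ip_network("10.1.3.0/24"),
    "SERVERS": ip_network("10.1.10.0/24"),
}
HOSTS = {
    "NT_SERVER": ip_address("10.1.10.1"),     # shared folders
    "W2K_SERVER": ip_address("10.1.10.2"),    # database
    "LINUX_SERVER": ip_address("10.1.10.3"),  # internet box
}
WINDOWS_FILE_SERVICES = {137, 138, 139, 445}  # NetBIOS plus direct-hosted SMB
DATABASE_PORT = {1433}                        # assumed; use your database's port
WEB = {80, 443}

# (source object, destination object, destination ports or None for any, action)
RULES = [
    ("ANY", "NT_SERVER", WINDOWS_FILE_SERVICES, "ALLOW"),
    ("ANY", "W2K_SERVER", DATABASE_PORT, "ALLOW"),
    ("ANY", "LINUX_SERVER", WEB, "ALLOW"),
    ("LINUX_SERVER", "INTERNET", WEB, "ALLOW"),
    ("ANY", "ANY", None, "DENY"),             # explicit default deny, logged
]


def matches(obj, addr):
    """True if `addr` belongs to the named firewall address object."""
    if obj == "ANY":
        return True
    if obj == "INTERNET":  # anything that is not one of the internal zones
        return not any(addr in net for net in ZONES.values())
    if obj in HOSTS:
        return addr == HOSTS[obj]
    return addr in ZONES[obj]


def evaluate(src, dst, dport):
    """Return (action, rule_number) of the first rule matching the flow."""
    src, dst = ip_address(src), ip_address(dst)
    for number, (s, d, ports, action) in enumerate(RULES, start=1):
        if matches(s, src) and matches(d, dst) and (ports is None or dport in ports):
            return action, number
    return "DENY", 0  # unreachable while the last rule is a catch-all


def log_line(src, dst, dport):
    """One constructed log entry, in the spirit of the 'log' flag on each rule."""
    action, number = evaluate(src, dst, dport)
    return f"rule {number} {action} {src} -> {dst}:{dport}"


if __name__ == "__main__":
    sample_flows = [  # constructed, not captured traffic
        ("10.1.1.5", "10.1.10.1", 445),      # A -> NT file share
        ("10.1.2.7", "10.1.10.2", 1433),     # B -> database
        ("10.1.3.9", "10.1.10.3", 80),       # C -> internet box
        ("10.1.10.3", "203.0.113.10", 443),  # internet box -> outside
        ("10.1.1.5", "10.1.2.7", 445),       # A -> B directly: must be denied
        ("10.1.1.5", "203.0.113.10", 443),   # A bypassing the Linux box: denied
    ]
    for flow in sample_flows:
        print(log_line(*flow))
```

Two things the model makes visible that the rule list alone does not: a source of ANY also matches addresses outside the three segments, so if an internet-facing interface ever becomes a firewall leg the source on the first three rules should be narrowed to the three client zones; and the evaluator is stateless, so reply traffic is assumed to be handled by the firewall's connection tracking rather than by extra rules.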
Sridhar Cherukuri (asker):

Hi bbao, sorry for the delay in responding. My switch is a D-Link DES-1226G; here is the URL for the manual of this switch: ftp://ftp.dlink.com/Switch/des1226G_revB/Manual/DES1226G_manual_30013.zip

I managed to create the VLANs according to my requirement, A, B and C:

port 1-8 -> A
port 9-16 -> B
port 17-24 -> C

According to my requirement there is no communication between these three VLANs, but now I have 2 servers which are hooked up to the same switch, and all 3 VLANs should be able to access them. How can I do this?
>> 2 servers which are hooked up to the same switch; all these 3 VLANs should be able to access them. How can I do this?

1.) You have a routing process on your switch (a layer 3 switch) which can route between VLANs, or there's a one-armed router which can receive tagged VLAN traffic and route for you.

2.) You have server NICs which are capable of receiving 802.1Q VLAN trunking tags, and you put sub-interfaces on those NICs.
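Option 2 above relies on the switch sending the server tagged frames and the server's NIC driver splitting them onto per-VLAN sub-interfaces. The following added example (not code from the thread, and not talking to a real NIC) builds and parses 802.1Q tags and shows the demultiplexing decision a tagged sub-interface setup makes, including the two edge cases that matter for isolation: priority-tagged frames (VID 0) are treated as untagged, and frames tagged with a VLAN the server has no sub-interface for are dropped. Interface names, VLAN IDs and MAC addresses are constructed.

```python
"""Building, parsing and demultiplexing 802.1Q-tagged Ethernet frames.

Added example for the trunked-server-NIC option; constructed values only.
"""
import struct

TPID_8021Q = 0x8100       # EtherType value announcing a VLAN tag follows
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Ethernet II frame; an 802.1Q tag is inserted when vlan_id is given."""
    frame = mac_bytes(dst) + mac_bytes(src)
    if vlan_id is not None:
        if not 0 <= vlan_id <= 4095:
            raise ValueError("VLAN ID is a 12-bit field")
        tci = ((pcp & 0x7) << 13) | (vlan_id & 0xFFF)  # PCP(3) DEI(1) VID(12)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return addresses, vlan (None if untagged), pcp, ethertype and payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan, pcp, offset = None, None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, pcp, offset = tci & 0xFFF, tci >> 13, 18
    return {"dst": mac_text(dst), "src": mac_text(src), "vlan": vlan,
            "pcp": pcp, "ethertype": ethertype, "payload": frame[offset:]}


def deliver(frame, parent, subinterfaces):
    """Name the interface a trunked NIC hands this frame to, or None to drop it.

    subinterfaces maps VLAN ID -> sub-interface name (e.g. 10 -> "eth0.10").
    Untagged and priority-tagged (VID 0) frames go to the parent interface;
    frames for a VLAN without a sub-interface are dropped, so a group whose
    VLAN the server is not configured for cannot reach it over the trunk.
    """
    info = parse_frame(frame)
    if info["vlan"] is None or info["vlan"] == 0:
        return parent
    return subinterfaces.get(info["vlan"])


if __name__ == "__main__":
    subs = {10: "eth0.10", 20: "eth0.20", 30: "eth0.30"}  # one per client group
    tagged = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                         ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19, vlan_id=20, pcp=3)
    print(parse_frame(tagged))
    print(deliver(tagged, "eth0", subs))    # eth0.20
    untagged = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                           ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
    print(deliver(untagged, "eth0", subs))  # eth0
```

On a real server the equivalent of the `subinterfaces` map is whatever the OS uses to create VLAN sub-interfaces; the point the model makes is that a tagged server port gives each group its own interface (and therefore its own firewall and routing treatment) on one cable, whereas an untagged port placed in every VLAN, as in the port-based approach, gives the server one interface that sees all three groups.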

ASKER CERTIFIED SOLUTION by bbao (Australia): content available only to Experts Exchange members.
Sridhar Cherukuri (asker):

Dear bbao, thanks for your help. What I did is I allocated ports for the 3 VLANs and connected the servers to ports 24 and 25; while allocating the ports for the VLANs I included ports 24 and 25 in each VLAN, and it started working according to my needs perfectly.

But I failed to notice one thing here. The VLAN A computers are connected to the switch and VLAN B is connected to another switch, and there is a link between the VLAN A switch and the VLAN B switch, but unfortunately the other 8 computers (VLAN C) are connected to one more switch, which gets its link from the VLAN B switch.

In this scenario how can I make VLAN C a separate VLAN, since it is getting its link from the VLAN B switch?

If the VLAN C switch had a direct link from the VLAN A switch, then I would have included the uplink cable's port in VLAN C so that they fall under a separate logical network.

Is there any alternative for this?
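The layout in the post above, modelled as port-based VLAN forwarding so the two effects at play can be checked: overlapping membership (ports 24 and 25 in every VLAN) lets all three groups reach the servers without letting groups reach each other, while an unmanaged switch daisy-chained off the VLAN B switch puts every host behind it into VLAN B. This is an added example, not the D-Link's software; the host names and uplink ports are constructed, and the forwarding rule assumed is the usual port-based VLAN behaviour of small managed switches: a frame entering on port p may leave on any port that shares at least one VLAN with p.

```python
"""Layer-2 reachability under port-based VLANs (added model, constructed data).

Ports 1-8 are VLAN A, 9-16 VLAN B, 17-24 VLAN C; the two server ports (24, 25)
are members of every VLAN, as the poster configured. Everything behind an
unmanaged switch enters the managed switch through that switch's single
uplink port, so the VLAN of the uplink port is the VLAN of every host behind it.
"""

VLANS = {
    "A": set(range(1, 9)) | {24, 25},
    "B": set(range(9, 17)) | {24, 25},
    "C": set(range(17, 25)) | {25},  # port 24 is already a VLAN C port
}


def egress_ports(ingress):
    """Ports a frame entering on `ingress` may be forwarded to."""
    allowed = set()
    for members in VLANS.values():
        if ingress in members:
            allowed |= members
    allowed.discard(ingress)
    return allowed


def managed_port(topology, node):
    """Follow a host or unmanaged switch to the managed-switch port it enters on."""
    kind, target = topology[node]
    while kind == "switch":  # behind an unmanaged switch: follow its uplink
        kind, target = topology[target]
    return target


def can_reach(topology, src, dst):
    """Can a frame from src reach dst at layer 2?"""
    p_src, p_dst = managed_port(topology, src), managed_port(topology, dst)
    if p_src == p_dst:
        return True  # same unmanaged fabric: the managed switch never sees it
    return p_dst in egress_ports(p_src)


# Constructed topology: A hosts on the managed switch, B hosts on an unmanaged
# switch uplinked into port 9, and the C switch uplinked from the B switch.
BROKEN = {
    "a1": ("port", 1), "a2": ("port", 2),
    "nt_server": ("port", 24), "w2k_server": ("port", 25),
    "switch_B": ("port", 9),
    "b1": ("switch", "switch_B"), "b2": ("switch", "switch_B"),
    "switch_C": ("switch", "switch_B"),
    "c1": ("switch", "switch_C"), "c2": ("switch", "switch_C"),
}
# The remedy the poster describes: cable switch_C's uplink into a VLAN C port.
FIXED = dict(BROKEN, switch_C=("port", 17))


def isolated(topology):
    """True only if every group reaches both servers and no group reaches another."""
    groups = {"A": ["a1", "a2"], "B": ["b1", "b2"], "C": ["c1", "c2"]}
    servers = ["nt_server", "w2k_server"]
    for name, hosts in groups.items():
        for host in hosts:
            if not all(can_reach(topology, host, s) for s in servers):
                return False
            for other, others in groups.items():
                if other != name and any(can_reach(topology, host, o) for o in others):
                    return False
    return True


if __name__ == "__main__":
    for label, topo in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, "c1->b1:", can_reach(topo, "c1", "b1"),
              "c1->nt_server:", can_reach(topo, "c1", "nt_server"),
              "isolated:", isolated(topo))
```

One caveat the model makes explicit: with ports 24 and 25 in all three VLANs, each server sits in all three broadcast domains on a single interface, so the switch only prevents direct client-to-client forwarding. If either server has IP forwarding enabled it can relay traffic between the groups, so keep forwarding off on the file and database servers and limit the Linux box's forwarding to its internet path.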

SOLUTION: content available only to Experts Exchange members.
Sridhar Cherukuri (asker):

You are right Jeff, I have already decided to upgrade my second switch to a VLAN-capable switch.

Thank you guys