Solved

Separating networks on same physical media

Posted on 2000-03-27
16
295 Views
Last Modified: 2010-04-17
Ok here's the setup.

Currently we have about 200 mixed machines set up on the same subnet.  By mixed I mean business app machines and a few process control machines.  One process control server and about 5 clients.  Currently all machines are behind a router on subnet xxx.xxx.74.xxx.

The desired result is to have the Process control machines to be on the network as if it were separate.  This could be achieved by running separate cable for the 6 machines involved and connecting them to their own router (to connect to the rest of the network).  However the cost of running cable etc is not desired.

So how do we get the 6 process control machines and the 200 or so business machines to coexist on the same physical network but to not be in any position to see each other.  Meaning I don't want to be able to sit down at a business machine and see the process control machine on the network**.  I don't want packets that are meant for machines on the xxx.xxx.74.xxx network going to any of the process control machines.

The process control machines could be set up on their own subnet say xxx.xxx.19.xxx.

** In some cases we may want specific business machines to see the process control machines.

I'm guessing when I'm thinking that we could change the process control machines to the 19 subnet and update the router so it knows to pass on packets for 74 and 19 subnets.  Clients on 74 should then not be able to see 19??  Ahh I really don't know, that's why I'm asking 8-)

If I have been unclear of the situation or desired result let me know.

Gordon
Question by:Haps13

16 Comments
 

Expert Comment

by:hself
What kind of Router are you using?  Number of ethernet interfaces?
0
 
LVL 1

Author Comment

by:Haps13
That I'm not too sure about.  What kind of router would I need to be using to achieve the desired result?  And how
0
 
LVL 3

Expert Comment

by:apadua
Here's a crazy idea that, in theory, would work fine.

First, since switches and hubs are layer 2 or lower devices, they don't care what IP your machines have. The switches use MAC addresses to determine destination ports, and the hubs simply don't analyze anything. So you could perfectly use two different network addresses on the same segment. The problem would be that you wouldn't ever get a machine on network A to see a machine on network B, and you'd have little control over the use of your network (and if your users are smart, they can change the IP addresses on their machines to access the other network).

Ok, so now you have two different IP networks communicating over the same segment. Since you want the two to talk to each other, you'd need a router that has two ethernet ports. You'd put one IP address on each port, and connect both ports to a hub or switch on this network. You'd use the router to, basically, convert IP addresses.

The only problem I can see is with ARP queries. I guess you'll have to test it.

Good luck,


Andre
0
 

Expert Comment

by:hself
If you have a router with two ethernet interfaces, you can use the router to segment your network.  Place one subnet on one of the ethernet interfaces, and the process control machines on another subnet using the other ethernet interface.
Then use access lists to allow only the machines that need to see the process control machines.
Granted this solution is more detailed than I outlined above, but should provide everything you are looking for.
0
 

Expert Comment

by:hself
It also depends upon what kind of router you are using.

Hoyt
0
 
LVL 1

Author Comment

by:Haps13
hself, is what you're talking about within the guidelines of Network A and Network B being on the same physical cable segment?  Or are you talking about 2 separate network segments?
0
 
LVL 1

Accepted Solution

by:
awetherhold earned 400 total points
It would help if you could find out what type of switch and router you are using, but in essence what you want to use is a VLAN (assuming your switch will support it).  What a VLAN allows you to do is take individual ports on a switch and assign them to a ‘Virtual’ LAN.  Each VLAN is independent of the other, thus separating your network.  This fits your needs because it doesn’t require any additional wiring or hardware (once again assuming your hardware supports VLANS).

What you need to do is create 2 VLANS, group A and group B.  Next add all the computers in each group to their respective VLANS.  From that point on, the two networks will not be able to communicate with each other.


Here is a link on Cisco’s web page that will describe VLANS in more detail.

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/sw_ntman/cwsimain/cwsi_1/cwsi1_ug/vldug/overvw.htm


If your hardware doesn’t support VLANS then you have two choices, you either have to physically separate your network, or separate it at the OS level (multiple NT domains for example).
0
 
LVL 1

Author Comment

by:Haps13
What I meant by asking is what kind of router will do this.  What's a good one.  Preferably Cisco.  If we don't have one that will do it we will buy one.
0
 
LVL 1

Author Comment

by:Haps13
Ok one other question.  Is there a way within the configuration of the router to allow for ip forwarding from specific computers.  i.e. the 3 computers from Network B (with dedicated IPs) that need to see network B.
0
 
LVL 4

Expert Comment

by:erik_nodland
You can just use access lists to deny or permit any computer to talk to any other device. If your router doesn't have 2 ethernet interfaces just use a secondary ip address on the same ethernet interface. Cisco will do it, not sure about anything else.
0
 

Expert Comment

by:tmutsambwa
I have a similar problem
0
 
LVL 1

Expert Comment

by:awetherhold
If you do want some routing between the two networks then you're going to need ACLs as someone already mentioned.  You can still use VLANS (as you only need one switch); you would then place a router between the two VLANS with the ACLs that you want (ie let those 3 computers see both networks, but no other computers).

As for equipment, almost all Cisco routers now come with the ability to use ACLs as well as most of their switches come with VLAN ability.  It’s hard to specify equipment without knowing current needs as well as future growth.  You could implement what you asked for with a Cisco 2611 & a 2924 with a couple hubs for under $6,000 or you might want the growth of a Catalyst 6000 with a 7500 router for future growth and be spending something around $35,000.
0
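As an added illustration of the design described in the accepted solution and in the comment above (two VLANs on one switch, a router between them, ACLs that let only three business machines reach the process control side), here is a configuration sketch. It is not configuration from the thread, from Cisco or from the asker's site. It assumes VLAN 74 for the business machines and VLAN 19 for the process control machines, uses the documentation ranges 192.0.2.0/24 and 198.51.100.0/24 as stand-ins for the xxx.xxx.74.xxx and xxx.xxx.19.xxx subnets, assumes the three permitted business hosts are .11, .12 and .13, and assumes module/port numbers and a router with a Fast Ethernet interface that supports ISL trunking. The switch side is CatOS syntax (Catalyst 5000 era); the router side is an IOS "router on a stick" with one subinterface per VLAN.

```cisco
# --- Catalyst 5000 (CatOS); port assignments below are assumptions ---
set vlan 74 name business
set vlan 19 name process-control
# business machines on 2/1-24, the six process control machines on 3/1-6
set vlan 74 2/1-24
set vlan 19 3/1-6
# single uplink to the router carries both VLANs as an ISL trunk
set trunk 3/24 on isl 19,74

! --- Router (IOS); interface name is an assumption ---
interface FastEthernet0/0
 no ip address
!
! Business VLAN. ACL 101 is applied to traffic arriving FROM the
! business side, so it decides who may reach the process control subnet.
interface FastEthernet0/0.74
 encapsulation isl 74
 ip address 192.0.2.1 255.255.255.0
 ip access-group 101 in
!
! Process control VLAN. ACL 102 is applied to traffic arriving FROM the
! process control side, so replies (and anything else) can only go back
! to the three permitted hosts.
interface FastEthernet0/0.19
 encapsulation isl 19
 ip address 198.51.100.1 255.255.255.0
 ip access-group 102 in
!
! Business -> process control: three named hosts only; everything else
! bound for the process control subnet is dropped and logged, while
! business traffic to any other destination is left alone.
access-list 101 permit ip host 192.0.2.11 198.51.100.0 0.0.0.255
access-list 101 permit ip host 192.0.2.12 198.51.100.0 0.0.0.255
access-list 101 permit ip host 192.0.2.13 198.51.100.0 0.0.0.255
access-list 101 deny   ip any 198.51.100.0 0.0.0.255 log
access-list 101 permit ip any any
!
! Process control -> business: only the same three hosts, nothing else.
access-list 102 permit ip 198.51.100.0 0.0.0.255 host 192.0.2.11
access-list 102 permit ip 198.51.100.0 0.0.0.255 host 192.0.2.12
access-list 102 permit ip 198.51.100.0 0.0.0.255 host 192.0.2.13
access-list 102 deny   ip any any log
```

Two points worth checking once this is in place. First, the separation is only as good as the port-to-VLAN assignment: a business machine plugged into a port in VLAN 19 bypasses the router entirely, so keep the VLAN 19 port list short and audited. Second, these are plain packet filters, not stateful rules, which is why ACL 102 has to list the three hosts explicitly; the `log` keyword on the deny lines gives the router's log a record of any business machine that tries to reach the process control subnet, which is the easiest way to spot a misconfigured or curious host.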
 
LVL 1

Author Comment

by:Haps13
Thank you.  We currently have a Catalyst 5000 in place.  So the need for additional hardware shouldn't be an issue.

You have pretty much answered my preliminary questions that it is possible.  Now I just have to get into all the nitty gritty of setting it up. 8-)  Time to do some reading

0
 
LVL 1

Expert Comment

by:awetherhold
Sure.  Since you're using a Cat 5000, you may want to look into ISL.  Here is more documentation on routing at the switch level.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/switch_c/xcprt7/xcdvlisl.htm#22261

0
