pajiao
asked on
Separating departments
Hi,
I have a scenario where I need to segregate the various departments of my company so that I have control over which department can see which, which can't see any department, who can use the internet, etc. I am wondering if using routers can achieve this? If yes, how? Else what could I do except using expensive domain controllers?
Rgds
ASKER
Hi,
What about those home-based routers such as Linksys that come with a 4-port hub? Will these work well too?
Rgds
ASKER
I am referring to using those Linksys home routers with a 4-port hub in each department.
Are you looking to subnet or prevent access to network resources? Subnetting wouldn't really solve your issue unless you're talking about network traffic going between departments. If you're talking about access to resources, then you have to do something better like a client-server setup. What do you have set up now?
Home-based routers are not designed for what you're trying to do. They deal with no more than two networks.... and the second is the private network whenever you have that feature on. You could build or buy a multiple interface router.
Actually, you may get into a weird NATing issue. Those routers by design NAT everything coming into their WAN port. For example, if you want to ping across this labyrinth of routers, you won't be able to. There will be other issues, which I haven't thought about just yet.
You are better off buying something bigger than an 8-port switch to use.
Regards,
ASKER
Thanks for all the comments,
Access to specific resources, I know this is not the way, but now let's assume all I want is for each department not to see each other.
Question:
1) In the above scenario, would using subnets achieve it? That means, would let's say network 192.168.1.0/26 ping 192.168.1.64/26? <-- sorry for this basic question
I am thinking of using a home-based router to separate each department, i.e. each department having a router and doing NAT. Departments which should see each other use addresses from the same subnet. Possible?
Or what other recommendations is there? Thanks.
You might as well just have one router connected to your internet connection which does NAT and a series of switches.
Actually, you wanted control over traffic flow, didn't you? You'll run into the nightmare of having to configure the firewall on each and every one of the routers if you try to restrict traffic for each department. A multiple interface router would actually dodge the problem of having so many routers to deal with.
If you have ALL of the routers doing NAT, you'd run into major communication issues. Departments would only be able to see the "public" IP of another department, and therefore would not see that department's computers without a ton of port forwarding, but even that would get screwy.
If anything, you might as well either use managed switches or the minimum number of firewalls, in combination with a multiple-interface router. You'd otherwise cause yourself all sorts of unnecessary headaches because you're trying something that just won't work, even though the equipment might be cheaper.
Look into switches and better routers. Once you do that, you'll be thanking us for helping you avoid pain that you don't need to suffer.
ASKER
Hi thanks all for the advice,
With regards to my question,
>>Question:
1) In the above scenario, would using subnets achieve it? That means, would let's say network 192.168.1.0/26 ping 192.168.1.64/26? <-- sorry for this basic question
What is the answer?
You'd have to have the subnet defined somewhere, which would be on a multiple interface router. Home routers won't work for that purpose.
There would be a way you could technically try to pull it off, but it's honestly more hassle than it's worth. But based on the way you've described everything, it wouldn't work at all.
ASKER
Questions:
1) Let's say the subnet is not defined at the router. Would a PC in 192.168.1.0/26 ping another in 192.168.1.64/26? (yes/no)
2) Looks like using L3 switches would be the possible solution. What is the comparison between having L3 switches and the possibility of using domain controllers such as AD and Novell in this case?
Rgds
Using the NATed routers, you will only be able to ping IP addresses of any peer device on the LAN side or above it in the hierarchy.
Internet
    |
    |
router A -------------------
    |           |          |
    |           |          |
  PC a        PC b         |
                        Router B ---------------------------------
                            |          |           |             |
                            |          |           |             |
                          PC c       PC d          |             |
                                                Router C      Router D
                                                 |     |       |     |
                                                 |     |       |     |
                                               PC e   PC f   PC g   PC h
Assuming ICMP traffic is permitted
PC h or g can ping PC h, g, c, d, a, b and outside router interfaces d, c, b, a, and cannot ping PC e & f.
PC c or d can ping PC c, d, a, b and outside router interfaces c, d, b, a, and cannot ping PC e, f, g & h.
PC a or b can ping PC a & b and outside router interfaces a & b, and cannot ping PC c, d, e, f, g, h.
The reason for this is that with these SOHO routers, because of NATing, the devices on the LAN side are sharing the WAN side IP address, so if we looked at PC c's peers we would only see PC d, routers C and D, and nothing else below it. PC c can touch everything above it, assuming that they too are not hiding behind a NATed router. So per device, whatever cannot be seen or touched by a device cannot be used by that particular device. So if you want everyone to print off the same printer without any serious modifications, you may want to place it under router A.
Be advised that using this type of topology in combination with NATed routers can produce some really funky results.
Your safest and cheapest option is just hang a layer 2 switch off your internet facing routers and call it even. Otherwise, I do suggest the NETGEAR FSM7328S ProSafe 24-Port L3 Managed Stackable Switch $370 or equivalent as the next safest option.
In closing I agree with masnrock in regards to your described network ..."it's honestly more hassle than it's worth".
Regards,
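The reachability rules described in the answer above, as an added example that is not from the thread: a small Python model of the nested-NAT diagram that works out which PCs and which router outside (WAN) interfaces each PC can ping, under the same assumptions (ICMP permitted, no port forwarding). Router and PC names follow the diagram; the model itself is an assumption added here, not anything the poster ran.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass(eq=False)  # compare LANs by identity, not by field value
class Lan:
    router: str                 # SOHO router whose LAN side this is
    parent: Optional["Lan"]     # LAN the WAN port plugs into; None = Internet
    pcs: List[str] = field(default_factory=list)

def lans_above(lan: Optional[Lan]):
    """Yield the LAN itself, then each LAN above it up to the top router."""
    while lan is not None:
        yield lan
        lan = lan.parent

def can_ping_pc(src: Lan, dst: Lan) -> bool:
    # Hosts behind NAT share their router's WAN address, so a PC can reach its
    # own LAN and every LAN above it. PCs behind a sibling or child NAT router
    # are invisible: unsolicited inbound traffic is dropped without port forwarding.
    return dst in lans_above(src)

def can_ping_wan_side(src: Lan, router_lan: Lan) -> bool:
    # A router's outside (WAN) interface sits on its parent LAN, or on the
    # Internet for the top router, so it is reachable whenever that LAN is.
    return router_lan.parent is None or router_lan.parent in lans_above(src)

def build_topology() -> Dict[str, Lan]:
    """The diagram in the thread (constructed here): B hangs off A; C and D hang off B."""
    a = Lan("router A", None, ["a", "b"])
    b = Lan("router B", a, ["c", "d"])
    c = Lan("router C", b, ["e", "f"])
    d = Lan("router D", b, ["g", "h"])
    return {pc: lan for lan in (a, b, c, d) for pc in lan.pcs}

def reachable_pcs(pc: str) -> List[str]:
    """PCs that `pc` can ping (ICMP permitted, no port forwarding assumed)."""
    topo = build_topology()
    return sorted(p for p, lan in topo.items() if can_ping_pc(topo[pc], lan))

def reachable_wan_sides(pc: str) -> List[str]:
    """Router outside interfaces that `pc` can ping."""
    topo = build_topology()
    routers = {lan.router: lan for lan in topo.values()}
    return sorted(r for r, lan in routers.items() if can_ping_wan_side(topo[pc], lan))

if __name__ == "__main__":
    for pc in ("h", "c", "a"):
        print(f"PC {pc}: pings PCs {reachable_pcs(pc)}, WAN sides {reachable_wan_sides(pc)}")
```

Running it reproduces the three lines of the answer: PC h sees a, b, c, d, g, h but not e or f, while PC a sees only a and b and only the outside interfaces of routers A and B.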
>1) Let's say the subnet is not defined at the router. Would a PC in 192.168.1.0/26 ping another in 192.168.1.64/26? (yes/no)
No, CISCO-wise (and I'm certain NO everyone-else-wise) if no networks are defined, you can not traverse your topology to that device on that subnetwork.
>2) Looks like using L3 switches would be the possible solution. What is the comparison between having L3 switches and the possibility of using domain controllers such as AD and Novell in this case?
It means that your MS AD server is now taking on the extra role of routing; it has its hands full with maintaining the AD (database) and DNS services and any other services you may have installed there. Novell will have the same issues. I am however uncertain with the sum of all services on either platform, which will be doing the heavier work load. I am unaware of Netware being able to do routing of packets.
But the general idea will be you don't want a situation where the server is handling heavy duty routing and heavy duty server work; it implies a potential for either a lot of lost data packets OR lost or damaged server data.
Regards
hope it helps,
bbao