
Separating departments

Hi,

I have a scenario where i need to segregate the various departments of my company so that i have control which department can see which and which cant see any department, who can use internet  etc. I am wondering if using routers can achieve this? If yes how? Else what could i do except using expensive domain controllers?

Rgds
1 Solution
 
bbao (IT Consultant) commented:
A router with multiple LAN interfaces or VLAN support can achieve this. Actually, nowadays, you just need an L3 (Layer Three) network switch which supports VLANs and routing between the VLANs. How? Briefly speaking: 1) enable the VLANs according to the departments, 2) enable VLAN routing, and 3) define the routing policy to control the traffic. The detailed operations depend on the specific switch you have.

hope it helps,
bbao
 
pajiao (Author) commented:
Hi,

What about those home-based routers such as Linksys that come with a 4-port hub? Will these work well too?

Rgds
 
pajiao (Author) commented:
I am referring to using those Linksys home routers with a 4-port hub in each department.
 
masnrock commented:
Are you looking to subnet or prevent access to network resources? Subnetting wouldn't really solve your issue unless you're talking about network traffic going between departments. If you're talking about access to resources, then you have to do something better like a client-server setup. What do you have set up now?

Home-based routers are not designed for what you're trying to do. They deal with no more than two networks.... and the second is the private network whenever you have that feature on. You could build or buy a multiple interface router.
 
ECNSSMT commented:
Actually, you may get into a weird NATing issue. Those routers by design NAT everything coming into their WAN port. For example, if you want to ping across this labyrinth of routers, you won't be able to. There will be other issues, which I haven't thought about just yet.

You are better off buying something bigger than an 8-port switch to use.

Regards,
 
pajiao (Author) commented:
Thanks for all the comments,

Access to specific resources: I know this is not the way, but now let's assume all I want is for each department not to see each other.

Question:
1) In the above scenario, would using subnets achieve it? That means, would, let's say, network 192.168.1.0/26 ping 192.168.1.64/26? <-- sorry for this basic question

I am thinking of using a home-based router to separate each department, i.e. each department having a router and doing NAT. Departments which should see each other would use addresses from the same subnet. Possible?

Or what other recommendations are there? Thanks.
 
masnrock commented:
You might as well just have one router connected to your internet connection which does NAT and a series of switches.

Actually, you wanted control over traffic flow, didn't you? You'll run into the nightmare of having to configure the firewall on each and every one of the routers if you try to restrict traffic for each department. A multiple interface router would actually dodge the problem of having so many routers to deal with.

If you have ALL of the routers doing NAT, you'd run into major communication issues. Departments would only be able to see the "public" IP of another department, and therefore would not see that department's computers without a ton of port forwarding, but even that would get screwy.

If anything, you might as well either use managed switches or the minimum number of firewalls, in combination with a multiple-interface router. You'd otherwise cause yourself all sorts of unnecessary headaches because you're trying something that just won't work, even though the equipment might be cheaper.

Look into switches and better routers. Once you do that, you'll be thanking us for helping you avoid pain that you don't need to suffer.
 
ECNSSMT commented:
Hi pajiao,

A lot of the cheap SOHO equipment you see is a great quick solution for the home user and small business owners who may not have more than 4 users to network. As a small business grows, they have a comparatively limited direction of what to add on to grow their business. An incremental step would be to add on a 10/100MB 4-, 8-, or 16-port switch, which would add on 2, 6, or 14 usable ports for a price ranging from $30 ~ $150. Afterwards, it becomes a redesign of the network infrastructure to accommodate the size of the business (2 or more floors of users translating into establishing multiple network closets; an MDF and multiple IDFs), the increased bandwidth requirements, and security; especially in your stated requirements.
At this point, it becomes a technology growth and business investment issue, where you determine the direction you want to take.  All of it with the pros and cons of those directions considered.
Quickly moving on, as growth plans can get very detailed and can contain a multitude of variations. If cost wasn't a factor, I'd say consider investing in some Cisco equipment for your layer 2 and 3 needs; their IOS is full featured so you can tailor your network to what you need. And that would include your security concerns. That WOULD chokingly cost $$$$ though.
The more practical would be to look for equipment that meets the immediate needs of a 20 ~ 40 user single LAN topology. Other companies like Netgear offer some interesting products, like in the 10/100MB range:

NETGEAR FSM7328S ProSafe 24-Port L3 Managed Stackable Switch $370
http://www.cdw.com/shop/products/default.aspx?EDC=767898
and for growth
NETGEAR FS728TS ProSafe 24 Port 10/100 Stackable Smart Switch $230
http://www.cdw.com/shop/products/default.aspx?EDC=896244

or for something more up to date 1GB to support all of the newer 1GB NICs

NETGEAR GSM7324 ProSafe 24-port L3 Managed Gigabit Switch $1,540
http://www.cdw.com/shop/products/default.aspx?EDC=505150
and for growth
NETGEAR GS724T 24-port Gigabit Smart Switch $364
http://www.cdw.com/shop/products/default.aspx?EDC=625154

This would provide the VLANs for security. The L3 device would provide the (internal) routing to the VLANs you've created. If your company grows, then you can add on the respective L2 device to extend your network in all respects. I do favor the 1GB devices as they'll have greater longevity than the 10/100MB stuff.

And other side benefits:
1. They are managed devices, so they at least are configurable from a webpage or CLI.
2. L3 devices: routing is internal, so you are not using physical ports to connect to the switching.
3. Ports are allocatable; so if a department needs only 2 ports, create a VLAN with only 2 ports, or any number, vs. buying a 4-, 8-, 12-, or 16-port switch for them.
There are other benefits spec'd out by the vendor; check out the appropriate sites to get the specifics.

Note that there are other competing brands; you may want to look into them also; Linksys, D-link, Belkin.

Regards
 
pajiao (Author) commented:
Hi thanks all for the advice,

With regards to my question,

>> Question:
>> 1) In the above scenario, would using subnets achieve it? That means, would, let's say, network 192.168.1.0/26 ping 192.168.1.64/26? <-- sorry for this basic question

What is the answer?
 
masnrock commented:
You'd have to have the subnet defined somewhere, which would be on a multiple interface router. Home routers won't work for that purpose.

There would be a way you could technically try to pull it off, but it's honestly more hassle than it's worth. But based on the way you've described everything, it wouldn't work at all.
 
pajiao (Author) commented:
Questions:

1) Let's say the subnet is not defined at the router. Would a PC in 192.168.1.0/26 ping another in 192.168.1.64/26? (yes/no)
2) Looks like using L3 switches would be the possible solution. What is the comparison between having L3 switches and the possibility of using domain controllers such as AD and Novell in this case?

Rgds
 
ECNSSMT commented:
Using the NATed routers, you will only be able to ping IP addresses of any peer device on the LAN side or above it in the hierarchy.


         Internet
             |
             |
       router A-----------
        |       |              |
        |       |              |
     PC a   PC b           |
                          Router B -------------------------------------------
                          |         |          |                                         |
                          |         |          |                                         |
                       PC c    PC d        |                                         |
                                            Router C                            Router D
                                             |        |                            |          |
                                             |        |                            |          |
                                         PC e     PC f                       PC g      PC h

Assuming ICMP traffic is permitted:
PC h or g can ping PC h, g, c, d, a, b and outside router interfaces d, c, b, a, and cannot ping PC e & f
PC c or d can ping PC c, d, a, b and outside router interfaces c, d, b, a, and cannot ping PC e, f, g, & h
PC a or b can ping PC a & b and outside router interfaces a & b, and cannot ping PC c, d, e, f, g, h

The reason for this is that with these SOHO routers, because of NATing, the devices on the LAN side are sharing the WAN side IP address, so if we looked at PC c's peers we would only see PC d, router C and D, and nothing else below it. PC c can touch everything above it, assuming that they too are not hiding behind a NATed router. So per the devices, whatever cannot be seen or touched by a device cannot be used by that particular device. So if you want everyone to print off the same printer without any serious modifications, you may want to place it under router A.

Be advised that using this type of topology in combination with NATed routers can produce some really funky results.

Your safest and cheapest option is to just hang a layer 2 switch off your internet-facing router and call it even. Otherwise, I do suggest the NETGEAR FSM7328S ProSafe 24-Port L3 Managed Stackable Switch ($370) or equivalent as the next safest option.

In closing I agree with masnrock in regards to your described network ..."it's honestly more hassle than it's worth".  

Regards,
 
ECNSSMT commented:
> 1) Let's say the subnet is not defined at the router. Would a PC in 192.168.1.0/26 ping another in 192.168.1.64/26? (yes/no)
No, Cisco-wise (and I'm certain no everyone-else-wise): if no networks are defined, you cannot traverse your topology to that device on that subnetwork.

> 2) Looks like using L3 switches would be the possible solution. What is the comparison between having L3 switches and the possibility of using domain controllers such as AD and Novell in this case?
It means that your MS AD server is now taking on the extra role of routing; it has its hands full with maintaining the AD (database) and DNS services and any other services you may have installed there. Novell will have the same issues. I am however uncertain, with the sum of all services on either platform, which will be doing the heavier workload. I am unaware of NetWare being able to do routing of packets.
But the general idea will be that you don't want a situation where the server is handling heavy-duty routing and heavy-duty server work; it implies a potential for either a lot of lost data packets OR lost or damaged server data.

Regards
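As an added example (not code from any of the posters), here is a small Python model of the two points made in ECNSSMT's answers above: the reachability rule for the NAT router hierarchy in the diagram ("LAN peers plus everything above you") and the /26 question. The topology and the addresses are constructed to match the posts.

```python
import ipaddress

# Constructed topology mirroring the diagram in the post above: each router's WAN
# port plugs into its parent's LAN and every router NATs traffic entering its WAN.
TOPOLOGY = {
    "A": {"parent": None, "pcs": ["a", "b"]},
    "B": {"parent": "A", "pcs": ["c", "d"]},
    "C": {"parent": "B", "pcs": ["e", "f"]},
    "D": {"parent": "B", "pcs": ["g", "h"]},
}

def router_of(pc):
    """Name of the router whose LAN side the PC is attached to."""
    for name, router in TOPOLOGY.items():
        if pc in router["pcs"]:
            return name
    raise KeyError(pc)

def lan_members(router):
    """Devices on a router's LAN: its own PCs plus the outside (WAN) interfaces
    of child routers, which are ordinary LAN clients from this router's view."""
    members = {f"PC {pc}" for pc in TOPOLOGY[router]["pcs"]}
    members |= {f"WAN {child}" for child, r in TOPOLOGY.items() if r["parent"] == router}
    return members

def reachable_from(pc):
    """Everything a PC can ping, assuming ICMP is permitted: the LAN of its own
    router and of every router above it, plus those routers' WAN interfaces.
    Anything behind a sibling or descendant NAT router stays hidden."""
    reachable = set()
    router = router_of(pc)
    while router is not None:
        reachable |= lan_members(router)
        reachable.add(f"WAN {router}")
        router = TOPOLOGY[router]["parent"]
    return reachable

def can_ping(src_pc, target):
    return target in reachable_from(src_pc)

def on_link(src_iface, dst_ip):
    """The /26 question: a host only talks directly to addresses inside its own
    configured network; anything else needs a gateway, so with no router defined
    192.168.1.0/26 cannot reach 192.168.1.64/26 even across one shared switch."""
    return ipaddress.ip_address(dst_ip) in ipaddress.ip_interface(src_iface).network
```

Running `reachable_from("h")` reproduces the list given for PC h above, and `on_link("192.168.1.10/26", "192.168.1.70")` is False because the destination lies outside the host's own /26.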