Separating departments

Asked by pajiao

Hi,

I have a scenario where I need to segregate the various departments of my company so that I have control over which department can see which, which can't see any other department, who can use the internet, etc. I am wondering if using routers can achieve this? If yes, how? Otherwise, what could I do apart from using expensive domain controllers?

Rgds
bbao (Australia):

A router with multiple LAN interfaces or VLAN support can achieve this. Actually, nowadays you just need an L3 (Layer Three) network switch which supports VLANs and routing between the VLANs. How? Briefly speaking: 1) enable the VLANs according to the departments, 2) enable VLAN routing, and 3) define the routing policy to control the traffic. The detailed operations depend on the specific switch you have.

hope it helps,
bbao
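The three steps bbao lists (a VLAN and subnet per department, routing between them, and a policy that controls which department reaches which and who gets internet) come down to an ordered access list on each routed VLAN interface. The block below is an added example, not code from this thread or from any switch vendor: it models how such an ACL is evaluated (first match wins, implicit deny at the end) and renders it in IOS-style syntax for illustration. The department names, VLAN IDs, subnets and the policy matrix are assumptions.

```python
"""Inter-VLAN access policy as an L3 switch would evaluate it.

Added example, not code from this thread. Department names, VLAN IDs,
subnets and the policy matrix below are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Step 1: one VLAN and one subnet per department (assumed values).
VLANS = {
    "sales":       (10, ipaddress.ip_network("10.0.10.0/24")),
    "engineering": (20, ipaddress.ip_network("10.0.20.0/24")),
    "finance":     (30, ipaddress.ip_network("10.0.30.0/24")),
}
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = ipaddress.ip_network("0.0.0.0/0")

# Step 3: who may talk to whom, and who gets internet (assumed policy).
POLICY = {
    "sales":       ({"engineering"}, True),
    "engineering": ({"sales"}, True),
    "finance":     (set(), False),   # sees nobody, no internet
}


@dataclass
class Rule:
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, s, d):
        return s in self.src and d in self.dst


def build_acl(dept):
    """Ordered rules applied inbound on the department's routed VLAN
    interface. First match wins; an unmatched packet hits the implicit
    deny at the end, exactly as on a switch ACL."""
    reach, internet = POLICY[dept]
    src = VLANS[dept][1]
    acl = [Rule("permit", src, VLANS[d][1]) for d in sorted(reach)]
    acl += [Rule("deny", src, n) for n in INTERNAL]   # every other department
    if internet:
        acl.append(Rule("permit", src, ANY))           # whatever is left is outside
    return acl


def evaluate(acl, src_ip, dst_ip):
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in acl:
        if rule.matches(s, d):
            return rule.action
    return "deny"   # implicit deny


def render_ios(dept, acl):
    """IOS-style extended ACL text (illustrative syntax; the wildcard mask
    is the inverse of the subnet mask)."""
    def net(n):
        return "any" if n == ANY else f"{n.network_address} {n.hostmask}"
    lines = [f"ip access-list extended {dept.upper()}-IN"]
    lines += [f" {r.action} ip {net(r.src)} {net(r.dst)}" for r in acl]
    return "\n".join(lines)


ACLS = {dept: build_acl(dept) for dept in POLICY}

if __name__ == "__main__":
    for dept, acl in ACLS.items():
        print(render_ios(dept, acl), "\n")
    print(evaluate(ACLS["sales"], "10.0.10.5", "10.0.20.7"))      # permit
    print(evaluate(ACLS["sales"], "10.0.10.5", "10.0.30.7"))      # deny
    print(evaluate(ACLS["finance"], "10.0.30.5", "203.0.113.1"))  # deny
```

Two caveats a practitioner will hit on real hardware: switch ACLs are stateless, so a one-way "sales may reach engineering" needs a matching permit for the replies on the engineering side (or a stateful firewall in the path), and traffic between two hosts inside the same VLAN never crosses the routed interface, so no ACL here sees it.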
pajiao (asker):
Hi,

What about those home-based routers such as Linksys that come with a 4-port hub? Will these work well too?

Rgds
pajiao (asker):

I am referring to using those Linksys home routers with a 4-port hub in each department.
Are you looking to subnet or to prevent access to network resources? Subnetting wouldn't really solve your issue unless you're talking about network traffic going between departments. If you're talking about access to resources, then you have to do something better, like a client-server setup. What do you have set up now?

Home-based routers are not designed for what you're trying to do. They deal with no more than two networks... and the second is the private network whenever you have that feature on. You could build or buy a multiple-interface router.
Actually, you may get into a weird NATing issue. Those routers by design NAT everything coming into their WAN port. For example, if you want to ping across this labyrinth of routers, you won't be able to. There will be other issues, which I haven't thought about just yet.

You are better off buying something bigger than an 8-port switch to use.

Regards,
pajiao (asker):

Thanks for all the comments,

Access to specific resources; I know this is not the way, but for now let's assume all I want is for each department not to see the others.

Question:
1) In the above scenario, would using subnets achieve it? That means, would, let's say, network 192.168.1.0/26 be able to ping 192.168.1.64/26?  <-- sorry for this basic question

I am thinking of using a home-based router to separate each department, i.e. each department having a router and doing NAT. Departments which should see each other would use addresses from the same subnet. Possible?

Or what other recommendations are there? Thanks.
You might as well just have one router connected to your internet connection which does NAT, and a series of switches.

Actually, you wanted control over traffic flow, didn't you? You'll run into the nightmare of having to configure the firewall on each and every one of the routers if you try to restrict traffic for each department. A multiple interface router would actually dodge the problem of having so many routers to deal with.

If you have ALL of the routers doing NAT, you'd run into major communication issues. Departments would only be able to see the "public" IP of another department, and therefore would not see that department's computers without a ton of port forwarding, but even that would get screwy.

If anything, you might as well use either managed switches or the minimum number of firewalls, in combination with a multiple-interface router. You'd otherwise cause yourself all sorts of unnecessary headaches because you're trying something that just won't work, even though the equipment might be cheaper.

Look into switches and better routers. Once you do that, you'll be thanking us for helping you avoid pain that you don't need to suffer.
ASKER CERTIFIED SOLUTION: ECNSSMT
(solution body not shown on the page; members only)
pajiao (asker):

Hi thanks all for the advice,

With regards to my question,

>>Question:
>>1) In the above scenario, would using subnets achieve it? That means, would, let's say, network 192.168.1.0/26 be able to ping 192.168.1.64/26?  <-- sorry for this basic question

What is the answer?
You'd have to have the subnets defined somewhere, which would be on a multiple-interface router. Home routers won't work for that purpose.

There would be a way you could technically try to pull it off, but it's honestly more hassle than it's worth. But based on the way you've described everything, it wouldn't work at all.
pajiao (asker):

Questions:

1) Let's say the subnets are not defined at a router. Would a PC in 192.168.1.0/26 be able to ping another in 192.168.1.64/26? (yes/no)
2) It looks like using L3 switches would be the possible solution. What is the comparison between having L3 switches and the possibility of using domain controllers such as AD and Novell in this case?

Rgds
Using the NATed routers, you will only be able to ping the IP addresses of any peer device on the LAN side or above it in the hierarchy:


         Internet
             |
             |
       router A-----------
        |       |              |
        |       |              |
     PC a   PC b           |
                          Router B -------------------------------------------
                          |         |          |                                         |
                          |         |          |                                         |
                       PC c    PC d        |                                         |
                                            Router C                            Router D
                                             |        |                            |          |
                                             |        |                            |          |
                                         PC e     PC f                       PC g      PC h

Assuming ICMP traffic is permitted:
PC h or g can ping PCs h, g, c, d, a, b and the outside interfaces of routers D, C, B, A, and cannot ping PCs e & f.
PC c or d can ping PCs c, d, a, b and the outside interfaces of routers C, D, B, A, and cannot ping PCs e, f, g & h.
PC a or b can ping PCs a & b and the outside interfaces of routers A & B, and cannot ping PCs c, d, e, f, g, h.

The reason for this is that with these SOHO routers, because of NATing, the devices on the LAN side are sharing the WAN-side IP address, so if we looked at PC c's peers we would only see PC d, routers C and D, and nothing else below it. PC c can touch everything above it, assuming that they too are not hiding behind a NATed router. So per the devices, whatever cannot be seen or touched by a device cannot be used by that particular device. So if you want everyone to print off the same printer without any serious modifications, you may want to place it under router A.

Be advised that using this type of topology in combination with NATed routers can produce some really funky results.

Your safest and cheapest option is to just hang a layer 2 switch off your internet-facing router and call it even. Otherwise, I do suggest the NETGEAR FSM7328S ProSafe 24-Port L3 Managed Stackable Switch ($370) or equivalent as the next safest option.

In closing I agree with masnrock in regards to your described network ..."it's honestly more hassle than it's worth".  

Regards,
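The reachability rules listed above for the chained SOHO-router diagram, as an added example that is not part of the thread: a Python model of the NAT tree in which every host can reach its own LAN peers and anything above it, but nothing behind another router's NAT. The node names follow the diagram; the assumption (as stated in the post) is that ICMP is permitted, each router NATs its whole LAN behind its WAN address, and no port forwards exist.

```python
"""Reachability in the chained-SOHO-router topology from the diagram.

Added example, not code from this thread. The tree is constructed to
match the figure: each entry maps a device to the router whose LAN it
sits on; "internet" is the root. Assumes every router NATs its LAN and
has no port forwards, and that ICMP is permitted everywhere.
"""

PARENT = {
    "routerA": "internet",
    "a": "routerA", "b": "routerA", "routerB": "routerA",
    "c": "routerB", "d": "routerB", "routerC": "routerB", "routerD": "routerB",
    "e": "routerC", "f": "routerC",
    "g": "routerD", "h": "routerD",
}
ROUTERS = {n for n in PARENT if n.startswith("router")}


def visible_segments(src):
    """Routers whose LAN segment src can see: its own LAN's router, then
    each router above it up to the internet-facing one. NAT hides
    everything below any other router, so nothing else is visible."""
    segs = set()
    node = PARENT[src]
    while node != "internet":
        segs.add(node)
        node = PARENT[node]
    return segs


def can_reach(src, dst):
    """True if src can address dst: dst is a router whose LAN src sits on
    (or above), or dst is attached (LAN host or a lower router's WAN
    interface) to one of those segments."""
    segs = visible_segments(src)
    return dst in segs or PARENT.get(dst) in segs


def reachable_hosts(src):
    return sorted(d for d in PARENT if d not in ROUTERS and can_reach(src, d))


def reachable_routers(src):
    return sorted(r for r in ROUTERS if can_reach(src, r))


if __name__ == "__main__":
    for pc in ("h", "c", "a"):
        print(pc, "->", reachable_hosts(pc), reachable_routers(pc))
    # Reachability is one-directional: h can ping a, but a cannot ping h.
    print(can_reach("h", "a"), can_reach("a", "h"))
```

The asymmetry is the point of the post's printer advice: a device under router A is reachable from every PC in the tree, while a device under router C is reachable only from e and f. This is visibility, not access control; a single port forward on router C would expose e or f to everything above it.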
>1) Lets say subnet not defined at router. Wud a pc in 192.168.1.0/26 ping another in 192.168.1.64/26? (yes/no)
No. Cisco-wise (and I'm certain no, everyone-else-wise), if no networks are defined, you cannot traverse your topology to that device on that subnetwork.

>2) Looks like using L3 switches wud be the possible solution. What is the comparison between having L3 switches and the possibility of using domain controllers such as AD and Novell in this case?
It means that your MS AD server is now taking on the extra role of routing; it has its hands full maintaining the AD (database) and DNS services and any other services you may have installed there. Novell will have the same issues. I am, however, uncertain which platform, with the sum of all services on it, would be doing the heavier workload. I am unaware of NetWare being able to route packets.
But the general idea is that you don't want a situation where the server is handling heavy-duty routing and heavy-duty server work; it implies a potential for either a lot of lost data packets or lost or damaged server data.

Regards
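The "no" above, worked through as an added example that is not part of the thread. It models two PCs on one shared switch whose addresses fall in 192.168.1.0/26 and 192.168.1.64/26: a sender ARPs for the destination directly only if its own mask says the destination is on-link, otherwise it hands the packet to its gateway, or drops it if it has none; a ping succeeds only when both the request and the reply find a path. The host addresses and gateway addresses are assumptions. The last scenario goes beyond the question to show why subnetting on a shared wire is not a security boundary.

```python
"""Can two PCs in different /26 subnets ping each other with no router
defining those subnets? Added example, not from the thread; the hosts,
masks and gateway addresses below are assumptions.

Model: all hosts share one switch. A sender ARPs directly if its own
mask says the destination is on-link, else uses its gateway, else drops.
A ping works only if request and reply each find a path.
"""
import ipaddress


def next_hop(host_ip, prefix, dst_ip, gateway=None):
    """What the sending host's IP stack decides for a packet to dst_ip."""
    iface = ipaddress.ip_interface(f"{host_ip}/{prefix}")
    dst = ipaddress.ip_address(dst_ip)
    if dst in iface.network:
        return ("direct", dst_ip)        # on-link: ARP for dst itself
    if gateway:
        return ("gateway", gateway)      # off-link: send to the router
    return ("unreachable", None)         # off-link and no gateway set


def can_ping(a, b, router_subnets=()):
    """a, b: {"ip", "prefix", "gateway"}. router_subnets: the subnets the
    gateway router has an interface in (empty means no router defines
    any subnet, the asker's scenario)."""
    routed = [ipaddress.ip_network(n) for n in router_subnets]

    def one_way(src, dst):
        kind, _ = next_hop(src["ip"], src["prefix"], dst["ip"], src["gateway"])
        if kind == "direct":
            return True                  # same wire, ARP succeeds
        if kind == "gateway":            # router forwards only to subnets it knows
            return any(ipaddress.ip_address(dst["ip"]) in n for n in routed)
        return False

    return one_way(a, b) and one_way(b, a)


# Constructed hosts: A in 192.168.1.0/26, B in 192.168.1.64/26, no gateways.
A = {"ip": "192.168.1.10", "prefix": 26, "gateway": None}
B = {"ip": "192.168.1.70", "prefix": 26, "gateway": None}

# Same hosts with gateways on a router that has both subnets defined.
A_GW = dict(A, gateway="192.168.1.1")
B_GW = dict(B, gateway="192.168.1.65")
BOTH = ("192.168.1.0/26", "192.168.1.64/26")

# Same wire: A simply reconfigures itself with an address in B's subnet.
A_MOVED = {"ip": "192.168.1.100", "prefix": 26, "gateway": None}

if __name__ == "__main__":
    print(can_ping(A, B))                 # False: nobody defines the subnets
    print(can_ping(A_GW, B_GW, BOTH))     # True: the router routes between them
    print(can_ping(A_MOVED, B))           # True: subnetting alone is no boundary
```

The third case is the caveat behind the thread's push toward VLANs: on a shared segment the "separation" lives in each PC's own mask, which any user can change. A VLAN separates the wire itself, so the only path between departments is the routed interface where the ACL sits.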