Solved

VLAN, segmenting networks with IP pass through

Posted on 2006-06-12
16
1,007 Views
Last Modified: 2008-02-01
I currently need to set up a segmented network where one network can use the internet normally but only one computer on the other network can use it.

I am thinking of getting a managed L2 switch and assigning 2 VLANs: 192.168.1.0/24 and 192.168.2.0/24

There is only one internet connection via DSL and the DSL router will assign IPs on the 192.168.1.0 subnet. I need the computer 192.168.2.10 to be able to see the other computers on the 192.168.2.0 subnet AND be able to go out onto the internet.

How can I do this? At first I thought about using two IP addresses (one on each VLAN) on the 192.168.2.10 machine but I would rather not have to resort to that. Would I need a separate bridge?
Question by:dignified
16 Comments
 
LVL 2

Accepted Solution

by:
Psyco_666 earned 100 total points
ID: 16884339
You would be unable to do this with a layer 2 switch unless you bought a router with 2 ethernet interfaces and did a "router on a stick" setup.

In this setup you would have one router ethernet interface in 192.168.1.x and one in 192.168.2.x. You could then use Access lists and NAT to allow access from 192.168.2.10.

A better option may be to get hold of a Layer 3 switch and have 3 separate VLANs, one for 192.168.1.x, one for 192.168.2.x and one for the router. Then, again through access lists and NAT, you would have ultimate control over who has access to what.
0
 
LVL 27

Assisted Solution

by:pseudocyber
pseudocyber earned 100 total points
ID: 16884416
A router on a stick has one interface on both VLANs - a tagged interface, or sub-interfaces.

Dignified, the quickest, easiest, least expensive way would be to simply dual home the one pc, as you thought of.  Alternatively, you're going to need a router or a layer 3 switch to route between vlans as Psyco suggested.

You could also do it with a multi interface firewall - either an appliance such as a SonicWall or a Linux box setup as a firewall.
0
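The two answers above describe a router (or Layer 3 switch) with a sub-interface per VLAN over a single 802.1Q trunk, with access lists deciding which hosts may leave their segment. The following is an added example, not code from the thread, that models that data path in Python: it parses the 802.1Q tag and IPv4 header out of a constructed frame, maps the VLAN ID to a sub-interface, rejects source addresses that do not belong to the VLAN they arrived on, and then runs an ordered first-match access list with the implicit deny that router ACLs have. The VLAN IDs (10 and 20), the MAC addresses, the 203.0.113.0/24 "internet" destination and the rule keeping 192.168.2.0/24 away from 192.168.1.0/24 are all assumptions made for the example; the thread only gives the two subnets and the single permitted host 192.168.2.10.

```python
import ipaddress
import struct

# Constructed topology (assumed, not from the thread): VLAN 10 carries
# 192.168.1.0/24, VLAN 20 carries 192.168.2.0/24, both over one 802.1Q trunk.
SUBINTERFACES = {
    10: ipaddress.ip_network("192.168.1.0/24"),
    20: ipaddress.ip_network("192.168.2.0/24"),
}

# Inbound ACL per sub-interface: ordered (action, src, dst) entries, first
# match wins, and a packet matching no entry is dropped (implicit deny).
ACLS = {
    10: [("permit", "0.0.0.0/0", "0.0.0.0/0")],
    20: [
        ("deny", "192.168.2.0/24", "192.168.1.0/24"),   # assumed: keep segments apart
        ("permit", "192.168.2.10/32", "0.0.0.0/0"),     # the one host allowed out
    ],
}

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_tagged_frame(vid: int, src_ip: str, dst_ip: str) -> bytes:
    """Construct a minimal 802.1Q-tagged Ethernet frame carrying an IPv4 header."""
    dst_mac = bytes.fromhex("0011223344ee")   # constructed router MAC
    src_mac = bytes.fromhex("0011223344aa")   # constructed host MAC
    tci = (0 << 13) | (0 << 12) | (vid & 0x0FFF)   # PCP=0, DEI=0, 12-bit VID
    header = dst_mac + src_mac + struct.pack("!HHH", TPID_8021Q, tci, ETHERTYPE_IPV4)
    # IPv4 header: ver/IHL, TOS, total length, id, flags/frag, TTL, proto, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return header + ip


def parse_tagged_frame(frame: bytes):
    """Return (vid, src_ip, dst_ip) for a tagged IPv4 frame, or None otherwise."""
    if len(frame) < 18 + 20:
        return None
    tpid, tci, ethertype = struct.unpack("!HHH", frame[12:18])
    if tpid != TPID_8021Q or ethertype != ETHERTYPE_IPV4:
        return None
    vid = tci & 0x0FFF
    ip = frame[18:38]
    if ip[0] >> 4 != 4:
        return None
    return vid, ipaddress.IPv4Address(ip[12:16]), ipaddress.IPv4Address(ip[16:20])


def evaluate_acl(acl, src, dst) -> str:
    """First matching entry decides; no match means deny, as on a real router."""
    for action, src_net, dst_net in acl:
        if src in ipaddress.ip_network(src_net) and dst in ipaddress.ip_network(dst_net):
            return action
    return "deny"


def route_frame(frame: bytes) -> str:
    """Decide what the router does with one frame arriving on the trunk."""
    parsed = parse_tagged_frame(frame)
    if parsed is None:
        return "drop:not-tagged-ipv4"
    vid, src, dst = parsed
    subnet = SUBINTERFACES.get(vid)
    if subnet is None:
        return "drop:unknown-vlan"
    # A source address must belong to the VLAN it arrived on; otherwise a host
    # on VLAN 20 could claim a 192.168.1.x address and inherit VLAN 10's ACL.
    if src not in subnet:
        return "drop:spoofed-source"
    if dst in subnet:
        return "drop:local-to-vlan"   # intra-VLAN traffic is switched, never routed
    return "forward" if evaluate_acl(ACLS[vid], src, dst) == "permit" else "drop:acl"


if __name__ == "__main__":
    for vid, s, d in [(20, "192.168.2.10", "203.0.113.5"),
                      (20, "192.168.2.11", "203.0.113.5"),
                      (20, "192.168.2.10", "192.168.1.5"),
                      (20, "192.168.1.5", "203.0.113.5"),
                      (10, "192.168.1.5", "203.0.113.5")]:
        print(f"VLAN {vid} {s} -> {d}: {route_frame(build_tagged_frame(vid, s, d))}")
```

The ordering in the VLAN 20 list matters: because the deny entry sits before the host permit, 192.168.2.10 reaches the internet but not 192.168.1.0/24; swap the two lines and the permit's 0.0.0.0/0 destination would match first and let it through. Whether any other host on 192.168.2.0/24 can reach anything off its VLAN is decided by the implicit deny alone, so a "light" Layer 3 switch that routes but cannot hold access lists would forward everything between the two subnets.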
 

Author Comment

by:dignified
ID: 16884663
I was thinking of getting an L3 switch I found used for $150. I don't want to have to use Linux because I want things to be as easy to maintain as possible. I think it will be easier to learn how to use and reboot a device than figure out how I configured a Linux box.

I'll look into SonicWall, can you recommend one that might work? Otherwise I'll have to learn how to use an L3 router.
0
 
LVL 3

Expert Comment

by:papimichel
ID: 16884665
It would be simpler to do so with a firewall machine that'll limit the specific machine's outgoing packets to the internet.
0
 
LVL 27

Expert Comment

by:pseudocyber
ID: 16884752
A $150 layer 3 switch!?!?  What is it?  From eBay?

Sonicwall:  http://www.sonicwall.com/products/pro2040.html

I agree with you about the Linux idea.  :)
0
 

Author Comment

by:dignified
ID: 16884775
Craigslist, just down the street from me. It's this one, http://www.hp.com/rnd/products/switches/switch2524-2512/specs.htm The 2524. Actually now I'm not sure if it is L2 or L3, maybe you guys can check on it for me please.


0
 

Author Comment

by:dignified
ID: 16884795
I'll also say that I don't necessarily want just 2 segments to the network. I can see there going up to 8.
0
 
LVL 27

Expert Comment

by:pseudocyber
ID: 16884803
That's a layer 2 switch only.

"Low-cost. Layer 2 managed stackable"
0

 
LVL 27

Expert Comment

by:pseudocyber
ID: 16884829
Looks like the HP Procurve 2650 is Layer 3 capable - "Light layer 3 managed"
0
 

Author Comment

by:dignified
ID: 16884843
Whoops, you're right, I'll have to see what I can find for the best deal. I see this L3 switch http://www.newegg.com/Product/Product.asp?Item=N82E16833122078 Not too badly priced and it's new.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16884868
"light" layer 3 probably means that it will route, but you can't put access-list rules in to restrict/allow specific hosts.
If you want the restrictions and the vlans then you may have to look at something more capable.
Take a look at Adtran 1524 series router/switch/firewall combo. Relative to a Cisco solution, these are pretty cheap.
0
 

Author Comment

by:dignified
ID: 16884904
I will also say that I plan another VLAN which will run a VPN. This managed switch will go in a central warehouse and I have 6 stores around town. Each building has its own business DSL connection with 5 static IPs. I have a server in the warehouse that the satellite stores need to be able to talk to. So I want a VPN linking all of these stores. Looks like the SonicWall will do this but it is really expensive. Hmmm. I don't have this much money to spend, was hoping to find something for $400. I might have to end up using Linux after all.
0
 
LVL 27

Expert Comment

by:pseudocyber
ID: 16884912
Yeah, with your added specs/plans - you really need a firewall.  You're going to have to pay one way or another - time or money.

You can have it good, cheap, or fast.  Pick 2.
0
 

Author Comment

by:dignified
ID: 16884943
This isn't actually my business, I'm contracting various computer work and my current job is to set up his large medium-sized network. I have messed with firewall stuff in Linux before, but not for a while. Anyone ever use ipcop.org? One thing I'd like to avoid is having to come back to reboot the Linux box for free.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16885090
Take a look at the Linksys RV042 for the warehouse VPN, just plug it into one of the VLANs.
I'm assuming that this warehouse will also have the VLANs?

Agree with pseudocyber. You can't have everything you want without paying for it one way or another. Either you end up working many hours for free or you spend a little money and do it right the first time.
0
 

Author Comment

by:dignified
ID: 16885123
For the VPN I will first try Sveasoft, a third-party firmware for the WRT54G. I will try to convince my client to get one of those Adtran 1524 routers. Anyone else have any suggestions as to a full-featured L3 switch?
0
