Solved

vlan

Posted on 2006-07-11
14
443 Views
Last Modified: 2010-03-19
i have 5 different network

Servers
Admin
Wifi
POS
Guest

currently all networks can talk to each other
support i dont want guest network to see servers network, whats the best way to do this.
0
Comment
Question by:ammadeyy
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
14 Comments
 
LVL 6

Accepted Solution

by:
DaMaestro earned 125 total points
ID: 17086251
Due to the chatty nature of MS Windows, the presence of any computer would broadcast the computer's workgroup or domain regardless to what the official network/workgroup is. You could turn off broadcasting on all the machines on the network by running net config server /hidden:yes on machines in the servers network or you could put the guest connections on a seperate subnet and broadcast range.
0
 

Author Comment

by:ammadeyy
ID: 17086289

Servers  192.168.1.1/255
Admin    192.168.2.1/255
Wifi       192.168.3.1/255
POS       192.168.4.1/255
Guest    192.168.5.1/255

thats how my ip ranges are
0
 

Author Comment

by:ammadeyy
ID: 17086323
email server ip is 192.168.1.3

guest ip 192.168.5.2

email server i add net config server /hidden:yes


still guest can ping to email server
0
Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

 

Author Comment

by:ammadeyy
ID: 17086414

i have a HP 2626 switch, from that switch its connected to many unmanaged switches

if i create logical vlans from 2626, and have a router to do ACL will it work?
0
 
LVL 8

Expert Comment

by:Danny_Larouche
ID: 17086480
On server...  route add 192.168.5.0 MASK 255.255.255.0 192.168.1.222  (222=bogus address)

0
 

Author Comment

by:ammadeyy
ID: 17086615
suppose there is one client in guest network needs to access 192.168.1.3, how can i do that?
0
 
LVL 8

Assisted Solution

by:Danny_Larouche
Danny_Larouche earned 125 total points
ID: 17087687
You may add a second route for this specific client with mask 255.255.255.255.  But in your original post you told us that "servers network" have to be isolated from "guest network".

Take into consideration that such security measure is a basic one. Anybody with a good networking knowledge will be able to gain access to servers.  He just have to use this client`s IP or IP on other subnets.  

A per port VLAN architecture would be much more secure and flexible if combined with inter-vlan routing.
0
 
LVL 8

Expert Comment

by:Danny_Larouche
ID: 17087715
> if i create logical vlans from 2626, and have a router to do ACL will it work?
>

Yes, if your switch doesn't handle layer3, you may use a router and its ACL to set inter-vlan rules.

0
 
LVL 1

Assisted Solution

by:DJSara
DJSara earned 125 total points
ID: 17087965


As far as I could see from the spec of HP 2626 switch, it supports ACL.

What you could do is to have 5 vlan plus a IP address configured for each of the vlan. Once this is over you have cut down the collision domain and allowed intercommunication of vlans.

Now to prevent the entire vlan-vlan communication and to allow exception like communication between guest vlan and email server, you can have ACL configured in the order
<Allow communication from say Guest vlan to email server ip>
<block communiction between vlans>
<block all>

For more sercurity, you can use extended ACL, so that instead of allowing communication based on IP address, you could use port based decisions.

If the switch doesnot have ACL supported, you can go for 'filtering' capability of the switch.
0
 
LVL 2

Assisted Solution

by:djohnson104
djohnson104 earned 125 total points
ID: 17092578
I have the same setup with 6 vlans. On my layer 3 device i apply a ACL to the vlan interfaces that blocks netbios ports.
0
 
LVL 8

Expert Comment

by:Danny_Larouche
ID: 17093524
He will also need to set ACL to deny other protocols such as RDC, telnet, http/https(destinated to network devices), syslog, smnp,...
0

Featured Post

Forrester Webinar: xMatters Delivers 261% ROI

Guest speaker Dean Davison, Forrester Principal Consultant, explains how a Fortune 500 communication company using xMatters found these results: Achieved a 261% ROI, Experienced $753,280 in net present value benefits over 3 years and Reduced MTTR by 91% for tier 1 incidents.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When you try to share a printer , you may receive one of the following error messages. Error message when you use the Add Printer Wizard to share a printer: Windows could not share your printer. Operation could not be completed (Error 0x000006…
In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question