How do I create isolated networks in the same office

Posted on 2008-11-16
Last Modified: 2012-05-05
A client of mine is moving offices and merging with another department. I need to put them on the same network but isolate network traffic between the departments.

In summary this is the setup.

There will be 1 Internet connection that is protected by a watchguard Firebox. All departments will use this link. There is another link that goes to a datacentre through a fibre link (the datacentre is in the same building).

There are 10 workstations and 3 servers that are housed inside the network that also need to talk to the datacentre.

There are another 14 workstations that are not to have any access to the above machines or datacentre.

As well as this, they have an Exchange server and a file server that all machines need to have access to.

I think setting up 2 VLANs is the best way to separate the network and have the FS/Exchange server as members of both VLANs.
It has been a long time since I setup a VLAN and would appreciate some help in coming up with a solution to solve this problem.
Also can you recommend the best switches to use.

Question by:htyu1
    LVL 25

    Expert Comment

    by:Fred Marshall
    Subject to a lot of the details, here is a very simple way to split the departments and, yet, connect to the internet.  Adding a server at the top level may work.

    Internet access point - a LAN in your global network.  Let's say this is
    Connect two NATting routers WAN side to this LAN.

    Let's say the two added routers' LAN subnets are and 192.168.3.0 respectively.

    Each router's LAN will serve a department.
    No computer in one department can reach past the other department's router to the computers on the other side.

    All computers will be able to "see" any computers (servers) on the global LAN but not vice versa.  So, requests to these computers may be responded to while the servers can't initiate access to the departments.  I'm not sure this will work for everything you want to do but it's a start and it's very inexpensive and easy to set up.
    LVL 7

    Expert Comment

    Usually VLANs serve the best.
    You will need a "managed switch".
    It will allow all the stuff to be on the same subnet, be invisible to each other, but still share "shared resources", i.e. servers, internet access, and so on.
    You should avoid using 192.168.x.x - this is for home networks. On a larger network, besides giving you strange problems, it also limits you by IPs.
    VLAN info you can obtain from by searching "vlan topology" - there are a lot of diagram examples and scenarios to use, as well on Google.
    LVL 25

    Expert Comment

    by:Fred Marshall
    You have to use *some* private IP address range.
    As you know, these are (courtesy Wikipedia):

    IANA Reserved Private Network Ranges
    24-bit Block (/8 prefix, 1 x A) -  Mask:
    Addresses: 16,777,216

    20-bit Block (/12 prefix, 16 x B) - Mask:
    Addresses: 1,048,576

    16-bit Block (/16 prefix, 256 x C) - Mask:
    Addresses: 65,536

    But, you have very few computers to deal with, so a 24-bit (or 8-bit block for addresses) subnet of 256 addresses seems OK for you.  There are any number to choose from....  There is nothing "special" about any of them.  Why change from the router's defaults unless you have to?

    Author Comment

    Actually the way I was thinking of solving it is as follows

    All machines on the same subnet, say

    Switch(es) divided into VLAN 1 and VLAN 2.
    The shared servers and internet path to be members of both VLANs, and as such accessible to all hosts, and the protected machines and datacentre link to be on the other VLAN.

    Is this feasible?
    LVL 7

    Accepted Solution

    shared servers and internet path to be members of both VLANs... - those ports will be configured as "trunk".
    Other ports - VLAN1 VLAN2 according to their group.
    I will never understand people using 192.168.x.x in production, it is meant to be used for home networks.
    It is more beneficial to switch IPs to for example, use "logical" blocks, and separations with VLANs. - office - guests - contractors - VPN users - remote branch
     and so on. In this case you have 65K addresses available to you.
    This way it is much easier to manage security, and it will make life easier too.

    Author Comment

    Thanks dkarpekin

    So if I tag the shared servers as trunk, and I put them in the 'office' ip range, using your example range, will the 'contractors' be able to communicate with them?
    LVL 7

    Expert Comment

    Yes, but they will not communicate with the other VLAN.
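The accepted answer (shared servers and the firewall on trunk ports, everything else on access ports per department) and the last exchange about whether "contractors" can still reach a trunked server describe a layer-2 reachability rule: two hosts can exchange frames only if their switch ports carry a common VLAN. The following is an added example, not code from the original thread; the VLAN IDs (10 for the protected department plus the datacentre link, 20 for the isolated department), the port names and the host counts are constructed to match the question's description. It models the design as a port plan, checks the two requirements the asker stated (isolated workstations cannot reach the protected side; everyone reaches the shared Exchange and file servers), and also flags the failure mode a "member of both VLANs" server introduces: a host with interfaces in both VLANs that has IP forwarding enabled is a router between them, so the VLAN separation on the switch no longer isolates anything.

```python
# Layer-2 reachability model for the two-VLAN office design in the thread.
# Added example, not from the original thread. VLAN IDs, port names and the
# ip_forward flag are constructed assumptions for illustration only.
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    """One switch port and the host plugged into it."""
    name: str
    mode: str                 # "access" (one untagged VLAN) or "trunk" (802.1Q tagged)
    vlans: frozenset          # VLAN IDs whose frames this port carries
    ip_forward: bool = False  # does the host route between its own interfaces?

    def __post_init__(self):
        if self.mode not in ("access", "trunk"):
            raise ValueError(f"{self.name}: unknown port mode {self.mode!r}")
        if self.mode == "access" and len(self.vlans) != 1:
            raise ValueError(f"{self.name}: access port must carry exactly one VLAN")


PROTECTED_VLAN = 10   # assumed ID: 10 workstations, 3 servers, datacentre fibre link
ISOLATED_VLAN = 20    # assumed ID: the 14 workstations that must not reach VLAN 10


def access(name, vlan):
    return Port(name, "access", frozenset({vlan}))


def trunk(name, *vlans, ip_forward=False):
    return Port(name, "trunk", frozenset(vlans), ip_forward)


def build_plan():
    """Constructed port plan following the accepted answer."""
    ports = [access("datacentre-fibre", PROTECTED_VLAN)]
    ports += [access(f"ws-protected-{i}", PROTECTED_VLAN) for i in range(1, 11)]
    ports += [access(f"srv-protected-{i}", PROTECTED_VLAN) for i in range(1, 4)]
    ports += [access(f"ws-isolated-{i}", ISOLATED_VLAN) for i in range(1, 15)]
    # Shared resources sit on trunk ports as tagged members of both VLANs.
    ports += [trunk("exchange", PROTECTED_VLAN, ISOLATED_VLAN),
              trunk("fileserver", PROTECTED_VLAN, ISOLATED_VLAN),
              trunk("firebox-lan", PROTECTED_VLAN, ISOLATED_VLAN)]
    return {p.name: p for p in ports}


def same_segment(a, b):
    """Two hosts share a broadcast domain only if some VLAN ID is on both ports."""
    return bool(a.vlans & b.vlans)


def reachable(ports, src, dst):
    """Can src reach dst, either directly or via a dual-homed host that forwards?"""
    a, b = ports[src], ports[dst]
    if same_segment(a, b):
        return True
    # A trunked host with IP forwarding on is effectively a router between its VLANs.
    return any(same_segment(a, r) and same_segment(r, b)
               for r in ports.values()
               if r.ip_forward and r.name not in (src, dst))


def roles(ports):
    """Derive host groups from the plan itself so a mis-patched port shows up."""
    isolated = [n for n, p in ports.items() if p.mode == "access" and ISOLATED_VLAN in p.vlans]
    protected = [n for n, p in ports.items() if p.mode == "access" and PROTECTED_VLAN in p.vlans]
    shared = [n for n, p in ports.items() if p.mode == "trunk"]
    return isolated, protected, shared


def check_isolation(ports, isolated, protected, shared):
    """Return policy violations; an empty list means the design holds."""
    violations = []
    for i in isolated:
        for p in protected:
            if reachable(ports, i, p):
                violations.append(f"{i} can reach protected host {p}")
    for s in shared:
        for h in isolated + protected:
            if not reachable(ports, h, s):
                violations.append(f"{h} cannot reach shared host {s}")
    return violations


def audit(ports):
    return check_isolation(ports, *roles(ports))


if __name__ == "__main__":
    plan = build_plan()
    print("baseline violations:", audit(plan))
    # Failure mode: routing gets switched on on the dual-homed file server.
    plan["fileserver"] = trunk("fileserver", PROTECTED_VLAN, ISOLATED_VLAN, ip_forward=True)
    print("with a forwarding file server:", len(audit(plan)), "violations")
```

Two practical notes on what the model assumes. A server "on a trunk" only works if its NIC driver does 802.1Q tagging (otherwise give it one NIC per VLAN, each on an access port). And because the shared servers and the Firebox are the only things with a foot in both VLANs, they are exactly the places to check: forwarding must stay off on the servers, and any routing the firewall does between the two subnets needs an explicit rule set, or the switch-level isolation is undone.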
