How do I create isolated networks in the same office

A client of mine is moving offices and merging with another department. I need to put them on the same network but isolate network traffic between the departments.

In summary this is the setup.

There will be 1 Internet connection that is protected by a watchguard Firebox. All departments will use this link. There is another link that goes to a datacentre through a fibre link (the datacentre is in the same building).

There are 10 workstations and 3 servers that are housed inside the network that also need to talk to the datacentre.

There are another 14 workstations that are not to have any access to the above machines or datacentre.

As well as this they have an Exchange server and a file server that all machines need to have access to.

I think setting up 2 VLANs is the best way to separate the network and have the FS/Exchange server as members of both VLANs.
It has been a long time since I set up a VLAN and would appreciate some help in coming up with a solution to solve this problem.
Also, can you recommend the best switches to use?


Fred MarshallPrincipalCommented:
Subject to a lot of the details, here is a very simple way to split the departments and, yet, connect to the internet.  Adding a server at the top level may work.

Internet access point - a LAN in your global network.  Let's say this is
Connect two NATting routers WAN side to this LAN.

Let's say the two added routers' LAN subnets are and 192.168.3.0 respectively.

Each router's LAN will serve a department.
No computer in one department can reach past the other department's router to the computers on the other side.

All computers will be able to "see" any computers (servers) on the global LAN but not vice versa.  So, requests to these computers may be responded to while the servers can't initiate access to the departments.  I'm not sure this will work for everything you want to do but it's a start and it's very inexpensive and easy to set up.
Usually VLANs serve best.
You will need a "managed switch".
It will allow all the hosts to be on the same subnet, invisible to each other, but still share "shared resources", i.e. servers, internet access, and so on.
You should avoid using 192.168.x.x - this is for home networks. On a larger network, besides giving you strange problems, it also limits you in IPs.
VLAN info you can obtain by searching "vlan topology" - there are a lot of diagram examples and scenarios to use, as well as on Google.
Fred MarshallPrincipalCommented:
You have to use *some* private IP address range.
As you know, these are (courtesy Wikipedia):

IANA Reserved Private Network Ranges
24-bit Block (/8 prefix, 1 x A) -  Mask:
Addresses: 16,777,216

20-bit Block (/12 prefix, 16 x B) - Mask:
Addresses: 1,048,576

16-bit Block (/16 prefix, 256 x C) -  Mask:
Addresses: 65,536

But, you have very few computers to deal with so a 24-bit (or 8-bit block for addresses) subnet of 256 Addresses seems OK for you.  There are any number to choose from....  There is nothing "special" about any of them.  Why change from the router's defaults unless you have to?

htyu1Author Commented:
Actually the way I was thinking of solving it is as follows

All machines on the same subnet, say

Switch(es) divided into VLAN 1 and VLAN 2.
The shared servers and internet path to be members of both VLANs, and as such accessible to all hosts, and the protected machines and datacentre link to be on the other VLAN.

Is this feasible?
Shared servers and internet path to be members of both VLANs... - those ports will be configured as "trunk".
Other ports - VLAN 1 or VLAN 2 according to their group.
I will never understand people using 192.168.x.x in production; it is meant to be used for home networks.
It is more beneficial to switch the IP range to, for example, and use "logical" blocks, with separation by VLANs: - office - guests - contractors - VPN users - remote branch
and so on; in this case you have 65K addresses available to you.
This way it is much easier to manage security, and it will make life easier too.

htyu1Author Commented:
Thanks dkarpekin

So if I tag the shared servers as trunk, and I put them in the 'office' IP range, using your example range, will the 'contractors' be able to communicate with them?
Yes, but they will not communicate with the other VLAN.
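The design agreed in the thread (access ports per department, trunk ports for the shared servers and the internet path, a /16 split into logical blocks) modelled as an added example; this is not code from the thread or any product. The VLAN ids, port names and the 10.1.0.0/16 block are assumptions, and the emitted switch lines use Cisco IOS-style syntax only as an illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing plan: one /16 split into per-VLAN /24 blocks (assumed values).
VLANS = {
    10: {"name": "office",    "block": ip_network("10.1.10.0/24")},
    20: {"name": "protected", "block": ip_network("10.1.20.0/24")},
}

# Hypothetical port map: port -> (description, set of VLAN ids the port carries).
# An access port carries one VLAN; a trunk port carries several (802.1Q tagged).
PORTS = {
    "Gi1/0/1":  ("office-ws-1",      {10}),
    "Gi1/0/2":  ("office-ws-2",      {10}),
    "Gi1/0/11": ("protected-ws-1",   {20}),
    "Gi1/0/12": ("datacentre-fibre", {20}),
    "Gi1/0/23": ("exchange-fs",      {10, 20}),  # trunk: shared servers
    "Gi1/0/24": ("firebox-lan",      {10, 20}),  # trunk: internet path
}

def port_mode(port):
    """'trunk' if the port carries more than one VLAN, else 'access'."""
    return "trunk" if len(PORTS[port][1]) > 1 else "access"

def can_reach(src, dst):
    """Two ports exchange layer-2 frames only if they share a VLAN.
    With no router or firewall between VLANs, this is the entire policy."""
    return bool(PORTS[src][1] & PORTS[dst][1])

def vlan_for_address(addr):
    """Map an address to its VLAN from the logical block plan (None if outside it)."""
    a = ip_address(addr)
    for vid, v in VLANS.items():
        if a in v["block"]:
            return vid
    return None

def switch_config():
    """Emit per-port configuration lines from the port map."""
    lines = []
    for port, (desc, vlans) in PORTS.items():
        lines += [f"interface {port}", f" description {desc}"]
        if port_mode(port) == "trunk":
            allowed = ",".join(str(v) for v in sorted(vlans))
            lines += [" switchport mode trunk", f" switchport trunk allowed vlan {allowed}"]
        else:
            lines += [" switchport mode access", f" switchport access vlan {next(iter(vlans))}"]
    return "\n".join(lines)
```

A host on a trunk port must tag its own frames (one 802.1Q sub-interface per VLAN); a plain NIC on a trunk port would see only the native VLAN.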