How do I create isolated networks in the same office

A client of mine is moving offices and merging with another department. I need to put them on the same network but isolate network traffic between the departments.

In summary this is the setup.

There will be 1 Internet connection that is protected by a WatchGuard Firebox. All departments will use this link. There is another link that goes to a datacentre through a fibre link (the datacentre is in the same building).

There are 10 workstations and 3 servers that are housed inside the network that also need to talk to the datacentre.

There are another 14 workstations that are not to have any access to the above machines or datacentre.

As well as this they have an Exchange server and a file server that all machines need to have access to.

I think setting up 2 VLANs is the best way to separate the network and have the FS/Exchange server as members of both VLANs.
It has been a long time since I set up a VLAN and would appreciate some help in coming up with a solution to solve this problem.
Also, can you recommend the best switches to use?

1 Solution
Fred Marshall commented:
Subject to a lot of the details, here is a very simple way to split the departments and, yet, connect to the internet.  Adding a server at the top level may work.

Internet access point - a LAN in your global network.  Let's say this is
Connect two NATting routers WAN side to this LAN.

Let's say the two added routers' LAN subnets are and 192.168.3.0 respectively.

Each router's LAN will serve a department.
No computer in one department can reach past the other department's router to the computers on the other side.

All computers will be able to "see" any computers (servers) on the global LAN but not vice versa.  So, requests to these computers may be responded to while the servers can't initiate access to the departments.  I'm not sure this will work for everything you want to do but it's a start and it's very inexpensive and easy to set up.
Usually VLANs serve the best.
You will need a "managed switch".
It will allow everything to be on the same subnet, be invisible to each other, but still share "shared resources", i.e. servers, internet access, and so on.
You should avoid using 192.168.x.x - this is for home networks. On a larger network, besides giving you strange problems, it also limits you by IPs.
VLAN info you can obtain from cisco.com by searching "vlan topology" - there are a lot of diagram examples and scenarios to use, as well as on Google.
Fred Marshall commented:
You have to use *some* private IP address range.
As you know, these are (courtesy Wikipedia):

IANA Reserved Private Network Ranges

24-bit Block (/8 prefix, 1 x A) - Mask:
Addresses: 16,777,216

20-bit Block (/12 prefix, 16 x B) - Mask:
Addresses: 1,048,576

16-bit Block (/16 prefix, 256 x C) - Mask:
Addresses: 65,536

But, you have very few computers to deal with so a 24-bit (or 8-bit block for addresses) subnet of 256 Addresses seems OK for you.  There are any number to choose from....  There is nothing "special" about any of them.  Why change from the router's defaults unless you have to?
htyu1 (author) commented:
Actually the way I was thinking of solving it is as follows

All machines on the same subnet, say

Switch(es) divided into VLAN 1 and VLAN 2.
The shared servers and internet path to be members of both VLANs, and as such accessible to all hosts; the protected machines and datacentre link to be on the other VLAN.

Is this feasible?
"shared servers and internet path to be members of both VLANs..." - those ports will be configured as "trunk".
Other ports - VLAN 1 / VLAN 2 according to their group.
I will never understand people using 192.168.x.x in production; it is meant to be used for home networks.
It is more beneficial to switch the IP range to, for example, and use "logical" blocks, with separation by VLANs: - office, - guests, - contractors, - VPN users, - remote branch,
and so on. In this case you have 65K addresses available to you.
This way it is much easier to manage security, and it will make life easier too.
htyu1 (author) commented:
Thanks dkarpekin

So if I tag the shared servers as trunk, and I put them in the 'office' IP range, using your example range, will the 'contractors' be able to communicate with them?
Yes, but they will not communicate with the other VLAN.
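The port layout agreed above (access ports per department, the shared Exchange/file server ports and the internet uplink carrying both VLANs), written out as an added Cisco IOS-style switch configuration that is not from this thread. VLAN IDs, interface numbers, names and the use of one subnet per VLAN are assumptions.

```cisco
! Added example, not from the thread. VLAN IDs, interface numbers and
! names are assumptions; one IP subnet per VLAN is assumed.
vlan 10
 name PROTECTED
vlan 20
 name GENERAL
!
! Access ports: the 10 workstations and 3 servers that may reach the datacentre
interface range GigabitEthernet1/0/1 - 13
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
! Access port for the fibre link to the datacentre (protected VLAN only)
interface GigabitEthernet1/0/14
 switchport mode access
 switchport access vlan 10
!
! Access ports: the 14 workstations with no access to VLAN 10 or the datacentre
interface range GigabitEthernet1/0/15 - 28
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
! Shared Exchange / file server ports: 802.1Q trunks carrying both VLANs.
! The server NIC must be configured with tagged sub-interfaces for VLAN 10
! and VLAN 20 (one address in each); an untagged NIC only sees the native VLAN.
! Check: with a foot in both VLANs the server is the only bridge between the
! departments, so IP forwarding must stay disabled on it or the isolation is lost.
interface range GigabitEthernet1/0/45 - 46
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! Uplink to the Firebox: trunk both VLANs so the firewall gives each its own
! internet path; the firewall policy, not the switch, decides whether any
! traffic passes between VLAN 10 and VLAN 20 (none should).
interface GigabitEthernet1/0/48
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! Verify on the switch after applying:
!   show vlan brief            -> ports listed under the expected VLAN
!   show interfaces trunk      -> only Gi1/0/45-46 and Gi1/0/48, VLANs 10,20
```

Restricting `switchport trunk allowed vlan` on every trunk, rather than accepting the default of all VLANs, is what keeps a misconfigured or compromised shared server port from being used to reach VLANs it was never meant to carry.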
