Two Networks on One Switch

We have run out of space in one of our racks in our offsite location and are planning to set up another rack, and have a quick networking question. We were wondering if there are managed switches out there that allow two networks on one switch. I understand this can be done with VLANs but were hoping to stay away from that, given that none of us have delved into that territory yet, but we will learn if it is necessary.

Perhaps there is a way to designate a certain number of ports in the management console to one network and another group of ports to another?

Basically we are planning to buy a ProCurve 2848 (48 port) managed switch and were hoping it could do the job.

http://www.hp.com/rnd/products/switches/HP_ProCurve_Switch_2800_Series/overview.htm
Asked by chrisjmccrum.

JFrederick29 commented:
If security is of the utmost concern, you can simply use two switches (non-managed, even), one for each network. VLANs are software based, so they are prone to bugs, coding errors, etc., which is why using two physical switches is the strongest form of separation.

JFrederick29 commented:
Sure, the switch will work. You can have multiple IP subnets residing on the same VLAN. The switch doesn't care. However, you'll need to use VLANs if you want "physical" (well, virtual) separation of the two networks/subnets.

chrisjmccrum (author) commented:
I see what you're saying, but perhaps I worded my question poorly. We would like to ultimately have one wire from our SonicWall router/firewall go into port 1 on the ProCurve and have ports 2-24 be our 10.160.0.1 network. Then a second wire would be run to port 25 on the ProCurve and ports 26-48 would be our DMZ network, 10.190.0.1.

We would like to achieve this without using VLANs and I'm pretty sure I've seen it done with some switches but I'm not sure how.  

Don S. commented:
Don't be scared of VLANs. They are fairly simple to implement on the ProCurves (and most other switches). You simply set up an additional VLAN (VLAN 2) and set the ports you want separated to be untagged on VLAN 2. Those ports are then essentially on a separate switch from the ports you did not change (which by default are untagged on the default VLAN, which is VLAN 1). That's it. ProCurve even has a menu available in the switch to make it real easy. You can set it up in about 2 minutes.

JFrederick29 commented:
Technically this can be done with one VLAN just the way you are planning, but there are security risks with using one VLAN in this manner. I would recommend using two VLANs.

ccomley commented:
VLANs are what you need, but you can stick to the simple method.

Find a switch which will give you PORT BASED VLAN. This is SIMPLE to set up, either done with little switches on the back or by web-browsing into the switch. Either way, for each port, you choose LAN 1 or LAN 2, etc.

So just set ports 1-8 to be LAN 1 and ports 9-16 to be LAN 2, and that's IT.

You *can* set a "trunk" port that is visible to both but in this case it sounds like you don't want to.

The other advantage you may find with such a switch is that

- you can use the web admin page to enable or disable one or more ports, remotely if you want
- you can get traffic stats on each port

Typical example: Zyxel Dimension 2xxx series, e.g. ES2024 - 24 ports, port-VLAN-able, remote controllable, etc. via web GUI.

(Warning - the one thing to watch out for: any such device will have a default IP address of its own, so make sure you set this to something sane before attaching it to your LAN.)

chrisjmccrum (author) commented:
Thank you all for your responses thus far. It's been very helpful and we are realizing how easy this can be. I've consulted our Security Specialist and he has major concerns regarding the security in general of VLANs. We are SAS70 compliant and he is worried because they asked us one time if our networks are physically split. For instance, is it possible for a user on the 10.190.0.1 VLAN 2 to spoof their address and end up on VLAN 1, 10.160.0.1?

Is the traffic tagged at the packet level, or is the port tagged? I guess ultimately, how is the security with VLANs? Can you point me to a good article backing it up?

Again thank you all for your help.

ccomley commented:
Footnote - PORT based VLAN cannot be spoofed because it's hard-coded on each port of the switch which VLAN it is in.

Soft VLAN requires you to add a "tag" to each data packet saying "hey, I'm a packet on VLAN xxx", and the switch reacts to the tag - that's more powerful because you can set the same VLAN up on multiple switches and routers across the WAN, but you don't need it here.
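The forwarding rule behind ccomley's footnote and JFrederick29's "one VLAN is risky" point can be checked with a small model of a port-based VLAN switch. This is an added example, not ProCurve firmware or anything posted in the thread; the 48-port layout follows the author's plan (ports 2-24 LAN, ports 26-48 DMZ), and the MAC and IP addresses are constructed sample values. It shows that a DMZ host spoofing a LAN source address still cannot reach a LAN port once the ports are untagged on separate VLANs, while in the single-VLAN layout the same frame goes straight through.

```python
"""Model of a port-based (untagged) VLAN switch. Added example, not vendor
code. Layout assumed from the thread: ports 1-24 = LAN (VLAN 1),
ports 25-48 = DMZ (VLAN 2). MACs/IPs below are constructed sample data."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str                      # carried only to show the switch ignores it
    vlan_tag: Optional[int] = None   # 802.1Q tag; None for an untagged frame


class PortVlanSwitch:
    def __init__(self, num_ports):
        self.pvid = {p: 1 for p in range(1, num_ports + 1)}        # untagged VLAN per port
        self.tagged = {p: set() for p in range(1, num_ports + 1)}  # tagged memberships
        self.fdb = {}                                              # (vlan, mac) -> port

    def untagged(self, vlan, ports):
        """Like 'vlan N untagged <ports>': a port is untagged in exactly one VLAN."""
        for p in ports:
            self.pvid[p] = vlan

    def forward(self, in_port, frame):
        """Return the set of egress ports. VLAN comes from the ingress port,
        never from the MAC or IP addresses inside the frame."""
        if frame.vlan_tag is None:
            vlan = self.pvid[in_port]
        elif frame.vlan_tag in self.tagged[in_port]:
            vlan = frame.vlan_tag
        else:
            return set()  # tagged frame for a VLAN this port does not trunk: dropped
        self.fdb[(vlan, frame.src_mac)] = in_port  # MAC learning is per VLAN
        members = {p for p, v in self.pvid.items() if v == vlan and p != in_port}
        members |= {p for p, t in self.tagged.items() if vlan in t and p != in_port}
        known = self.fdb.get((vlan, frame.dst_mac))
        if known is not None and known in members:
            return {known}
        return members  # unknown destination: flood within the VLAN only


def spoof_reaches_lan(segmented):
    """Does a DMZ host (port 30) spoofing a LAN IP reach the LAN server on port 5?"""
    sw = PortVlanSwitch(48)
    if segmented:
        sw.untagged(2, range(25, 49))  # DMZ side moves to VLAN 2; ports 1-24 stay on VLAN 1
    lan_server = "00:00:5e:00:53:01"   # constructed MAC of the server on port 5
    sw.forward(5, Frame(lan_server, "ff:ff:ff:ff:ff:ff", "10.160.0.5"))  # switch learns it
    spoofed = Frame("00:00:5e:00:53:02", lan_server, "10.160.0.50")     # forged LAN source
    return 5 in sw.forward(30, spoofed)
```

With `segmented=False` (the author's original one-VLAN plan) the spoofed frame is delivered to port 5; with `segmented=True` it is only flooded to other VLAN 2 ports, and a tagged frame injected on an untagged-only port is dropped.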