Solved

Switch with vlan how to separate accounting from non accounting

Posted on 2011-03-25
3
362 Views
Last Modified: 2012-05-11
I am new to vlans but my smartswitch supports vlans.  I have a few pcs that are accounting related.  I want the accounting users to be able to connect with each other and the rest of the network but I want all other users not to be able to connect to accounting pcs.  The reason I need the accounting users to be able to connect to the other users because I have shared network printers that they use but i don't want the non accounting users to connect to accounting. The non accounting users need to be able to connect to the shared printers as well.
0
Comment
Question by:FASTECHS
3 Comments
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 167 total points
ID: 35213549
You could create three vlans: accounting, non-accounting and printers. That way you can make sure that both can reach the printers but not each other.
0
 
LVL 2

Assisted Solution

by:leetpriest
leetpriest earned 167 total points
ID: 35215150
Are the printers shared off of a server? Or are they shared from the non-accounting users?
0
 
LVL 3

Accepted Solution

by:
FWeston earned 166 total points
ID: 35216620
In order to do this, your switch will need to be a layer 3 switch (capable of routing between VLANs), or else you will need some other device such as a router or firewall that does the routing for you.

Essentially what you would do is create an accounting vlan (vlan 50) and a non-accounting vlan (vlan 100).  On the switch, assign IP addresses to each VLAN.  To keep it simple, lets say vlan 50 uses 192.168.50.124 and vlan 100 is 192.168.100.1/24.  Now enable IP routing on the switch.

At this point, PCs on VLAN 50 should be able to talk to PCs on VLAN 100 and vice versa.  Now, add access lists to deny the traffic you don't want to allow.  You'll have to look at the documentation for your switch to find the syntax for configuring ACLs.

Keep in mind that while a firewall will do stateful inspection, most switches do not.

What this means is if you add an ACL that denies traffic from vlan 100 to vlan 50, that will allow traffic from vlan 50 to get to vlan 100, but it won't let it get back.  So if you pinged a PC on vlan 100 from vlan 50, the ping traffic would reach it's destination, but the switch would block the reply traffic.

If you use a firewall, most of them are smart enough to dynamically inspect the traffic and permit the replys even though there is an ACL that would block that traffic by default.
0

Featured Post

Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Even if you have implemented a Mobile Device Management solution company wide, it is a good idea to make sure you are taking into account all of the major risks to your electronic protected health information (ePHI).
In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

912 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

24 Experts available now in Live!

Get 1:1 Help Now