Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Switch with vlan how to separate accounting from non accounting

Posted on 2011-03-25
3
Medium Priority
?
371 Views
Last Modified: 2012-05-11
I am new to vlans but my smartswitch supports vlans.  I have a few pcs that are accounting related.  I want the accounting users to be able to connect with each other and the rest of the network but I want all other users not to be able to connect to accounting pcs.  The reason I need the accounting users to be able to connect to the other users because I have shared network printers that they use but i don't want the non accounting users to connect to accounting. The non accounting users need to be able to connect to the shared printers as well.
0
Comment
Question by:FASTECHS
3 Comments
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 668 total points
ID: 35213549
You could create three vlans: accounting, non-accounting and printers. That way you can make sure that both can reach the printers but not each other.
0
 
LVL 2

Assisted Solution

by:leetpriest
leetpriest earned 668 total points
ID: 35215150
Are the printers shared off of a server? Or are they shared from the non-accounting users?
0
 
LVL 3

Accepted Solution

by:
FWeston earned 664 total points
ID: 35216620
In order to do this, your switch will need to be a layer 3 switch (capable of routing between VLANs), or else you will need some other device such as a router or firewall that does the routing for you.

Essentially what you would do is create an accounting vlan (vlan 50) and a non-accounting vlan (vlan 100).  On the switch, assign IP addresses to each VLAN.  To keep it simple, lets say vlan 50 uses 192.168.50.124 and vlan 100 is 192.168.100.1/24.  Now enable IP routing on the switch.

At this point, PCs on VLAN 50 should be able to talk to PCs on VLAN 100 and vice versa.  Now, add access lists to deny the traffic you don't want to allow.  You'll have to look at the documentation for your switch to find the syntax for configuring ACLs.

Keep in mind that while a firewall will do stateful inspection, most switches do not.

What this means is if you add an ACL that denies traffic from vlan 100 to vlan 50, that will allow traffic from vlan 50 to get to vlan 100, but it won't let it get back.  So if you pinged a PC on vlan 100 from vlan 50, the ping traffic would reach it's destination, but the switch would block the reply traffic.

If you use a firewall, most of them are smart enough to dynamically inspect the traffic and permit the replys even though there is an ACL that would block that traffic by default.
0

Featured Post

Ready for your healthcare security check-up?

In the past few years, healthcare organizations have become a prime target for advanced attacks. Does your organization have what it needs to defend itself? Schedule your healthcare security check-up today and download our free Healthcare Security Resource Kit today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Arrow Electronics was searching for a KVM  (Keyboard/Video/Mouse) switch that could display on one single monitor the current status of all units being tested on the rack.
Tech spooks aren't just for those who are tech savvy, it also happens to those of us running a business. Check out the top tech spooks for business owners.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …

971 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question