  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 373
  • Last Modified:

Switch with vlan how to separate accounting from non accounting

I am new to VLANs but my smart switch supports VLANs. I have a few PCs that are accounting related. I want the accounting users to be able to connect with each other and the rest of the network, but I want all other users not to be able to connect to the accounting PCs. The reason I need the accounting users to be able to connect to the other users is because I have shared network printers that they use, but I don't want the non-accounting users to connect to accounting. The non-accounting users need to be able to connect to the shared printers as well.
Asked by: FASTECHS
3 Solutions
 
Ernie Beek (Expert) commented:
You could create three vlans: accounting, non-accounting and printers. That way you can make sure that both can reach the printers but not each other.
 
leetpriest commented:
Are the printers shared off of a server? Or are they shared from the non-accounting users?
 
FWeston commented:
In order to do this, your switch will need to be a layer 3 switch (capable of routing between VLANs), or else you will need some other device such as a router or firewall that does the routing for you.

Essentially what you would do is create an accounting VLAN (VLAN 50) and a non-accounting VLAN (VLAN 100).  On the switch, assign IP addresses to each VLAN.  To keep it simple, let's say VLAN 50 uses 192.168.50.1/24 and VLAN 100 is 192.168.100.1/24.  Now enable IP routing on the switch.

At this point, PCs on VLAN 50 should be able to talk to PCs on VLAN 100 and vice versa.  Now, add access lists to deny the traffic you don't want to allow.  You'll have to look at the documentation for your switch to find the syntax for configuring ACLs.

Keep in mind that while a firewall will do stateful inspection, most switches do not.

What this means is that if you add an ACL that denies traffic from VLAN 100 to VLAN 50, that will allow traffic from VLAN 50 to get to VLAN 100, but it won't let it get back.  So if you pinged a PC on VLAN 100 from VLAN 50, the ping traffic would reach its destination, but the switch would block the reply traffic.

If you use a firewall, most of them are smart enough to dynamically inspect the traffic and permit the replies even though there is an ACL that would block that traffic by default.
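The stateless-versus-stateful point FWeston makes above, as an added simulation that is not part of this thread: the same "deny VLAN 100 to VLAN 50, permit everything else" ACL is applied once packet-by-packet (as a switch ACL would) and once with a flow table (as a stateful firewall would). The VLAN subnets match his example; the two host addresses 192.168.50.10 and 192.168.100.10 are constructed for the test, and the flow tracking is deliberately simplified to source/destination address pairs.

```python
import ipaddress
from dataclasses import dataclass

ACCOUNTING = ipaddress.ip_network("192.168.50.0/24")       # VLAN 50
NON_ACCOUNTING = ipaddress.ip_network("192.168.100.0/24")  # VLAN 100
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    kind: str  # "icmp-request" or "icmp-reply", for readability only

# Ordered ACL as described in the answer: deny VLAN 100 -> VLAN 50, permit the rest.
ACL = [
    ("deny", NON_ACCOUNTING, ACCOUNTING),
    ("permit", ANY, ANY),
]

def stateless_acl(pkt):
    """Switch-style ACL: each packet judged on its own, first matching rule wins."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for action, src_net, dst_net in ACL:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False  # implicit deny if nothing matched

class StatefulFirewall:
    """Same rules, plus a flow table so replies to permitted traffic get back."""
    def __init__(self):
        self.flows = set()  # (src, dst) pairs already permitted (simplified)

    def allow(self, pkt):
        if (pkt.dst, pkt.src) in self.flows:  # reverse direction of a known flow
            return True
        if stateless_acl(pkt):
            self.flows.add((pkt.src, pkt.dst))
            return True
        return False

def simulate_ping(filter_fn, src="192.168.50.10", dst="192.168.100.10"):
    """Return (request_delivered, reply_delivered) for a ping from src to dst."""
    request = Packet(src, dst, "icmp-request")
    reply = Packet(dst, src, "icmp-reply")
    request_ok = filter_fn(request)
    reply_ok = request_ok and filter_fn(reply)
    return request_ok, reply_ok
```

With the stateless filter the request from VLAN 50 is delivered but the reply is dropped, exactly the symptom described; the stateful filter lets the reply through while still blocking anything VLAN 100 initiates toward VLAN 50.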
