Solved

Vlan setup

Posted on 2011-09-22
Last Modified: 2012-05-12
I am doing some work on a client's network and was wondering if a VLAN would be a good option for me. I have not set up a VLAN since my days in school, so I thought I would try and get some input. Our goal is to have Internet connectivity to 10 different computers; 3 of those computers are not to see the other 7 and vice versa. They share one Internet connection. I have multiple routers and a switch that supports VLANs. Any suggestions on the best setup for this?
Question by: larsongross
Expert Comment by: emilgas (ID: 36581886)
Well, you can have two VLANs, and depending on your switch you can set it up accordingly. What I mean by that is that if you have a layer 3 switch you can do the switching and ACLs on that, and if you just have a regular layer 2 switch then all that will happen on your router.

A classic book example of this would be the "Router on a Stick" Method. Just google it and you'll get all the help you need. (Again this is if you don't have a layer 3 switch)

Accepted Solution by: packetguy (earned 500 total points, ID: 36581906)
This is a pretty standard application for VLANs. The key point to remember is that traffic can never move between VLANs without being routed through a layer-3 device, such as an Ethernet-to-Ethernet router or a layer-3 switch.

The design is straightforward. You create two separate IP subnets, such as 192.168.1.0/24 and 192.168.2.0/24, and configure two VLANs, for example VLAN1 and VLAN2. The way you connect these two VLANs to the Internet depends upon the capabilities of your firewall. Many modern firewalls have multiple ports that can each have a unique LAN subnet address. With this approach, you simply plug a switch port from VLAN1 into one firewall LAN port and a switch port from VLAN2 into the other firewall LAN port, configuring the first port with an IP address of 192.168.1.1 and the second with 192.168.2.1; those two addresses are now the gateway addresses for their respective subnets. You would also generally set up two separate DHCP scopes, one for each subnet.

As long as the firewall has a rule prohibiting traffic between the two subnets, they won't be able to see each other.

An alternative architecture uses a VLAN-capable firewall, in which a single LAN port connects to a switch port using tagged packets. All other switch ports would remain untagged.

And if your firewall has no available LAN ports and is not VLAN capable, you can use a "core" Ethernet-to-Ethernet LAN router as the gateway for both subnets, routing all outbound traffic to the firewall but prohibiting traffic between the VLANs using an access control list (ACL). The critical firewall requirement with this approach is that you need to create three IP subnets, with one dedicated to the path between the core router and the firewall, and the firewall must support static routes to redirect traffic for the other two subnets to the core router.

If you need equipment recommendations I can provide some. Depending on your bandwidth requirements, refurbished Cisco gear can be a great bargain -- top quality equipment at ten cents on the dollar.
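
A worked configuration for the "core router with an ACL" design described above (and the layer-3-switch ACL approach emilgas mentioned), added here as an illustration and not taken from the thread. It assumes a Catalyst 3750-style IOS layer-3 switch, VLAN ids 10/20/100, the port numbering shown, and a 192.168.100.0/30 transit subnet between the switch and the firewall; none of those values come from the thread.

```cisco
! Assumed: Catalyst 3750-style IOS layer-3 switch; VLAN ids, port numbers
! and the 192.168.100.0/30 transit subnet are choices, not from the thread.
ip routing
vlan 10
 name OFFICE-7
vlan 20
 name ISOLATED-3
vlan 100
 name FW-TRANSIT
!
! 7 PCs in VLAN 10, 3 PCs in VLAN 20, uplink to the firewall in VLAN 100
interface range GigabitEthernet1/0/1 - 7
 switchport mode access
 switchport access vlan 10
interface range GigabitEthernet1/0/8 - 10
 switchport mode access
 switchport access vlan 20
interface GigabitEthernet1/0/24
 switchport mode access
 switchport access vlan 100
!
! Gateways for the two subnets; the same ACL is applied inbound on both SVIs
interface Vlan10
 ip address 192.168.1.1 255.255.255.0
 ip access-group NO-INTERVLAN in
interface Vlan20
 ip address 192.168.2.1 255.255.255.0
 ip access-group NO-INTERVLAN in
interface Vlan100
 ip address 192.168.100.2 255.255.255.252
!
! Deny both directions: filtering only one SVI would still let the other
! VLAN send one-way (UDP) traffic across. Internet-bound traffic is permitted.
ip access-list extended NO-INTERVLAN
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip any any
!
! One DHCP scope per subnet, served by the switch (add dns-server to each pool)
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.2.1
ip dhcp pool VLAN10
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
ip dhcp pool VLAN20
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
!
! Default route to the firewall, which needs static routes for both /24s via 192.168.100.2
ip route 0.0.0.0 0.0.0.0 192.168.100.1
```

The firewall at 192.168.100.1 only ever sees the transit subnet on its LAN port, so the two client subnets stay separated by the switch ACL regardless of the firewall's own rule set.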

Expert Comment by: jmeggers (ID: 36581939)
Yes, I would use VLANs and VACLs to restrict traffic from traversing the VLANs. The configuration of the VACL may be dependent on the hardware and software version. For the 3750, see the chapter on network security and ACLs: http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_58_se/configuration/guide/swacl.html
Author Comment by: larsongross (ID: 36582013)
Ok great information, I was thinking of going with a NETGEAR ProSafe FS726T switch because of the cost, what router would be a good pair with this?

Expert Comment by: packetguy (ID: 36582458)
I would avoid the low-end "prosumer" switches in favor of either Cisco's newer line of business-class switches (e.g., the SG300 gigabit switch line starting at about $400 street price) or HP's ProCurve offerings. You really want the rock-solid performance and time-tested IOS feature set of Cisco. Note that to get IOS on the SG300 gear you have to install the latest firmware.

The cool thing about Cisco gear is that you can get inexpensive Layer 3 switches -- essentially dang fast routers -- all in one unit. The Cisco SG300-20 20-port managed VLAN-capable gigabit switch for under $400 is an example, or the SG300-26 26-port for under $600. Install the latest firmware and you have genuine Cisco IOS layer 3 switches.

HP's V1910-24G 24-port GigE switch is also a Layer3 switch under $400, but you don't get the advantage of Cisco's better Web-based admin and Cisco's renowned IOS command line configuration and administration interface (for which there are millions of trained Cisco techs and tons and tons of training materials).

You'll spend a few bucks more on these enterprise-grade switches, but the core of your network will now be much more reliable and versatile.

Author Comment by: larsongross (ID: 36583007)
Cost is a factor here, so if I did not go with the Cisco or the ProCurves and did go with one of the cheaper layer 2 switches, what kind of router would I need to make this work? I am having a hard time understanding the DHCP aspect of the separate LANs.

Expert Comment by: packetguy (ID: 36583713)
A SonicWall TZ100 firewall is a high quality, easy to deploy business-class firewall that supports multiple subnets on separate LAN ports (I think it has four LAN ports, each individually addressable). It also supports multiple DHCP scopes, so you can have it issue appropriate DHCP leases on each port. This will work with the Netgear switch, and all the rules are easily configurable via the SonicWall's web-based management console.

Expert Comment by: packetguy (ID: 36588928)
In case it isn't clear, in this context a firewall also serves as a LAN router. The SonicWall, for example, is a firewall/router supporting routing between LAN ports. Not all firewalls permit this.

BTW, I just checked and the distributor site sonicguard.com has TZ 100s at a considerable discount. However, CDW also sells them, and various outfits on Amazon. When comparing firewall street prices for any brand, it's important to verify that you're comparing the same licensed features. For example, SonicWall has a feature pack called "totalsecure" that you pay extra for, that bundles various kinds of intrusion prevention features along with a hardware warranty. The low-end "prosumer" firewalls generally are a one-price-fits-all deal. But these low-end firewalls usually lack multiple LAN subnets, multiple DHCP scopes, and LAN routing capabilities that "business-class" devices have.

Author Closing Comment by: larsongross (ID: 36905222)
Would have liked some other recommendations besides high-end products; a lot of smaller businesses are struggling in this economy and having cost-effective recommendations would have helped greatly.