Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Using unmanaged switches to segment network, what problems?

Posted on 2012-03-15
11
Medium Priority
?
776 Views
Last Modified: 2012-03-30
I have 15 PCs and 3 printers going to a 24 port unmanaged switch.  This switch is connected to router with 1 "internet" port and 4 Lan ports.  The router internet port is connected to the cable modem and Lan port #1 from the router is connected to a port on the unmanaged switch.  The router also acts as the DHCP server.  Everything works fine, have internet access on all the PCs and everyone can see everyone elses PC on the network - which is the problem.  I want to segment this network into 4 segments.  I was thinking of just using 4 unmanaged switches, with one switch going to each of the LAN ports on the router.
1.) Will this work?  Will it "isolate" each of the segments so the users on segment 1 let's say can't see the users on segment 2, but all segments and all PCs still have access to the internet.
2.) Will there be a performance hit?
3.) Is there a better way?
Thanks!
0
Comment
Question by:JoeBoyd
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
  • 2
  • +2
11 Comments
 
LVL 11

Expert Comment

by:gmbaxter
ID: 37725289
What brand of router are you using?

Some small office routers and switches will do vlans, but as yours is unmanaged (switch) then i doubt that it will.

You could use 4 separate switches and set vlans on the router, or more cost effectively why don't you buy a vlan capable managed switch, and set vlans and access control lists on there?
0
 
LVL 5

Expert Comment

by:Voodoocrazy
ID: 37725333
The routers lan ports are probably a switch or at least in switch mode on most routers.  this will mean you are back to having one network again as it is now.

what router are you using?
0
 

Author Comment

by:JoeBoyd
ID: 37725339
Thanks for the quick response.  The router is a ZyXel NBG5715, the switch is unmanaged and is a DLink DES-1026G.  Oh, and by the way, the cable modem is actually more than that although I only use the cable modem part.  But it's a Comcast Business Gateway SMC-D3G.

I thought about the managed switch, in fact, I was looking at the DLink DGS-1210 series.  But, I understand that there would be problems with internet access for all the users or with IP assignments since my router is doing the DHCP?  Maybe I don't understand this then?

Thanks again!
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 3

Expert Comment

by:richardsk-octjamaica
ID: 37725471
You can try a approach of statically setting IP address on the same network as follows:

Example

in this example my router's network address running DHCP is 192.168.1.0

Segment 1
You have 15 machines, and you want to segment them into say three networks on the first segment of say three machines you will set the following IPs statically on the selected PCs:

192.168.3.10 / 255.255.255.0
192.168.3.11 / 255.255.255.0
192.168.3.12 / 255.255.255.0

Segment 2
On the second segment of say four PCs you will set the following IP address statically:

192.168.5.10 / 255.255.255.0
192.168.5.11 / 255.255.255.0
192.168.5.12 / 255.255.255.0
192.168.5.13 / 255.255.255.0

Segment 3
Now on the remaining eight PCs I would leave those on dynamic so as to let the router assign addresses automatically. Also

You have now segmented your network using a unmanaged switch that does not support VLANs, however please note that this method creates increased broadcast thus diminishing the performance throughput of your network, maybe not by a noticeable much, but it does affect its performance.
0
 
LVL 5

Expert Comment

by:Voodoocrazy
ID: 37725537
the above method would also segment the lans from the router.  you would therefore need a router between each segment and the switchports on the router as you cant route between lan ports on a ZyXel NBG5715
0
 

Author Comment

by:JoeBoyd
ID: 37725914
Maybe I should just go ahead and get a managed or smart switch then? I take it the one router would work to supply an internet connection to all the PCs no matter which segment they were on and the router could also supply IPs (through it's DHCP) to all the PCs no matter the segemnt?  Thanks
0
 
LVL 57

Accepted Solution

by:
giltjr earned 2000 total points
ID: 37728974
--> I take it the one router would work to supply an internet connection to all the PCs no matter which segment they were on

True.

--> and the router could also supply IPs (through it's DHCP) to all the PCs no matter the segemnt?

Could be.  It depends on how advanced the it is.  

Think of a LAN segment as physical separation of a network.  To get a DHCP address a client computer sends out a MAC level broadcast.  MAC level broadcasts typically do NOT cross LAN segments.  So a broadcast may not reach your router.

In order for the broadcast to reach the router, you need to have a switch that supports "bootp" forwarding.  The switch would look at all broadcasts IP level and forward bootp datagrams to a destination you specify in the switch.  On Cisco switches this is called an ip helper address.

Now once the router gets this, the router needs to be VLAN aware so that it can assign a DHCP address to the appropriate IP subnet.

Each VLAN (LAN segment) needs to have its own IP subnet.

Now for the big question.  Why do you want to segment the LAN?  Eighteen totally devices is not that many.  We have 400 devices on the same IP subnet/VLAN segment and have NO performance problems.
0
 

Author Comment

by:JoeBoyd
ID: 37729729
Thanks giltjr!  Boy, this was a great explanation!! It helps alot.  I will check my router and the switch I was looking at getting to see if they have they features.

Your question, why do I want to segment?  Actually from technical or practical standpoint I don't need to, but, I want to keep everyone on the network from seeing everyone elses PCs.  You see this is a small office building that I own and I have about 8 different tenants, which are 8 different companies. Some companies have one PC and some have 3 or 4 PCs or devices.  One or two of them don't like the idea that when they look at all the devices on the network they can see everyone else's PCs or printers also and thus other companies can see their devices.  I know they can user password protected accounts but they just don't like the idea of "seeing" them.

Thanks
0
 
LVL 57

Expert Comment

by:giltjr
ID: 37730403
Ah,  then it may be a bit more expensive, but I would look into getting either a L3 switch or a multi-port router that support VLAN'ing and some level of firewall support.

Creating VLAN's will not necessary prevent one tenant from finding/seeing another's computers.

You would need the ability to block traffic between VLAN's while still allowing traffic to/from the Internet.

Basically you would add another "router" between your tenant's and the router to the Internet.
0
 
LVL 11

Expert Comment

by:gmbaxter
ID: 37730437
If you have the budget I would suggest a basic Layer 3 (L3) switch to create the desired vlans. You can then assign switch ports into the desired vlans, depending on the company.

You can then use access control lists (ACLs) to prevent traffic from either vlan from "seeing" traffic in other vlans.

One interface on the switch would have an ip address and connect into your router, and you would set a default route on your switch to route all traffic outside of the local network to that IP.

ip route 0.0.0.0 0.0.0.0 192.168.10.254 255.255.255.252 (would be an example - allow all traffic to a set IP)
0
 

Author Closing Comment

by:JoeBoyd
ID: 37788625
Thanks for the detailed help.  Your answers not only help point me in the right direction but they also taught me a couple things about this topic which I am very weak in.  I do apologize for taking so long to get back to you.  Thanks also for continuing to answer my follow up questions.
0

Featured Post

Ready for your healthcare security check-up?

In the past few years, healthcare organizations have become a prime target for advanced attacks. Does your organization have what it needs to defend itself? Schedule your healthcare security check-up today and download our free Healthcare Security Resource Kit today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
Originally, this post was published on Monitis Blog, you can check it here . It goes without saying that technology has transformed society and the very nature of how we live, work, and communicate in ways that would’ve been incomprehensible 5 ye…
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Suggested Courses

597 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question