Using unmanaged switches to segment network, what problems?

Posted on 2012-03-15
Medium Priority
Last Modified: 2012-03-30
I have 15 PCs and 3 printers going to a 24 port unmanaged switch.  This switch is connected to router with 1 "internet" port and 4 Lan ports.  The router internet port is connected to the cable modem and Lan port #1 from the router is connected to a port on the unmanaged switch.  The router also acts as the DHCP server.  Everything works fine, have internet access on all the PCs and everyone can see everyone elses PC on the network - which is the problem.  I want to segment this network into 4 segments.  I was thinking of just using 4 unmanaged switches, with one switch going to each of the LAN ports on the router.
1.) Will this work?  Will it "isolate" each of the segments so the users on segment 1 let's say can't see the users on segment 2, but all segments and all PCs still have access to the internet.
2.) Will there be a performance hit?
3.) Is there a better way?
Question by:JoeBoyd
  • 4
  • 2
  • 2
  • +2
LVL 11

Expert Comment

ID: 37725289
What brand of router are you using?

Some small office routers and switches will do vlans, but as yours is unmanaged (switch) then i doubt that it will.

You could use 4 separate switches and set vlans on the router, or more cost effectively why don't you buy a vlan capable managed switch, and set vlans and access control lists on there?

Expert Comment

ID: 37725333
The routers lan ports are probably a switch or at least in switch mode on most routers.  this will mean you are back to having one network again as it is now.

what router are you using?

Author Comment

ID: 37725339
Thanks for the quick response.  The router is a ZyXel NBG5715, the switch is unmanaged and is a DLink DES-1026G.  Oh, and by the way, the cable modem is actually more than that although I only use the cable modem part.  But it's a Comcast Business Gateway SMC-D3G.

I thought about the managed switch, in fact, I was looking at the DLink DGS-1210 series.  But, I understand that there would be problems with internet access for all the users or with IP assignments since my router is doing the DHCP?  Maybe I don't understand this then?

Thanks again!
What Kind of Coding Program is Right for You?

There are many ways to learn to code these days. From coding bootcamps like Flatiron School to online courses to totally free beginner resources. The best way to learn to code depends on many factors, but the most important one is you. See what course is best for you.


Expert Comment

ID: 37725471
You can try a approach of statically setting IP address on the same network as follows:


in this example my router's network address running DHCP is

Segment 1
You have 15 machines, and you want to segment them into say three networks on the first segment of say three machines you will set the following IPs statically on the selected PCs: / / /

Segment 2
On the second segment of say four PCs you will set the following IP address statically: / / / /

Segment 3
Now on the remaining eight PCs I would leave those on dynamic so as to let the router assign addresses automatically. Also

You have now segmented your network using a unmanaged switch that does not support VLANs, however please note that this method creates increased broadcast thus diminishing the performance throughput of your network, maybe not by a noticeable much, but it does affect its performance.

Expert Comment

ID: 37725537
the above method would also segment the lans from the router.  you would therefore need a router between each segment and the switchports on the router as you cant route between lan ports on a ZyXel NBG5715

Author Comment

ID: 37725914
Maybe I should just go ahead and get a managed or smart switch then? I take it the one router would work to supply an internet connection to all the PCs no matter which segment they were on and the router could also supply IPs (through it's DHCP) to all the PCs no matter the segemnt?  Thanks
LVL 57

Accepted Solution

giltjr earned 2000 total points
ID: 37728974
--> I take it the one router would work to supply an internet connection to all the PCs no matter which segment they were on


--> and the router could also supply IPs (through it's DHCP) to all the PCs no matter the segemnt?

Could be.  It depends on how advanced the it is.  

Think of a LAN segment as physical separation of a network.  To get a DHCP address a client computer sends out a MAC level broadcast.  MAC level broadcasts typically do NOT cross LAN segments.  So a broadcast may not reach your router.

In order for the broadcast to reach the router, you need to have a switch that supports "bootp" forwarding.  The switch would look at all broadcasts IP level and forward bootp datagrams to a destination you specify in the switch.  On Cisco switches this is called an ip helper address.

Now once the router gets this, the router needs to be VLAN aware so that it can assign a DHCP address to the appropriate IP subnet.

Each VLAN (LAN segment) needs to have its own IP subnet.

Now for the big question.  Why do you want to segment the LAN?  Eighteen totally devices is not that many.  We have 400 devices on the same IP subnet/VLAN segment and have NO performance problems.

Author Comment

ID: 37729729
Thanks giltjr!  Boy, this was a great explanation!! It helps alot.  I will check my router and the switch I was looking at getting to see if they have they features.

Your question, why do I want to segment?  Actually from technical or practical standpoint I don't need to, but, I want to keep everyone on the network from seeing everyone elses PCs.  You see this is a small office building that I own and I have about 8 different tenants, which are 8 different companies. Some companies have one PC and some have 3 or 4 PCs or devices.  One or two of them don't like the idea that when they look at all the devices on the network they can see everyone else's PCs or printers also and thus other companies can see their devices.  I know they can user password protected accounts but they just don't like the idea of "seeing" them.

LVL 57

Expert Comment

ID: 37730403
Ah,  then it may be a bit more expensive, but I would look into getting either a L3 switch or a multi-port router that support VLAN'ing and some level of firewall support.

Creating VLAN's will not necessary prevent one tenant from finding/seeing another's computers.

You would need the ability to block traffic between VLAN's while still allowing traffic to/from the Internet.

Basically you would add another "router" between your tenant's and the router to the Internet.
LVL 11

Expert Comment

ID: 37730437
If you have the budget I would suggest a basic Layer 3 (L3) switch to create the desired vlans. You can then assign switch ports into the desired vlans, depending on the company.

You can then use access control lists (ACLs) to prevent traffic from either vlan from "seeing" traffic in other vlans.

One interface on the switch would have an ip address and connect into your router, and you would set a default route on your switch to route all traffic outside of the local network to that IP.

ip route (would be an example - allow all traffic to a set IP)

Author Closing Comment

ID: 37788625
Thanks for the detailed help.  Your answers not only help point me in the right direction but they also taught me a couple things about this topic which I am very weak in.  I do apologize for taking so long to get back to you.  Thanks also for continuing to answer my follow up questions.

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

This article explains the fundamentals of industrial networking which ultimately is the backbone network which is providing communications for process devices like robots and other not so interesting stuff.
Tech spooks aren't just for those who are tech savvy, it also happens to those of us running a business. Check out the top tech spooks for business owners.
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…

569 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question