Solved

Using unmanaged switches to segment network, what problems?

Posted on 2012-03-15
Last Modified: 2012-03-30
I have 15 PCs and 3 printers going to a 24-port unmanaged switch.  This switch is connected to a router with 1 "internet" port and 4 LAN ports.  The router's internet port is connected to the cable modem, and LAN port #1 on the router is connected to a port on the unmanaged switch.  The router also acts as the DHCP server.  Everything works fine: all the PCs have internet access and everyone can see everyone else's PC on the network, which is the problem.  I want to segment this network into 4 segments.  I was thinking of just using 4 unmanaged switches, with one switch going to each of the LAN ports on the router.
1.) Will this work?  Will it "isolate" each of the segments so that the users on segment 1, let's say, can't see the users on segment 2, while all segments and all PCs still have access to the internet?
2.) Will there be a performance hit?
3.) Is there a better way?
Thanks!
Question by:JoeBoyd
 
LVL 11

Expert Comment

by:gmbaxter
ID: 37725289
What brand of router are you using?

Some small office routers and switches will do VLANs, but as yours (the switch) is unmanaged, I doubt that it will.

You could use 4 separate switches and set VLANs on the router, or, more cost-effectively, why don't you buy a VLAN-capable managed switch and set VLANs and access control lists on there?
0
 
LVL 5

Expert Comment

by:Voodoocrazy
ID: 37725333
The router's LAN ports are probably a switch, or at least in switch mode, on most routers.  This will mean you are back to having one network again, as it is now.

What router are you using?
0
 

Author Comment

by:JoeBoyd
ID: 37725339
Thanks for the quick response.  The router is a ZyXel NBG5715, the switch is unmanaged and is a DLink DES-1026G.  Oh, and by the way, the cable modem is actually more than that although I only use the cable modem part.  But it's a Comcast Business Gateway SMC-D3G.

I thought about the managed switch, in fact, I was looking at the DLink DGS-1210 series.  But, I understand that there would be problems with internet access for all the users or with IP assignments since my router is doing the DHCP?  Maybe I don't understand this then?

Thanks again!
0
 
LVL 3

Expert Comment

by:richardsk-octjamaica
ID: 37725471
You can try an approach of statically setting IP addresses on the same network as follows:

Example

In this example my router's network address running DHCP is 192.168.1.0

Segment 1
You have 15 machines, and you want to segment them into, say, three networks. On the first segment of, say, three machines, you will set the following IPs statically on the selected PCs:

192.168.3.10 / 255.255.255.0
192.168.3.11 / 255.255.255.0
192.168.3.12 / 255.255.255.0

Segment 2
On the second segment of, say, four PCs, you will set the following IP addresses statically:

192.168.5.10 / 255.255.255.0
192.168.5.11 / 255.255.255.0
192.168.5.12 / 255.255.255.0
192.168.5.13 / 255.255.255.0

Segment 3
Now on the remaining eight PCs I would leave those on dynamic so as to let the router assign addresses automatically. Also

You have now segmented your network using an unmanaged switch that does not support VLANs. However, please note that this method creates increased broadcast, thus diminishing the performance throughput of your network, maybe not by a noticeable much, but it does affect its performance.
0
 
LVL 5

Expert Comment

by:Voodoocrazy
ID: 37725537
The above method would also segment the LANs from the router.  You would therefore need a router between each segment and the switch ports on the router, as you can't route between LAN ports on a ZyXel NBG5715.
0

Author Comment

by:JoeBoyd
ID: 37725914
Maybe I should just go ahead and get a managed or smart switch then? I take it the one router would work to supply an internet connection to all the PCs no matter which segment they were on, and the router could also supply IPs (through its DHCP) to all the PCs no matter the segment?  Thanks
0
 
LVL 57

Accepted Solution

by:
giltjr earned 500 total points
ID: 37728974
--> I take it the one router would work to supply an internet connection to all the PCs no matter which segment they were on

True.

--> and the router could also supply IPs (through its DHCP) to all the PCs no matter the segment?

Could be.  It depends on how advanced it is.

Think of a LAN segment as physical separation of a network.  To get a DHCP address a client computer sends out a MAC level broadcast.  MAC level broadcasts typically do NOT cross LAN segments.  So a broadcast may not reach your router.

In order for the broadcast to reach the router, you need to have a switch that supports "bootp" forwarding.  The switch would look at all broadcasts at the IP level and forward bootp datagrams to a destination you specify in the switch.  On Cisco switches this is called an ip helper address.

Now once the router gets this, the router needs to be VLAN aware so that it can assign a DHCP address to the appropriate IP subnet.

Each VLAN (LAN segment) needs to have its own IP subnet.

Now for the big question.  Why do you want to segment the LAN?  Eighteen total devices is not that many.  We have 400 devices on the same IP subnet/VLAN segment and have NO performance problems.
0
 

Author Comment

by:JoeBoyd
ID: 37729729
Thanks giltjr!  Boy, this was a great explanation!! It helps a lot.  I will check my router and the switch I was looking at getting to see if they have the features.

Your question, why do I want to segment?  Actually, from a technical or practical standpoint I don't need to, but I want to keep everyone on the network from seeing everyone else's PCs.  You see, this is a small office building that I own and I have about 8 different tenants, which are 8 different companies. Some companies have one PC and some have 3 or 4 PCs or devices.  One or two of them don't like the idea that when they look at all the devices on the network they can see everyone else's PCs or printers also, and thus other companies can see their devices.  I know they can use password-protected accounts, but they just don't like the idea of "seeing" them.

Thanks
0
 
LVL 57

Expert Comment

by:giltjr
ID: 37730403
Ah, then it may be a bit more expensive, but I would look into getting either an L3 switch or a multi-port router that supports VLANs and some level of firewall support.

Creating VLANs will not necessarily prevent one tenant from finding/seeing another's computers.

You would need the ability to block traffic between VLANs while still allowing traffic to/from the Internet.

Basically you would add another "router" between your tenants and the router to the Internet.
0
 
LVL 11

Expert Comment

by:gmbaxter
ID: 37730437
If you have the budget I would suggest a basic Layer 3 (L3) switch to create the desired vlans. You can then assign switch ports into the desired vlans, depending on the company.

You can then use access control lists (ACLs) to prevent traffic from either vlan from "seeing" traffic in other vlans.

One interface on the switch would have an ip address and connect into your router, and you would set a default route on your switch to route all traffic outside of the local network to that IP.

ip route 0.0.0.0 0.0.0.0 192.168.10.254 255.255.255.252 (would be an example - allow all traffic to a set IP)
0
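
The VLAN-plus-ACL design described in the answers above, modelled as an added example (not code from any poster or vendor): one VLAN and subnet per tenant, with a first-match ACL that blocks tenant-to-tenant traffic while still permitting the Internet. The 10.20.0.0/16 address space, the VLAN numbering and the tenant names are constructed assumptions.

```python
import ipaddress

TENANT_SPACE = ipaddress.ip_network("10.20.0.0/16")  # constructed address space
ANY = ipaddress.ip_network("0.0.0.0/0")

def build_plan(tenants, first_vlan=10):
    """Give each tenant its own VLAN ID, /24 subnet and gateway (first host)."""
    plan = {}
    subnets = TENANT_SPACE.subnets(new_prefix=24)
    for offset, (name, net) in enumerate(zip(tenants, subnets)):
        plan[name] = {"vlan": first_vlan + offset, "subnet": net,
                      "gateway": net.network_address + 1}
    return plan

def build_acl(plan, tenant, isolate=True):
    """Inbound ACL for one tenant's VLAN interface; first matching rule wins."""
    own = plan[tenant]["subnet"]
    acl = [("permit", own, own)]                 # own gateway / own subnet
    if isolate:
        acl.append(("deny", own, TENANT_SPACE))  # any other tenant's subnet
    acl.append(("permit", own, ANY))             # everything else: Internet
    return acl                                   # unmatched sources hit implicit deny

def evaluate(acl, src, dst):
    """Return 'permit' or 'deny' for one packet, as a first-match ACL would."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action
    return "deny"  # implicit deny at the end of the list

def audit(plan, isolate=True):
    """List every (source tenant, destination tenant) pair the ACLs let through."""
    leaks = []
    for a in plan:
        acl = build_acl(plan, a, isolate)
        src = plan[a]["subnet"].network_address + 10
        for b in plan:
            dst = plan[b]["subnet"].network_address + 10
            if a != b and evaluate(acl, str(src), str(dst)) == "permit":
                leaks.append((a, b))
    return leaks

if __name__ == "__main__":
    plan = build_plan([f"tenant{i}" for i in range(1, 9)])  # 8 tenants
    print("leaks with VLANs only:", len(audit(plan, isolate=False)))
    print("leaks with VLANs + ACL:", len(audit(plan, isolate=True)))
```

With `isolate=False` the audit shows that routed VLANs on their own still let every tenant reach every other tenant, which is why the deny rule has to sit ahead of the Internet permit.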
 

Author Closing Comment

by:JoeBoyd
ID: 37788625
Thanks for the detailed help.  Your answers not only help point me in the right direction but they also taught me a couple things about this topic which I am very weak in.  I do apologize for taking so long to get back to you.  Thanks also for continuing to answer my follow up questions.
0
