Using unmanaged switches to segment network, what problems?
I have 15 PCs and 3 printers going to a 24 port unmanaged switch. This switch is connected to router with 1 "internet" port and 4 Lan ports. The router internet port is connected to the cable modem and Lan port #1 from the router is connected to a port on the unmanaged switch. The router also acts as the DHCP server. Everything works fine, have internet access on all the PCs and everyone can see everyone elses PC on the network - which is the problem. I want to segment this network into 4 segments. I was thinking of just using 4 unmanaged switches, with one switch going to each of the LAN ports on the router.
1.) Will this work? Will it "isolate" each of the segments so the users on segment 1 let's say can't see the users on segment 2, but all segments and all PCs still have access to the internet.
2.) Will there be a performance hit?
3.) Is there a better way?
Thanks!
1.) Will this work? Will it "isolate" each of the segments so the users on segment 1 let's say can't see the users on segment 2, but all segments and all PCs still have access to the internet.
2.) Will there be a performance hit?
3.) Is there a better way?
Thanks!
The routers lan ports are probably a switch or at least in switch mode on most routers. this will mean you are back to having one network again as it is now.
what router are you using?
what router are you using?
ASKER
Thanks for the quick response. The router is a ZyXel NBG5715, the switch is unmanaged and is a DLink DES-1026G. Oh, and by the way, the cable modem is actually more than that although I only use the cable modem part. But it's a Comcast Business Gateway SMC-D3G.
I thought about the managed switch, in fact, I was looking at the DLink DGS-1210 series. But, I understand that there would be problems with internet access for all the users or with IP assignments since my router is doing the DHCP? Maybe I don't understand this then?
Thanks again!
I thought about the managed switch, in fact, I was looking at the DLink DGS-1210 series. But, I understand that there would be problems with internet access for all the users or with IP assignments since my router is doing the DHCP? Maybe I don't understand this then?
Thanks again!
You can try a approach of statically setting IP address on the same network as follows:
Example
in this example my router's network address running DHCP is 192.168.1.0
Segment 1
You have 15 machines, and you want to segment them into say three networks on the first segment of say three machines you will set the following IPs statically on the selected PCs:
192.168.3.10 / 255.255.255.0
192.168.3.11 / 255.255.255.0
192.168.3.12 / 255.255.255.0
Segment 2
On the second segment of say four PCs you will set the following IP address statically:
192.168.5.10 / 255.255.255.0
192.168.5.11 / 255.255.255.0
192.168.5.12 / 255.255.255.0
192.168.5.13 / 255.255.255.0
Segment 3
Now on the remaining eight PCs I would leave those on dynamic so as to let the router assign addresses automatically. Also
You have now segmented your network using a unmanaged switch that does not support VLANs, however please note that this method creates increased broadcast thus diminishing the performance throughput of your network, maybe not by a noticeable much, but it does affect its performance.
Example
in this example my router's network address running DHCP is 192.168.1.0
Segment 1
You have 15 machines, and you want to segment them into say three networks on the first segment of say three machines you will set the following IPs statically on the selected PCs:
192.168.3.10 / 255.255.255.0
192.168.3.11 / 255.255.255.0
192.168.3.12 / 255.255.255.0
Segment 2
On the second segment of say four PCs you will set the following IP address statically:
192.168.5.10 / 255.255.255.0
192.168.5.11 / 255.255.255.0
192.168.5.12 / 255.255.255.0
192.168.5.13 / 255.255.255.0
Segment 3
Now on the remaining eight PCs I would leave those on dynamic so as to let the router assign addresses automatically. Also
You have now segmented your network using a unmanaged switch that does not support VLANs, however please note that this method creates increased broadcast thus diminishing the performance throughput of your network, maybe not by a noticeable much, but it does affect its performance.
the above method would also segment the lans from the router. you would therefore need a router between each segment and the switchports on the router as you cant route between lan ports on a ZyXel NBG5715
ASKER
Maybe I should just go ahead and get a managed or smart switch then? I take it the one router would work to supply an internet connection to all the PCs no matter which segment they were on and the router could also supply IPs (through it's DHCP) to all the PCs no matter the segemnt? Thanks
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks giltjr! Boy, this was a great explanation!! It helps alot. I will check my router and the switch I was looking at getting to see if they have they features.
Your question, why do I want to segment? Actually from technical or practical standpoint I don't need to, but, I want to keep everyone on the network from seeing everyone elses PCs. You see this is a small office building that I own and I have about 8 different tenants, which are 8 different companies. Some companies have one PC and some have 3 or 4 PCs or devices. One or two of them don't like the idea that when they look at all the devices on the network they can see everyone else's PCs or printers also and thus other companies can see their devices. I know they can user password protected accounts but they just don't like the idea of "seeing" them.
Thanks
Your question, why do I want to segment? Actually from technical or practical standpoint I don't need to, but, I want to keep everyone on the network from seeing everyone elses PCs. You see this is a small office building that I own and I have about 8 different tenants, which are 8 different companies. Some companies have one PC and some have 3 or 4 PCs or devices. One or two of them don't like the idea that when they look at all the devices on the network they can see everyone else's PCs or printers also and thus other companies can see their devices. I know they can user password protected accounts but they just don't like the idea of "seeing" them.
Thanks
Ah, then it may be a bit more expensive, but I would look into getting either a L3 switch or a multi-port router that support VLAN'ing and some level of firewall support.
Creating VLAN's will not necessary prevent one tenant from finding/seeing another's computers.
You would need the ability to block traffic between VLAN's while still allowing traffic to/from the Internet.
Basically you would add another "router" between your tenant's and the router to the Internet.
Creating VLAN's will not necessary prevent one tenant from finding/seeing another's computers.
You would need the ability to block traffic between VLAN's while still allowing traffic to/from the Internet.
Basically you would add another "router" between your tenant's and the router to the Internet.
If you have the budget I would suggest a basic Layer 3 (L3) switch to create the desired vlans. You can then assign switch ports into the desired vlans, depending on the company.
You can then use access control lists (ACLs) to prevent traffic from either vlan from "seeing" traffic in other vlans.
One interface on the switch would have an ip address and connect into your router, and you would set a default route on your switch to route all traffic outside of the local network to that IP.
ip route 0.0.0.0 0.0.0.0 192.168.10.254 255.255.255.252 (would be an example - allow all traffic to a set IP)
You can then use access control lists (ACLs) to prevent traffic from either vlan from "seeing" traffic in other vlans.
One interface on the switch would have an ip address and connect into your router, and you would set a default route on your switch to route all traffic outside of the local network to that IP.
ip route 0.0.0.0 0.0.0.0 192.168.10.254 255.255.255.252 (would be an example - allow all traffic to a set IP)
ASKER
Thanks for the detailed help. Your answers not only help point me in the right direction but they also taught me a couple things about this topic which I am very weak in. I do apologize for taking so long to get back to you. Thanks also for continuing to answer my follow up questions.
Some small office routers and switches will do vlans, but as yours is unmanaged (switch) then i doubt that it will.
You could use 4 separate switches and set vlans on the router, or more cost effectively why don't you buy a vlan capable managed switch, and set vlans and access control lists on there?