Solved

VLAN configuration for separate networks sharing a network printer

Posted on 2013-05-14
Last Modified: 2013-11-14
Hi,

I have a Netgear FS726T, a Linksys E1200, Linksys E1500 and Linksys 5 port 10/100 switch.  Now, first off, don't blame me for the hardware I'm working with.  I was just thrown into this project.  

I have eight Windows 7 workstations that need to be in their own VLAN.  Another two Windows 7 workstations that need to be separate from the other eight.  The eight can't see the two and the two can't see the eight.  But all ten Windows 7 workstations need to be able to see the Ricoh network printer.  Currently, the Ricoh is plugged into the Linksys 5 port 10/100 switch.  This switch is also connected to a LAN port on both the E1200 (192.168.1.x) and the E1500 (192.168.0.x). I see what the last guy was trying to do but the networks bleed together and both the networks can see each other.  

My first question is, do I have the right hardware for what I want to accomplish?

Second, if I do have the right hardware and am able to set it up with VLAN on the Netgear switch, how do I configure the VLAN for 3 VLANs, groupA, groupB and printer?  Allow groupA and groupB to see the printer group but not be able to see each other.

Thanks!
Question by:kendalltech
6 Comments
 
LVL 18

Expert Comment

by:Akinsd
ID: 39166805
There are a few options I can think of.
1. Create a static route from both networks to point to the IP of the printer.
Create an access list to only allow the network 192.168.0.x access to the network 192.168.1.x if the destination is 192.168.1.30 (assuming the printer's IP is 192.168.1.30).

2. The ideal way is to create a separate VLAN for the printer and create an access list to allow traffic from all other VLANs.

You definitely do not have the right gear for this. You need an enterprise level switch and router or layer 3 switch by itself to make the most out of this.
0
 
LVL 2

Author Comment

by:kendalltech
ID: 39166831
Thanks Akinsd for your reply and advice.  I was afraid that my equipment wasn't up to the level needed.  I tried several configurations with the Netgear and all the VLAN does is label and group the ports.  There's no other functionality.  Is there anything other than Cisco that you might recommend for this?  Thanks!
0
 
LVL 10

Expert Comment

by:172pilotSteve
ID: 39168061
*IF* your switch can put two VLANs on one port (without tagging), you should be able to do this..  If that's the case, and you don't have a router, then all the machines need to be on the same subnet..  Make them all 192.168.0.x or 192.168.1.x, but don't mix the two..  We're not going to use IP subnets in this case, we're going to use the VLANs.  Think of the VLANs as separate switches..  Put "group 1" machines into ports connected to one VLAN, and put "group 2" machines into ports configured on a different VLAN.  Put the printer(s) into ports that have both VLANs configured on them.  That way, the printers can accept packets from either VLAN.
0
 
LVL 18

Assisted Solution

by:Akinsd
Akinsd earned 250 total points
ID: 39170064
I work exclusively on Cisco gear and can only recommend Cisco unfortunately. You may be able to find used switches on eBay at low cost.

There is another VLAN concept called private VLANs, I think that might be what 172pilotSteve is referring to except that you cannot configure 2 data VLANs on 1 port (combination is data, voice or video). It requires some deeper understanding and your current switch definitely doesn't support it like you have described.

There are 3 categories of ports you can assign in a private VLAN.

Promiscuous, Community and Isolated.
PVLANs provide layer 2 isolation between ports within the same broadcast domain. There are three types of PVLAN ports:

    Promiscuous— A promiscuous port can communicate with all interfaces, including the isolated and community ports within a PVLAN.
    Isolated— An isolated port has complete Layer 2 separation from the other ports within the same PVLAN, but not from the promiscuous ports. PVLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic from an isolated port is forwarded only to promiscuous ports.
    Community— Community ports communicate among themselves and with their promiscuous ports. These interfaces are separated at Layer 2 from all other interfaces in other communities or isolated ports within their PVLAN.

With this, you would put the printer in the promiscuous ports, you can then use community or isolated as desired.

I chipped this in just to clear up some things but I know this is not an option for you anyways
0
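
The port roles described in the answer above, modelled as an added example (not part of the original thread): it checks a port plan against the question's requirement that both groups reach the printer but not each other. Port names and community labels are hypothetical.

```python
from itertools import combinations

# Constructed port plan for the thread's scenario: eight group A PCs, two
# group B PCs and one printer. Port names and community labels are hypothetical.
def build_plan(printer_role="promiscuous"):
    plan = {f"A{i}": ("community", "groupA") for i in range(1, 9)}
    plan.update({f"B{i}": ("community", "groupB") for i in range(1, 3)})
    plan["printer"] = (printer_role, None)
    return plan

def can_talk(p, q):
    """Layer 2 reachability between two ports of one PVLAN, per the three port types."""
    (rp, cp), (rq, cq) = p, q
    if "promiscuous" in (rp, rq):
        return True                      # promiscuous talks to every port
    if rp == rq == "community":
        return cp == cq                  # same community only
    return False                         # isolated reaches promiscuous ports only

def violations(plan):
    """Return the port pairs that break the requirement stated in the question."""
    bad = []
    for a, b in combinations(sorted(plan), 2):
        allowed = can_talk(plan[a], plan[b])
        if "printer" in (a, b):
            if not allowed:
                bad.append((a, b, "workstation cannot reach printer"))
        elif a[0] != b[0] and allowed:
            bad.append((a, b, "groups can see each other"))
    return bad

if __name__ == "__main__":
    print(violations(build_plan()))                  # printer on a promiscuous port
    print(len(violations(build_plan("isolated"))))   # printer misplaced on an isolated port
```

Running the check on a plan before touching the switch catches a misassigned port, such as a printer left on an isolated or community port, which would cut it off from one or both groups.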
 
LVL 10

Accepted Solution

by:
172pilotSteve earned 250 total points
ID: 39170117
Yes..  That's the current Cisco version of what I'm talking about...  When I did it, it was about 1996 on some old switches that actually let you just pick which VLANs would be on which ports, and we did EXACTLY what he's talking about... 2 groups of users who shared one printer.  In our case it was because one group of users wasn't allowed to get on the Internet, so this was how we solved it.  It's been so long, I can't remember what brand of switch it was..  I'm quite sure they're out of business or bought by Extreme or something..

The only other way I can think to do it would be to put a typical home class NAT router in between the printer and the two groups of routers...  One router would have group one on the LAN side, and another identical router would have group 2 on the LAN side, and then on the WAN side of both routers would be the subnet with the printer.  That would effectively isolate the two groups, but I don't know if it would break something else that might be in the network.  If the printer is it, then that might work, an old Linksys WRT-54G or even the router version without the wireless would be fine, and they're cheap on eBay if you don't have one sitting around.

If that doesn't make sense, let me know, and I'll try to whip up a quick drawing, but also let me know if the Internet is involved in any way, and if so, should either or both groups be allowed or restricted from the Internet..??
0
 
LVL 2

Author Closing Comment

by:kendalltech
ID: 39650248
Thanks!
0
