JohnnyIT (Canada) asked:
Isolate Network users in a shared Office Environment

I know this is a topic that's been discussed many times in various ways, but each and every case is so different that I couldn't find a solid answer...

I'm (re)networking an office where about 50-60 individual users share the internet. The users have no relation to each other (sort of like at an airport, except each user is wired). Currently the office is set up with unmanaged switches and an RV042G gateway/router (which does failover on the WAN). This setup is causing issues with reliability, bandwidth, security, malware, management, and overall legal reasons.

The goal is to isolate each user/switch port from each other, while still allowing a single DHCP server to serve them all. Many of the users have laptops, so static IPs are not an option.

I'm thinking of installing switches such as the D-Link DGS-1210 and giving each port an untagged VLAN, then setting one port on each switch as tagged, with that port connecting to the router.

However, I DON'T want to have to set up an individual subnet and DHCP range for each VLAN. Furthermore, I can't see anywhere that the DGS-1210s have an IP helper of any sort.

How can I make this work with a limited budget?
Andrej Pirman (Slovenia):

Maybe the cheapest solution would be to install WiFi cards into each PC and set up wireless LAN access for all. No wires.
It is just a checkbox "Isolate users" in some robust wireless access point, like the Ruckus 7363 or better (you get it for 500 EUR and it covers 2-3 times more than other brands!)
http://www.ruckuswireless.com/products/zoneflex-indoor/7363

All other solutions add complexity or are pricey:
VLANs would need a subnet on DHCP for each port and trunk ports to the router. Cisco managed switches would do that, but your router would not support so many VLANs and so many DHCP subnets.
You could also virtualize a bunch of routers on one or two hosts, filled with 4-port LAN adapters, but this is an exotic solution. I once set up such a solution for 4 subnets, just for fun. Installed one virtual Linux firewall (don't remember which one, Vyatta or Sonicwall... don't know), set it to get WAN via DHCP, set up one subnet 10.10.1.1, then I copied it over 3 times, changed LAN settings to 10.10.2.1, 10.10.3.1 and 10.10.4.1, linked each to a separate HW LAN adapter... and voila, I had 4 totally separated LAN connectors :)
JohnnyIT (asker):

You're correct that what I'm after is similar to "AP isolation", which many wireless routers/APs offer, even inexpensive consumer-grade ones for that matter. However, installing wireless cards in computers we don't own is not feasible because we don't own them, performance would be terrible, and we'd have to build out a robust set of APs in the large office.

Nonetheless, thank you for your suggestions.

I'm hoping someone knows whether or not the DGS-1210s or some other switches in that price range have some sort of IP helper. The DGS-1210s have an impressive spec sheet for the price, so that's what drew me to them. They have features that will help in our case, like DHCP snooping/screening, but there's no mention of an IP helper or similar feature. I then also have the issue of passing only DHCP to all the ports.
Carl Dula:
Consider using a Sonicwall UTM device running Guest Services on the LAN. This will isolate all users and only permit internet access. You don't mention if there are any other local resources that need to be accessed, but if so they could be configured. The Sonicwall will also perform the DHCP function while handling all the security issues.
That makes sense, but how would the Sonicwall prevent the switches from passing or broadcasting traffic amongst each other? It seems to me that this is something that must be accomplished at the switch level.
One way would be to run each switch to a port on the Sonicwall (assigned a zone) and define the rules for what is and is not permitted between them. This would control traffic between users connected to different switches, but not the same one.

Also, since the Sonicwall would be the default gateway, I believe having a single LAN and setting Guest Services for it, would prevent a user from going back to another on the same LAN.
There are 50-60 users, none of which should see each other. If the switch doesn't isolate them somehow (VLAN or otherwise) then they will still be able to see each other. Your idea would work excellently for a small number of users, and I will keep that in mind, thanks.
Can you be more specific about what you mean by "see each other"?

How many switches are there?

Are all 50-60 users on the same LAN (no VLANs)?
It sounds like what I'm after is the "Protected Ports" feature as described here: https://supportforums.cisco.com/thread/161986

Any ideas on the least expensive switch that supports that feature or an equivalent?
Currently, there are five (5) 24-port switches (some users have multiple computers/ports). Currently no VLANs.

It really looks like "PVLANs" and/or the "Protected Ports" feature from either Cisco or HP is what I'm after. Now I'm just trying to find the most cost-effective switch that does it.
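For readers who land on this thread with the same question, here is an added configuration example (not from the thread or from any of the participants) showing what "Protected Ports" looks like on a Cisco IOS Catalyst access switch, with the plain per-port VLAN setup the asker started from beside it. The switch model, interface numbers, VLAN 10 and the uplink port are assumptions; the commands `switchport protected`, `ip dhcp snooping` and `ip dhcp snooping trust` are standard IOS commands. The point it illustrates is the one the asker is after: one VLAN, one DHCP scope, and no host-to-host traffic on the same switch.

```text
! --- Starting point (weak): plain access ports in one VLAN ---
! Every host shares one broadcast domain and can reach every other host
! directly through the switch; nothing stops ARP, SMB, malware spread, etc.
interface range GigabitEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
!
! --- Corrected: same VLAN, but the user ports are protected ---
! A protected port never forwards unicast, multicast or broadcast frames to
! another protected port on the same switch. Frames only go to unprotected
! ports, i.e. the uplink. DHCP discover/offer still works because the DHCP
! server sits behind the (unprotected) uplink, so a single scope serves all.
interface range GigabitEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport protected
 spanning-tree portfast
!
! Uplink toward the RV042G (assumed port). Deliberately NOT protected,
! otherwise the user ports would have nowhere to send traffic.
interface GigabitEthernet0/25
 description Uplink to RV042G
 switchport mode access
 switchport access vlan 10
!
! --- DHCP snooping: only the uplink may answer DHCP ---
! Blocks a user plugging in a rogue DHCP server (a common way to hijack the
! default gateway of everyone else in the broadcast domain).
ip dhcp snooping
ip dhcp snooping vlan 10
interface GigabitEthernet0/25
 ip dhcp snooping trust
```

Two caveats worth checking before buying. First, protected ports are a per-switch feature: two hosts on the same switch cannot talk, but a host on switch A can still reach a host on switch B through the uplinks and the router's LAN side, because they remain in one subnet. With five switches, that gap needs either the same isolation on the aggregation layer (a switch that supports isolated private VLANs, so the uplinks from the five access switches become isolated ports) or a per-switch VLAN with filtering on the router. Second, after configuring it, verify from two ports on the same switch that they can each reach the gateway and obtain a lease but cannot ping each other; that quick check catches the usual mistake of accidentally protecting the uplink or leaving one range of ports unprotected.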
SOLUTION
Andrej Pirman (Slovenia):
This solution is only available to members.
Thanks Labsy. Do you mean those switches have special settings for some type of "port isolation", or just that I could accomplish my goal with VLANs?
ASKER CERTIFIED SOLUTION
This solution is only available to members.
Excellent discovery!
I admit I also learned a bit about that feature, which might help me in the future.
Labsy was helpful in making me explore D-Link a little further, but in the end I found the exact feature I was looking for by researching.