Solved

Isolate Network users in a shared Office Environment

Posted on 2013-05-29
Last Modified: 2013-06-05
I know this is a topic that's been discussed many times in various ways, but each and every case is so different that I couldn't find a solid answer...

I'm (re)networking an office where about 50-60 individual users share the internet. The users have no relation to each other (sort of like at an airport, except each user is wired). Currently the office is set up with unmanaged switches and an RV042G gateway/router (which does failover on the WAN). This setup is causing issues with reliability, bandwidth, security, malware, management, and overall legal reasons.

The goal is to isolate each user/switch-port from each other, while still allowing a single DHCP server to serve them all. Many of the users have laptops, so static IPs are not an option.

I'm thinking of installing switches such as Dlink DGS-1210 and giving each port an untagged VLAN. Then setting one port on each switch tagged and that port connects to the router.

However, I DON'T want to have to set up an individual subnet and DHCP range for each VLAN. Furthermore, I can't see anywhere that the DGS-1210s have an IP helper of any sort.

How can I make this work with a limited budget?
Question by:JohnnyIT
 
LVL 18

Expert Comment

by:Andrej Pirman
ID: 39206423
Maybe the cheapest solution would be to install WiFi cards into each PC and set up wireless LAN access for all. No wires.
It is just a checkbox, "Isolate users", in some robust wireless access point, like the Ruckus 7363 or better (you get it for 500 EUR and it covers 2-3 times more than other brands!)
http://www.ruckuswireless.com/products/zoneflex-indoor/7363

All other solutions add complexity or are pricey:
VLANs would need a subnet on DHCP for each port and trunk ports to the router. Cisco managed switches would do that, but your router would not support so many VLANs and so many DHCP subnets.
You could also virtualize a bunch of routers on one or two hosts filled with 4-port LAN adapters, but this is an exotic solution. I once set up such a solution for 4 subnets, just for fun. I installed one virtual Linux firewall (don't remember which one, Vyatta or Sonicwall... don't know), set it to get WAN via DHCP, set up one subnet 10.10.1.1, then copied it over 3 times, changed the LAN settings to 10.10.2.1, 10.10.3.1 and 10.10.4.1, linked each to a separate HW LAN adapter... and voila, I had 4 totally separated LAN connectors :)
 
LVL 2

Author Comment

by:JohnnyIT
ID: 39206701
You're correct that what I'm after is similar to "AP isolation", which many wireless routers/APs offer, even inexpensive consumer-grade ones for that matter. However, installing wireless cards in computers we don't own is not feasible because we don't own them, performance would be terrible, and we'd have to build out a robust set of APs in the large office.

Nonetheless, thank you for your suggestions.

I'm hoping someone knows whether or not the DGS-1210s or some other switches in that price range have some sort of IP helper or not. The DGS-1210s have an impressive spec sheet for the price, so that's what drew me to them. They have features that will help in our case like DHCP snooping/screening, but there's no mention of an IP helper or similar feature. I then also have the issue of passing only DHCP to all the ports.
 
LVL 20

Expert Comment

by:carlmd
ID: 39207135
Consider using a Sonicwall UTM device running Guest Services on the LAN. This will isolate all users and only permit internet access. You don't mention if there are any other local resources that need to be accessed, but if so they could be configured. The Sonicwall will also perform the DHCP function while handling all the security issues.
 
LVL 2

Author Comment

by:JohnnyIT
ID: 39207707
That makes sense, but how would the Sonicwall prevent the switches from passing or broadcasting traffic amongst each other? It seems to me that this is something that must be accomplished at the switch level.
 
LVL 20

Expert Comment

by:carlmd
ID: 39207743
One way would be to run each switch to a port on the Sonicwall (assigned a zone) and define the rules for what is and is not permitted between them. This would control traffic between users connected to different switches, but not the same one.

Also, since the Sonicwall would be the default gateway, I believe having a single LAN and setting Guest Services for it, would prevent a user from going back to another on the same LAN.
 
LVL 2

Author Comment

by:JohnnyIT
ID: 39208195
There are 50-60 users, none of which should see each other. If the switch doesn't isolate them somehow (VLAN or otherwise), then they will still be able to see each other. Your idea would work excellently for a small number of users, and I will keep that in mind, thanks.
 
LVL 20

Expert Comment

by:carlmd
ID: 39208258
Can you be more specific about what you mean by "see each other"?

How many switches are there?

Are all 50-60 users on the same LAN (no VLANs)?
 
LVL 2

Author Comment

by:JohnnyIT
ID: 39208266
It sounds like what I'm after is the "Protected Ports" feature as described here: https://supportforums.cisco.com/thread/161986

Any ideas the least expensive switch that supports that feature or equivalent?
 
LVL 2

Author Comment

by:JohnnyIT
ID: 39208330
Currently, there are five (5) 24-port switches (some users have multiple computers/ports). Currently no VLANs.

It really looks like "PVLANS" and/or the "Protected Ports" feature from either Cisco or HP is what I'm after.  Now I'm just trying to find the most cost-effective switch that does it.
 
LVL 18

Assisted Solution

by:Andrej Pirman
Andrej Pirman earned 350 total points
ID: 39210077
Well, sorry for my late reply.
D-Link's DES-1100-16, for example (and other D-Link Smart series switches), will let you do port isolation by setting each port to be a member only of itself and of a group with port 1, for example. So each port is on its own and also a member of the VLAN group with port 1.
Then connect port 1 to the router; if you have 4 switches, connect them to 4 of the router's LAN ports, and voila, off you go with members isolated.

Computers will be able to ping/access the router, but will not be able to ping/access each other.

Besides that, the router will be able to deliver DHCP to port 1 of all switches, so all computers will get IP settings from the router.
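The isolation described in the comment above holds within one switch: protected (isolated) ports never forward to each other. Whether it also holds between two switches depends entirely on what their uplinks plug into, because the rule is evaluated per device. The following is an added example, not part of the original thread and not vendor code: a constructed model of the forwarding rule (the same rule Cisco calls "protected ports", HP "port isolation" and D-Link "Traffic Segmentation") applied to three constructed topologies: uplinks into a router whose LAN ports form one unmanaged switch, uplinks into an aggregation switch that also protects them, and uplinks into separate routed interfaces. Device names, port numbers and hosts A, B and C are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple, Union

Link = Union[str, Tuple[str, int]]   # a host name, or (device name, port)


@dataclass
class Device:
    """A switch (bridges=True) or a routing engine (bridges=False).

    'protected' holds the ports configured as protected / isolated /
    traffic-segmented. The rule is the same across vendors: a frame that
    enters on a protected port is never sent out another protected port
    of the SAME device; any path through an unprotected port (the
    uplink) is allowed.
    """
    name: str
    bridges: bool = True
    protected: Set[int] = field(default_factory=set)
    links: Dict[int, Link] = field(default_factory=dict)

    def may_forward(self, ingress: int, egress: int) -> bool:
        if ingress == egress:
            return False
        return not (ingress in self.protected and egress in self.protected)


def reachable(devices: Dict[str, Device], hosts: Dict[str, Tuple[str, int]],
              src: str) -> Set[str]:
    """Flood one broadcast frame (think: ARP request) from host 'src' and
    return the hosts and routing engines that receive it. If B receives
    A's ARP request, A and B can exchange unicast traffic, so broadcast
    reachability is the right test for 'can these users see each other'."""
    received: Set[str] = set()
    seen: Set[Tuple[str, int]] = set()
    stack = [hosts[src]]
    while stack:
        dname, ingress = stack.pop()
        if (dname, ingress) in seen:
            continue
        seen.add((dname, ingress))
        dev = devices[dname]
        if not dev.bridges:            # routed hop: the frame ends here
            received.add(dname)
            continue
        for egress, link in dev.links.items():
            if not dev.may_forward(ingress, egress):
                continue
            if isinstance(link, str):
                if link != src:
                    received.add(link)
            else:
                stack.append(link)
    return received


def build(core: Device):
    """Constructed topology: two 24-port access switches, clients on
    ports 1-23 (protected), port 24 the unprotected uplink into 'core'."""
    sw1 = Device("sw1", protected=set(range(1, 24)),
                 links={1: "A", 2: "B", 24: (core.name, 1)})
    sw2 = Device("sw2", protected=set(range(1, 24)),
                 links={1: "C", 24: (core.name, 2)})
    devices = {d.name: d for d in (sw1, sw2, core)}
    hosts = {"A": ("sw1", 1), "B": ("sw1", 2), "C": ("sw2", 1)}
    return devices, hosts


def uplinks_into_bridged_lan_ports():
    """Each switch plugged into a LAN port of a gateway whose LAN ports
    form one unmanaged switch: that bridge passes sw1 <-> sw2 traffic."""
    core = Device("router-lan-ports",
                  links={1: ("sw1", 24), 2: ("sw2", 24), 3: "gateway"})
    return build(core)


def uplinks_into_protected_core():
    """Uplinks land on a managed aggregation switch that protects them
    too; only the port toward the gateway is unprotected. One subnet,
    one DHCP scope, and no switch-to-switch path."""
    core = Device("core", protected={1, 2},
                  links={1: ("sw1", 24), 2: ("sw2", 24), 3: "gateway"})
    return build(core)


def uplinks_into_routed_interfaces():
    """Each uplink is its own routed interface on the gateway: isolated
    at layer 2, but every interface is then its own subnet (and the
    gateway must not route between them)."""
    core = Device("gateway", bridges=False,
                  links={1: ("sw1", 24), 2: ("sw2", 24)})
    return build(core)


if __name__ == "__main__":
    for topo in (uplinks_into_bridged_lan_ports, uplinks_into_protected_core,
                 uplinks_into_routed_interfaces):
        devices, hosts = topo()
        print(f"{topo.__name__:32} A reaches {sorted(reachable(devices, hosts, 'A'))}")
```

In the first topology A reaches C on the other switch through the gateway's built-in switch while B, one port over, stays unreachable. The protected aggregation switch gives the result the thread is after while keeping a single subnet and a single DHCP scope. The routed variant isolates as well, but at the cost of a subnet per switch, which is exactly what the question wants to avoid.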
 
LVL 2

Author Comment

by:JohnnyIT
ID: 39210910
Thanks Labsy. Do you mean those switches have special settings for some type of "port isolation", or just that I could accomplish my goal with VLANs?
 
LVL 2

Accepted Solution

by:
JohnnyIT earned 0 total points
ID: 39211024
Your comment made me go look into Dlink again in case I had missed something, and sure enough... I did!!

Dlink has a feature they call "Traffic Segmentation".  I read about it here:  ftp://ftp.dlink.es/FAQs/TS_AV.pdf

It's essentially the same as "Protected Ports" in Cisco and HP ProCurve switches, except that it's offered on switches as cheap as the DES-1100. However, I also need some extra security features such as DHCP Screening (to prevent rogue DHCP servers), so the cheapest switch which offers Traffic Segmentation AND DHCP screening is the D-Link DGS-1210, which coincidentally was my hope.

Now why "Traffic Segmentation" isn't better documented, who knows.  A user could save thousands in switch cost, or hours of configuration with that simple feature.  Thanks Dlink!
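A configuration audit for the two properties the accepted answer settles on: every client port isolated, and DHCP replies accepted only from the uplink. This is an added example written for this page, not a D-Link or Cisco tool. It uses Cisco IOS syntax (`switchport protected`, `ip dhcp snooping trust`) because the post equates D-Link's Traffic Segmentation with Cisco's Protected Ports; D-Link's own configuration syntax is not shown in the thread. The sample configuration, its interface names and the choice of GigabitEthernet0/24 as the uplink are constructed for the illustration, with two deliberate mistakes planted for the audit to catch.

```python
from typing import Dict, List

# Constructed sample: one access switch, clients on Gi0/1-0/4, uplink to
# the gateway (which is also the DHCP server) on Gi0/24. Two deliberate
# mistakes: Gi0/2 is not protected, and Gi0/3 is a DHCP-trusted client port.
SAMPLE_CONFIG = """\
!
ip dhcp snooping
ip dhcp snooping vlan 1
!
interface GigabitEthernet0/1
 switchport mode access
 switchport protected
 spanning-tree portfast
!
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/3
 switchport mode access
 switchport protected
 ip dhcp snooping trust
!
interface GigabitEthernet0/4
 shutdown
!
interface GigabitEthernet0/24
 description uplink to gateway/DHCP server
 switchport mode access
 ip dhcp snooping trust
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface X' block to its sub-commands. Sub-commands are
    the indented lines; '!' or any other unindented line closes the block
    (the IOS running-config layout)."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
        else:
            current = None
    return interfaces


def audit(config: str, uplink: str) -> List[str]:
    """Return findings; an empty list means the switch enforces both
    'clients reach only the gateway' and 'DHCP replies only from uplink'."""
    findings: List[str] = []
    global_cmds = {l.strip() for l in config.splitlines() if not l.startswith(" ")}
    if "ip dhcp snooping" not in global_cmds:
        findings.append("global: ip dhcp snooping is not enabled")
    if not any(c.startswith("ip dhcp snooping vlan") for c in global_cmds):
        findings.append("global: ip dhcp snooping is not applied to any VLAN")

    for name, sub in parse_interfaces(config).items():
        cmds = set(sub)
        if name == uplink:
            # The uplink must be the one unprotected port, and the only
            # port allowed to inject DHCP OFFER/ACK packets.
            if "switchport protected" in cmds:
                findings.append(f"{name}: uplink is protected, so no client can reach the gateway")
            if "ip dhcp snooping trust" not in cmds:
                findings.append(f"{name}: uplink is not DHCP-trusted, so real DHCP replies are dropped")
            continue
        if "shutdown" in cmds:
            continue  # unused port: nothing to reach or be reached
        if "switchport protected" not in cmds:
            findings.append(f"{name}: client port is not protected and can talk to other client ports")
        if "ip dhcp snooping trust" in cmds:
            findings.append(f"{name}: client port is DHCP-trusted, so a rogue DHCP server there is accepted")
        if "switchport mode access" not in cmds:
            findings.append(f"{name}: client port is not pinned to access mode (DTP could negotiate a trunk)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, "GigabitEthernet0/24") or ["no findings"]:
        print(finding)
```

Run against the sample it reports exactly the two planted mistakes. Point it at the wrong uplink (say Gi0/3) and it also flags the real uplink as an unprotected, DHCP-trusted client port, which is the failure that would let a rogue DHCP server on any desk hand out leases to the whole floor.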
 
LVL 18

Expert Comment

by:Andrej Pirman
ID: 39211835
Excellent discovery!
I admit I also learned a bit about that feature, which might help me in the future.
 
LVL 2

Author Closing Comment

by:JohnnyIT
ID: 39221487
Labsy was helpful in making me explore Dlink a little further, but in the end I found the exact feature I was looking for by researching.