Solved

Subnet Routing

Posted on 2014-02-21
281 Views
Last Modified: 2014-03-01

Hello,

I have a network with 8 wired subnets. Each subnet must have access to the ISP router. How do I set up the routers to achieve this?
Question by: keyboard53

13 Comments
 
Expert Comment by Miftaul (LVL 11)

Add all the subnets in the Source List ACL, and NAT at the edge router.

All subnets can reach the ISP gateway.

Do you want the ISP router to see all your subnets?
Expert Comment by Kwoof (LVL 5)

If you don't have access to change info on the ISP router, then put a router in place between the ISP router and your switch to the subnets. Most business routers have the ability to add multiple LAN addresses. Set one address for each of the subnets and set those as the gateway on the subnet computers.
Author Comment by keyboard53

Subnet routing is new to me, so I'm still a bit confused. If I have 8 subnets, do I need 8 routers? Regarding the subnets, I'm trying to isolate them from one another, but I still want to give all subnets access to the Internet. Do the subnets need to see the ISP router in this case?
Expert Comment by Miftaul (LVL 11)

No, you don't need separate routers for each subnet. You only need subinterfaces configured on the router interface connecting to the switch.

Create an ACL with all those subnets and configure a NAT rule using that ACL.

To isolate the subnets from each other, you can create other ACLs and apply them to the subinterfaces.
Author Comment by keyboard53

So if each subnet has its own switch, do I connect the switches together, and then have the edge router connected to the switch in the wiring closet with the dmarc?
Expert Comment by Miftaul (LVL 11)

Each subnet can be on its own switch, or multiple subnets can share a single switch using VLANs.

The smartest way is to make VLANs within the switch and assign different switch ports to different VLANs. Then configure the port connecting to the router as a trunk.

On the router port connecting to the switch, create subinterfaces for each VLAN. This subinterface IP is the default gateway address for clients in the different VLANs.

Connect another port of the router towards the ISP router.

Please tell us what equipment you are using so I can give you more specific configurations.
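Miftaul's design above (VLANs on the switch, a trunk to the router, one subinterface per VLAN as that subnet's gateway, ACLs to isolate the subnets, and NAT toward the ISP) written out as Cisco IOS configuration. This is an added example for this thread, not configuration from either expert or from the asker's network: the VLAN numbers, the 10.0.x.0/24 department subnets, the 203.0.113.0/30 ISP link, the interface names and the ACL names are all assumed, and only two of the eight departments are shown; the remaining six follow the same pattern.

```cisco
! ---- Switch: one VLAN per department, access ports for hosts, one trunk to the router ----
vlan 10
 name DEPT-A
vlan 20
 name DEPT-B
!
interface range GigabitEthernet0/2 - 12
 switchport mode access
 switchport access vlan 10
!
interface range GigabitEthernet0/13 - 24
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet0/1
 description Trunk to edge router
 ! the encapsulation line is required on platforms that also support ISL; omit it where it is rejected
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! ---- Router ("router on a stick"): one subinterface per VLAN is that subnet's default gateway ----
interface GigabitEthernet0/0
 description Trunk to switch
 no ip address
 no shutdown
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.0.10.1 255.255.255.0
 ip access-group DEPT-A-IN in
 ip nat inside
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 10.0.20.1 255.255.255.0
 ip access-group DEPT-B-IN in
 ip nat inside
!
interface GigabitEthernet0/1
 description To ISP router (assumed /30 link)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! ---- Isolation: a subnet may reach its own gateway and the Internet, but no other internal subnet.
! The summary deny assumes all eight department subnets live inside 10.0.0.0/16.
! The source is pinned to the subnet's own range, so a host cannot use another department's addresses.
ip access-list extended DEPT-A-IN
 permit udp any eq bootpc any eq bootps
 permit ip 10.0.10.0 0.0.0.255 host 10.0.10.1
 deny   ip 10.0.10.0 0.0.0.255 10.0.0.0 0.0.255.255 log
 permit ip 10.0.10.0 0.0.0.255 any
 deny   ip any any log
!
ip access-list extended DEPT-B-IN
 permit udp any eq bootpc any eq bootps
 permit ip 10.0.20.0 0.0.0.255 host 10.0.20.1
 deny   ip 10.0.20.0 0.0.0.255 10.0.0.0 0.0.255.255 log
 permit ip 10.0.20.0 0.0.0.255 any
 deny   ip any any log
!
! ---- NAT: every department subnet hides behind the ISP-facing address, so the ISP sees one address ----
ip access-list standard NAT-INSIDE
 permit 10.0.0.0 0.0.255.255
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/1 overload
```

The order of entries in each ACL matters: the subnet's own gateway is permitted before the summary deny, the summary deny drops traffic to any other department, and the final permit carries everything else to the Internet. The `log` keyword makes blocked cross-department attempts visible in the router's syslog, which is the first place to look when a department reports it cannot reach something it was never meant to reach. Traffic between two hosts in the same VLAN never passes the router, so nothing in the ACL affects it.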

Author Comment by keyboard53

I have several departments whose network access must be kept separate from each other for security reasons, but each department needs Internet access. There are over 200 hosts, i.e. workstations and printers, within the 8 subnets. It seems to me that in order to do what you suggest, I would need a centrally located switch pool, i.e. multiple switches connected together to get the required number of host network connections. Also, what do you mean by "Connect another port of the router towards the ISP router"? Which router? I thought routers had only two ports, one facing the subnet and the other connecting to another subnet.
Assisted Solution by Miftaul (LVL 11), earned 125 total points

Your network might look something like the diagram below. [diagram]

We can then use ACLs or VLAN access-maps to isolate them from each other.

If your switches support PrivateVLAN, that could also be a smarter possibility.
Accepted Solution by Kwoof (LVL 5), earned 125 total points

Some routers also have a switch built in as well. Are your computers on static IPs, or do they use DHCP? There are many ways you could set up this network with simple switches and routers, or, with more expensive switches, you can set up VLANs.

You could set up a "tree" where each department has its own network where they connect to a department switch that goes to a router that is connected to the ISP router (through a switch connected to the ISP router as needed to support 8 connections). This would allow each department router to handle its own DHCP and keep complete isolation.

Or if there is some need for potential sharing of some resources, a main router can be set up connected to the ISP router for the Internet and connected to switch(es) to connect to all the other computers. This main router would be configured to have multiple LAN addresses to allow access from each of the subnets. Then you need to make sure the workstations are configured as static IPs to make sure they are on their own subnet, or use DHCP scopes and lease reservations to make sure they are assigned an IP address on the correct subnet.

Make sure to document the network architecture and establish procedures for your IT staff to make sure computer/equipment additions and removals are handled properly.

Will they be accessing any common resources like an Exchange server, SQL server, etc.? Make sure to configure a zone for those resources.
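Kwoof's "main router with multiple LAN addresses" approach, and the DHCP scopes and lease reservations it relies on, as Cisco IOS configuration on that main router. This is an added example, not from Kwoof or the asker: the pool names, the 10.0.x.0/24 subnets, the DNS server address and the printer's MAC address are constructed placeholders, and the router is assumed to already have a gateway interface (or subinterface) in each of these subnets; only two of the eight scopes are shown.

```cisco
! Addresses used by the gateways, servers and reserved equipment must never be handed out dynamically
ip dhcp excluded-address 10.0.10.1 10.0.10.30
ip dhcp excluded-address 10.0.20.1 10.0.20.30
!
! One scope per department subnet. A request is served from the scope whose network matches
! the gateway interface it arrived on, so a host on a DEPT-A port can only obtain a DEPT-A address.
ip dhcp pool DEPT-A
 network 10.0.10.0 255.255.255.0
 default-router 10.0.10.1
 dns-server 10.0.100.53
 lease 1
!
ip dhcp pool DEPT-B
 network 10.0.20.0 255.255.255.0
 default-router 10.0.20.1
 dns-server 10.0.100.53
 lease 1
!
! Lease reservation: a printer that must always receive the same address.
! IOS expresses a reservation as a one-host pool keyed on the client's hardware address
! (constructed, locally administered MAC below). Manual bindings are not affected by the
! excluded-address ranges, so the reserved address can sit inside them.
ip dhcp pool PRINTER-DEPT-A-01
 host 10.0.10.21 255.255.255.0
 hardware-address 0200.0000.0001
 default-router 10.0.10.1
 dns-server 10.0.100.53
```

Keeping printers and other fixed equipment on reservations rather than on addresses typed into each device keeps the subnet-to-host mapping documented in one place, which is what the advice about procedures for additions and removals comes down to in practice. `show ip dhcp binding` lists every active lease and reservation per subnet, a quick way to spot a device that ended up on the wrong department port.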
Author Comment by keyboard53

I'm beginning to see what is possible.  The last suggestions and diagrams were very helpful.
 
However, could I have "department" switches (instead of hubs) connected to a "sub-root" switch on the first floor and other "department" switches connected to a "sub-root" switch on the second floor, with these "sub-root" switches connected to a backbone (main root) switch that is connected to a router for Internet access? If that would work, how would I set up the VLANs such that computers on different floors would be part of the same VLAN?

Finally, would subnets need to be involved in this scenario?
Author Comment by keyboard53

It's been some time since I've received a response to my last questions so I'm assuming they have already been answered.  If this is so, please respond and I will distribute the points.
Assisted Solution by Miftaul (LVL 11), earned 125 total points

You connect each department's switches together on each floor. Connect one of the switches from the floor to the central switch. It would be better if you connect multiple cables bundled together to the core switch; that way you get aggregated bandwidth and also redundancy. The core can then connect to the Internet-facing router.

Create different VLANs for different departments. You need to create the VLANs on all the switches. And on the trunk link between the switches, you can manually define that to allow your created VLANs. This way all the switches are aware of the presence of the VLANs. Now you need to configure each port connecting to the hosts to their respective VLANs. No matter where a host is connected, as long as they are in the same VLAN, the communication is allowed.

A VLAN typically contains a single subnet. So for each VLAN, you need to have different subnets. If you need inter-VLAN communication, you can configure that on the core switch.
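The multi-switch layout Miftaul describes (the same VLANs defined on every switch, trunks between switches restricted to those VLANs, several cables bundled into one uplink to the core, and inter-VLAN routing on the core), as Cisco IOS configuration for one floor switch and the core switch. This is an added example and not the experts' configuration: the VLAN numbers, subnets, interface numbers and the port-channel number are assumed, and the core is assumed to be a Layer 3 switch.

```cisco
! ---- Floor switch (one of several): the department VLANs exist on every switch ----
vlan 10
 name DEPT-A
vlan 20
 name DEPT-B
!
! Host port: a VLAN 10 host on the second floor is in the same broadcast domain as VLAN 10 on the first
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
! Two cables to the core bundled into one logical link (LACP): aggregated bandwidth and redundancy.
! The trunk is limited to the VLANs that actually need to cross it.
interface range GigabitEthernet1/0/23 - 24
 description Uplink to core
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 channel-group 1 mode active
!
interface Port-channel1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! ---- Core switch: same VLANs, the matching end of the bundle, and an SVI per VLAN ----
ip routing
!
vlan 10
 name DEPT-A
vlan 20
 name DEPT-B
!
interface range GigabitEthernet1/0/1 - 2
 description Bundle to first-floor switch
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 channel-group 1 mode active
!
interface Port-channel1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! Each SVI is the default gateway for its VLAN; with ip routing enabled the core forwards between them
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
!
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
!
! Routed uplink toward the Internet-facing router (assumed 10.0.0.0/30 link).
! That router needs a route for 10.0.0.0/16 back to 10.0.0.2.
interface GigabitEthernet1/0/48
 no switchport
 ip address 10.0.0.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1
```

In this design the core, not the edge router, is where department isolation is enforced: once `ip routing` is on, the core forwards freely between VLAN 10 and VLAN 20 unless an access-list is applied inbound on each SVI, built the same way as on a router subinterface (permit the subnet's own gateway, deny the other internal subnets, permit the rest). `show etherchannel summary` on both ends confirms the bundle came up, and `show interfaces trunk` shows which VLANs each trunk is actually carrying.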
Assisted Solution by Kwoof (LVL 5), earned 125 total points

Yes, you can hook up the switches as you suggest. I almost always have a main switch on each floor, then connect those floor switches to the main switch in the IT room. It simplifies the cabling. You would still establish a subnet for each department if you want to keep them logically separated.