Solved

Subnet Routing

Posted on 2014-02-21
Last Modified: 2014-03-01
Hello,

I have a network with 8 wired subnets. Each subnet must have access to the ISP router. How do I set up the routers to achieve this?
0
Comment
Question by:keyboard53
13 Comments
 
LVL 11

Expert Comment

by:Miftaul
ID: 39878554
Add all the subnets in the Source List ACL, and NAT at the edge router.

All subnets can reach the ISP gateway.

Do you want the ISP router to see all your subnets?
0
 
LVL 5

Expert Comment

by:Kwoof
ID: 39878580
If you don't have access to change info on the ISP router, then put a router in place between the ISP router and your switch to the subnets.  Most business routers have the ability to add multiple lan addresses.  Set one address for each of the subnets and set those as the gateway on the subnet computers.
0
 

Author Comment

by:keyboard53
ID: 39878771
Subnet routing is new to me so I'm still a bit confused.  If I have 8 subnets, do I need 8 routers?  Regarding the subnets, I'm trying to isolate them from one another, but I still want to give all subnets access to the Internet.  Do the subnets need to see the ISP router in this case?
0

 
LVL 11

Expert Comment

by:Miftaul
ID: 39878780
No, you don't need separate routers for each subnet. You only need subinterfaces configured on the router's interface connecting to the switch.

Create an acl with all those subnets and configure nat rule using that acl.

To isolate the subnets from each other, you can create other acls and apply them to the subinterfaces.
0
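The per-subinterface isolation ACLs described in the comment above, modelled in Python as an added example (not code from this thread or from any vendor): it builds one inbound rule list per VLAN and audits that every department reaches the Internet but no other department. The 10.20.0.0/16 addressing plan, the VLAN IDs and the function names are assumptions made for the illustration.

```python
import ipaddress

# Constructed addressing plan (assumption): eight department /24s carved
# from 10.20.0.0/16, one VLAN per subnet, gateway = first host address.
SUPERNET = ipaddress.ip_network("10.20.0.0/16")
VLAN_IDS = [10, 20, 30, 40, 50, 60, 70, 80]

def build_plan():
    """Map each VLAN ID to its subnet and router subinterface address."""
    subnets = list(SUPERNET.subnets(new_prefix=24))[1:len(VLAN_IDS) + 1]
    return {vid: {"subnet": net, "gateway": net[1]}
            for vid, net in zip(VLAN_IDS, subnets)}

def build_inbound_acl(vid, plan):
    """Ordered rules for traffic entering the router from one VLAN."""
    own = plan[vid]["subnet"]
    rules = [("deny", own, p["subnet"]) for v, p in plan.items() if v != vid]
    # Permit only this VLAN's own addresses as source, so packets with a
    # source outside the subnet fall through to the implicit deny.
    rules.append(("permit", own, ipaddress.ip_network("0.0.0.0/0")))
    return rules

def evaluate(acl, src, dst):
    """First matching rule wins; no match means deny, as on a router ACL."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action
    return "deny"

def audit(plan, internet_ip="198.51.100.7"):
    """Return a list of policy violations; empty means the plan holds."""
    problems = []
    for vid, entry in plan.items():
        acl = build_inbound_acl(vid, plan)
        host = str(entry["subnet"][10])  # constructed sample workstation
        if evaluate(acl, host, internet_ip) != "permit":
            problems.append(f"VLAN {vid} cannot reach the Internet")
        for other, o in plan.items():
            if other != vid and evaluate(acl, host, str(o["gateway"])) != "deny":
                problems.append(f"VLAN {vid} can reach VLAN {other}")
    return problems

if __name__ == "__main__":
    print(audit(build_plan()) or "isolation holds for all 8 VLANs")
```

Because the deny rules precede the permit, rule order matters: moving the permit to the top would open every department to every other, and the audit would list each pair.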
 

Author Comment

by:keyboard53
ID: 39878785
So if each subnet has its own switch, do I connect the switches together, and then have the edge router connected to the switch in the wiring closet with the dmarc?
0
 
LVL 11

Expert Comment

by:Miftaul
ID: 39878793
Each subnet can be in a single switch, or multiple subnets can be in a single switch using vlans.

The smartest way is to make vlans within switch and assign different switchports to different vlans. Then create the port connecting to the router as trunk.

On the router port connecting to the switch, create a subinterface for each VLAN. This subinterface IP is the default gateway address for clients in the different VLANs.

Connect another port of the router towards isp router.

Please tell us what equipment you are using so we can give you more specific configurations.
0
 

Author Comment

by:keyboard53
ID: 39879149
I have several departments whose network access must be kept separate from each other for security reasons but each department needs Internet access.  There are over 200 hosts, i.e. workstations and printers within the 8 subnets.  It seems to me that in order to do what you suggest, I would need a centrally located switch pool, i.e. multiple switches connected together to get the required number of host network connections.  Also, what do you mean by "Connect another port of the router towards isp router." ?  Which router?  I thought routers had only two ports, one facing the subnet and the other connecting to another subnet.
0
 
LVL 11

Assisted Solution

by:Miftaul
Miftaul earned 125 total points
ID: 39879202
Your network might look something like below

[Diagram]

We can then use ACLs or VLAN access-maps to isolate them from each other.

If your switches support PrivateVLAN, that could also be a smarter possibility.
0
 
LVL 5

Accepted Solution

by:
Kwoof earned 125 total points
ID: 39879704
Some routers also have a switch built in as well.  Are your computers on static IPs, or do they use DHCP?  There are many ways you could set up this network with simple switches and routers, or with more expensive switches, you can set up VLANs.

You could set up a "tree" where each department has its own network where they connect to a department switch that goes to a router that is connected to the ISP router (through a switch connected to the ISP router as needed to support 8 connections).  This would allow each department router to handle its own DHCP and keep complete isolation.

Or if there is some need for potential sharing of some resources, a main router can be set up connected to the ISP router for the Internet and connected to switch(es) to connect to all the other computers.  This main router would be configured to have multiple LAN addresses to allow access from each of the subnets.  Then you need to make sure the workstations are configured as static IPs to make sure they are on their own subnet, or use DHCP scopes and lease reservations to make sure they are assigned an IP address on the correct subnet.

Make sure to document the network architecture and establish procedures for your IT staff to make sure computer/equipment additions and removals are handled properly.

Will they be accessing any common resources like an Exchange server, SQL server, etc.?  Make sure to configure a zone for those resources.
0
 

Author Comment

by:keyboard53
ID: 39884482
I'm beginning to see what is possible.  The last suggestions and diagrams were very helpful.
 
However, could I have "department" switches (instead of hubs)  connected to a "sub-root" switch on the first floor and other "department" switches connected to a "sub-root" switch on the second floor, with these "sub-root" switches connected to a backbone (main root) switch that is connected to a router for Internet access?   If that would work,  how would I set up the VLANs such that computers on different floors would be part of the same VLAN?  

Finally, would subnets need to be involved in this scenario?
0
 

Author Comment

by:keyboard53
ID: 39885575
It's been some time since I've received a response to my last questions so I'm assuming they have already been answered.  If this is so, please respond and I will distribute the points.
0
 
LVL 11

Assisted Solution

by:Miftaul
Miftaul earned 125 total points
ID: 39885614
You connect each department's switches together on each floor. Connect one of the switches from the floor to the central switch. It would be better if you connect multiple cables bundled together to the core switch; that way you get aggregated bandwidth and also redundancy. The core can then connect to the Internet-facing router.

Create different vlans for different vlans. You need to create the vlans on all the switches. And on the trunk link between the switches, you can manually define that to allow your created vlans. This way all the switches are aware of the presence of the VLANs. Now you need to configure each port connecting to the hosts to their respective vlans. No matter where a host is connected, as long as they are in the same vlan, the communication is allowed.

A vlan typically contains a single subnet. So for each vlan, you need to have different subnets.  If you need intervlan communication, you can configure that on the core switch.
0
 
LVL 5

Assisted Solution

by:Kwoof
Kwoof earned 125 total points
ID: 39888165
Yes, you can hook up the switches as you suggest.  I almost always have a main switch on each floor, then connect those floor switches to the main switch in the IT room.  It simplifies the cabling.  You would still establish a subnet for each department if you want to keep them logically separated.
0
