Solved

Setting up a multi segment network in office

Posted on 2014-03-31
437 Views
Last Modified: 2014-07-22
In our office we are looking to segment out our LAN with another wireless and wired LAN.

Essentially, we have a 48 port switch with a firewall and DHCP running off a server.  Ideally we would like to have our 1.0/24 network separate from another say 2.0/24 subnet.  On the second subnet we want to give them the ability to utilize the same ISP as the 1.0/24 but prevent the two networks from talking to each other thus keeping traffic separate.  Maybe I am overthinking this?

Also, is there a way to give a portion of the 2.0/24 access to some of the servers on 1.0/24?

Thanks.
Question by:jhuntin
5 Comments
 
LVL 43

Accepted Solution

by:
Rob earned 2000 total points
ID: 39968827
I'm sure there would be a way to do it all on one device but I would just use one or more routers (called that because they route from one network to another).

1.0/24 network =======>[router 1]======>[ISP modem/router]
                                                ||
                                                ||
                                                ||
2.0/24 network =======>[router 2]===============||

What I can't answer is what serves addresses to the 2.0/24 subnet?
 
LVL 17

Expert Comment

by:pergr
ID: 39968889
The way to do this is to connect the ISP connection into a firewall that will have two different LAN networks.

These two LANs can be two different switches, or two different VLANs.

A cheap simple firewall to do this one is the FortiGate 20. It can be configured to not allow any traffic at all between zones, or to allow traffic to just some servers.

Alternatively, you put the servers on a third LAN, and configure access with more granularity.
 
LVL 40

Expert Comment

by:jlevie
ID: 39969050
A layer 3 switch with sufficient ports for both networks will do this. Or it could be done with two switches and a router with three ports, or with one switch with two VLANs and a two port VLAN aware router. The router, whether a part of the switch or a separate device, must have the ability to implement access lists to control cross network access.
 

Author Comment

by:jhuntin
ID: 39971266
The 2.0/24 network will have devices on it that are going to be publicly accessible for customers, so we don't want them to have the ability to get access to devices on 1.0/24, hence the segmentation.

If I use a layer 3 with 2 VLANs I could point the networks for outbound to the one gateway I presume?  Then you are saying that the router could allow cross talk between the VLANs for MAC addresses or IP addresses I choose? (Provided it has the functionality to do so?)
 
LVL 17

Expert Comment

by:pergr
ID: 39971321
Each network will have its own gateway, for example, 1.1/24 and 2.1/24.

Assuming you do not have public IP addresses for the second network, you will have to set up NAT on the router/firewall for public access.

If you use a Layer 3 switch, you will have to configure on it "access lists" or "firewall rules" or whatever the switch vendor calls them. Still, these are "stateless" (looking at every packet individually and not as a packet flow) and less secure than a stateful firewall.

The access across VLANs/networks is based on IP, not MAC.
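As an added example (not from any of the posts above), here is what the policy discussed in this thread looks like as a stateful ruleset on a Linux router/firewall sitting between the two VLANs and the ISP link. It assumes 192.168.1.0/24 for the office LAN and 192.168.2.0/24 for the public segment (the thread only gives the last octet), interface names eth0/vlan10/vlan20, and one office server 192.168.1.10 that customers may reach on HTTPS; all of those are placeholders.

```nftables
#!/usr/sbin/nft -f
# Assumed layout (not from the thread): eth0 = ISP uplink,
# vlan10 = office LAN 192.168.1.0/24, vlan20 = public/customer LAN 192.168.2.0/24,
# 192.168.1.10 = the one office server the public segment may reach (HTTPS only).
flush ruleset

define WAN        = "eth0"
define OFFICE     = "vlan10"
define PUBLIC     = "vlan20"
define OFFICE_NET = 192.168.1.0/24
define PUBLIC_NET = 192.168.2.0/24
define SHARED_SRV = 192.168.1.10

table inet segment {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Stateful: replies to flows that were already permitted are accepted in
        # both directions, so each rule below only has to allow the direction
        # that opens the connection (the "packet flow" point pergr makes).
        ct state established,related accept
        ct state invalid drop

        # Both subnets share the same ISP link for outbound Internet access.
        iifname { $OFFICE, $PUBLIC } oifname $WAN accept

        # Exception: the public segment may open HTTPS to one designated server.
        iifname $PUBLIC oifname $OFFICE ip daddr $SHARED_SRV tcp dport 443 accept

        # Everything else between the two LANs (either direction) is logged and
        # then dropped by the chain policy, keeping the networks separate.
        # If office staff must manage the customer-facing devices, add a rule
        # 'iifname $OFFICE oifname $PUBLIC accept' above this line.
        iifname $PUBLIC oifname $OFFICE log prefix "public->office denied: " drop
        iifname $OFFICE oifname $PUBLIC log prefix "office->public denied: " drop
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # One ISP address shared by both subnets (the NAT pergr mentions).
        ip saddr { $OFFICE_NET, $PUBLIC_NET } oifname $WAN masquerade
    }
}
```

Load it with `nft -f <file>`; the `log` rules are what let you verify from the kernel log that cross-segment attempts are actually being refused rather than assuming the ACL works.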
