Justin H asked:

Setting up a multi segment network in office

In our office we are looking to segment out our LAN with another wireless and wired LAN.

Essentially, we have a 48 port switch with a firewall and DHCP running off a server. Ideally we would like to have our 1.0/24 network separate from another, say 2.0/24, subnet. On the second subnet we want to give them the ability to utilize the same ISP as the 1.0/24 but prevent the two networks from talking to each other, thus keeping traffic separate. Maybe I am overthinking this?

Also, is there a way to give a portion of the 2.0/24 access to some of the servers on 1.0/24?

Thanks.
pergr

The way to do this is to connect the ISP connection into a firewall that will have two different LAN networks.

These two LANs can be two different switches, or two different VLANs.

A cheap simple firewall to do this one is the FortiGate 20. It can be configured to not allow any traffic at all between zones, or to allow traffic to just some servers.

Alternatively, you put the servers on a third lan, and configure access with more granularity.
A layer 3 switch with sufficient ports for both networks will do this. Or it could be done with two switches and a router with three ports, or with one switch with two VLANs and a two port VLAN aware router. The router, which is a part of the switch or a separate device, must have the ability to implement access lists to control cross network access.
Justin H (ASKER)

The 2.0/24 network will have devices on it that are going to be publicly accessible for customers, so we don't want to have them with the ability to get access to devices on 1.0/24, which is why the segmentation.

If I use a layer 3 with 2 VLANs I could point the networks for outbound to the one gateway I presume? Then you are saying that the router could allow cross talk between the VLANs for MAC address or IP addresses I choose? (Pending it has the functionality to do so?)
Each network will have its own gateway, for example, 1.1/24 and 2.1/24.

Assuming you do not have public IP addresses for the second network, you will have to set up NAT on the router/firewall for public access.

If you use a Layer 3 switch, you will have to configure on it "access lists" or "firewall rules" or whatever the switch vendor calls them. Still, these are "stateless" (looking at every packet individually and not as a packet flow) and less secure than a stateful firewall.

Access across VLANs/networks is based on IP, not MAC.
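
The stateless versus stateful difference mentioned in the last reply, as an added example that is not part of the original thread: a small Python model of the "portion of 2.0/24 may reach one server on 1.0/24" exception, filtered once per packet and once per flow. The 192.168.x addressing, the server address, the /28 "portion", port 443 and all function names are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

# Assumed addressing: "1.0/24" = 192.168.1.0/24, "2.0/24" = 192.168.2.0/24
SERVER = ip_address("192.168.1.10")     # hypothetical shared server on 1.0/24
ALLOWED = ip_network("192.168.2.0/28")  # hypothetical portion of 2.0/24 with access
PORT = 443                              # hypothetical service port

def request_allowed(p):
    """Exception both devices share: ALLOWED clients may open TCP/443 to SERVER."""
    return (ip_address(p["src"]) in ALLOWED
            and ip_address(p["dst"]) == SERVER and p["dport"] == PORT)

def stateless_acl(p):
    """Layer 3 switch ACL: every packet is judged alone, so return traffic
    needs its own static permit rule. Anything else is denied."""
    reply_rule = (ip_address(p["src"]) == SERVER and p["sport"] == PORT
                  and ip_address(p["dst"]) in ALLOWED)
    return request_allowed(p) or reply_rule

class StatefulFirewall:
    """Permits return traffic only when it mirrors a flow allowed earlier."""
    def __init__(self):
        self.flows = set()

    def filter(self, p):
        if request_allowed(p):
            self.flows.add((p["src"], p["sport"], p["dst"], p["dport"]))
            return True
        # A genuine reply has the endpoints of a tracked flow swapped.
        return (p["dst"], p["dport"], p["src"], p["sport"]) in self.flows

def pkt(src, sport, dst, dport):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport}

# Constructed sample traffic
request = pkt("192.168.2.5", 50000, "192.168.1.10", 443)
reply = pkt("192.168.1.10", 443, "192.168.2.5", 50000)
unsolicited = pkt("192.168.1.10", 443, "192.168.2.9", 40000)  # no prior request
blocked = pkt("192.168.2.200", 50001, "192.168.1.20", 445)    # outside the exception

if __name__ == "__main__":
    fw = StatefulFirewall()
    for name, p in [("request", request), ("reply", reply),
                    ("unsolicited", unsolicited), ("blocked", blocked)]:
        print(f"{name:12} stateless={stateless_acl(p)!s:5} stateful={fw.filter(p)}")
```

Both filters deny the traffic outside the exception, but only the stateless ACL passes the packet that merely looks like a reply; the stateful firewall drops it because no matching request was seen.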