Solved

Setting up a multi segment network in office

Posted on 2014-03-31
5
416 Views
Last Modified: 2014-07-22
In our office we are looking to segment out our LAN with another wireless and wired LAN.

Essentially, we have a 48 port switch with a firewall and DHCP running off a server.  Ideally we would like to have out 1.0/24 network separate from another say 2.0/24 subnet.  On the second subnet we want to give them the ability to utilize the same ISP as the 1.0/24 but prevent the two networks from talking to each other thus keeping traffic separate.  Maybe I am overthinking this?

Also, is there a way to give a portion of the 2.0/24 access to some of the server on 1.0/24?

Thanks.
0
Comment
Question by:jhuntin
5 Comments
 
LVL 43

Accepted Solution

by:
Rob earned 500 total points
ID: 39968827
I'm sure there would be a way to do it all on one device but I would just use one or more routers (called that to route from one network to another).

1.0/24 network =======>[router 1]======>[ISP modem/router]
                                                                                                 ||
                                                                                                 ||
                                                                                                 ||
2.0/24 network =======>[router 2]===============||

What I can't answer is what serves addresses to the 2.0/24 subnet?
0
 
LVL 17

Expert Comment

by:pergr
ID: 39968889
The way to do this is to connect the isp connection into a firewall, that will have two different LAN networks.

These two lan can be two different switches, or two different VLAN.

A cheap simple firewall to do this one is the FortiGate 20. It can be configured to not allow any traffic at all between zones, or to allow traffic to just some servers.

Alternatively, you put the servers on a third lan, and configure access with more granularity.
0
 
LVL 40

Expert Comment

by:jlevie
ID: 39969050
A layer 3 switch with sufficient ports for both networks will do this. Or it could be done with two switches and a router with three ports, or with one switch with two VLANS and a two port VLAN aware router. The router, which a part of the switch or a separate  device mush have the ability to implement access lists to control cross network access.
0
 

Author Comment

by:jhuntin
ID: 39971266
the 2.0/24 network will have devices on it that are going to be publicly accessible for customers so we don't want to have them with the ability to get access to devices on 1.0/24 which is why the segmentation.

If I use a layer 3 with 2 VLAN's I could point the networks for outbound to the one gateway I presume?  Then you are saying that the router could allow cross talk between the VLAN's for MAC address or IP addresses I choose? (Pending it has the functionality to do so?)
0
 
LVL 17

Expert Comment

by:pergr
ID: 39971321
Each network will have its own gateway, for example, 1.1/24 and 2.1/24.

Assuming you do not have public IP addresses for the second network, you will have to set up NAT on the router/firewall for public access.

If you use a Layer 3 switch, you will have configure on it "access lists" or "firewall rules" or what ever the switch vendor calls them. Still these are "stateless" (looking at every packet individually and not as a packet flow) and less secure than a stateful firewall.

The access across VLAN/networks are based on IP, not MAC.
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For many of us, the  holiday season kindles the natural urge to give back to our friends, family members and communities. While it's easy for friends to notice the impact of such deeds, understanding the contributions of businesses and enterprises i…
This article will inform Clients about common and important expectations from the freelancers (Experts) who are looking at your Gig.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question