Solved

Setting up a multi-segment network in an office

Posted on 2014-03-31
Last Modified: 2014-07-22
In our office we are looking to segment out our LAN with another wireless and wired LAN.

Essentially, we have a 48-port switch with a firewall, and DHCP running off a server. Ideally we would like to have our 1.0/24 network separate from another, say 2.0/24, subnet. On the second subnet we want to give them the ability to utilize the same ISP as the 1.0/24, but prevent the two networks from talking to each other, thus keeping traffic separate. Maybe I am overthinking this?

Also, is there a way to give a portion of the 2.0/24 access to some of the servers on 1.0/24?

Thanks.
0
Question by: jhuntin
5 Comments
 
LVL 42
Accepted Solution by: Rob Jurd, EE MVE (earned 500 total points)
I'm sure there would be a way to do it all on one device, but I would just use one or more routers (called that because they route from one network to another).

1.0/24 network =======>[router 1]======>[ISP modem/router]
                                               ||
                                               ||
2.0/24 network =======>[router 2]===============||

What I can't answer is what serves addresses to the 2.0/24 subnet?
0
 
LVL 17
Expert Comment by: pergr
The way to do this is to connect the ISP connection into a firewall that will have two different LAN networks.

These two LANs can be two different switches, or two different VLANs.

A cheap, simple firewall to do this with is the FortiGate 20. It can be configured to not allow any traffic at all between zones, or to allow traffic to just some servers.

Alternatively, you put the servers on a third LAN and configure access with more granularity.
0
 
LVL 40
Expert Comment by: jlevie
A layer 3 switch with sufficient ports for both networks will do this. Or it could be done with two switches and a router with three ports, or with one switch with two VLANs and a two-port VLAN-aware router. The router, whether it is part of the switch or a separate device, must have the ability to implement access lists to control cross-network access.
0
 

Author Comment by: jhuntin
The 2.0/24 network will have devices on it that are going to be publicly accessible for customers, so we don't want them to have the ability to get access to devices on 1.0/24, which is why we want the segmentation.

If I use a layer 3 switch with two VLANs, I could point the networks' outbound traffic to the one gateway, I presume? Then you are saying that the router could allow cross-talk between the VLANs for MAC addresses or IP addresses I choose (pending it has the functionality to do so)?
0
 
LVL 17
Expert Comment by: pergr
Each network will have its own gateway, for example 1.1/24 and 2.1/24.

Assuming you do not have public IP addresses for the second network, you will have to set up NAT on the router/firewall for public access.

If you use a layer 3 switch, you will have to configure on it "access lists" or "firewall rules" or whatever the switch vendor calls them. Still, these are "stateless" (looking at every packet individually and not as a packet flow) and less secure than a stateful firewall.

The access across VLANs/networks is based on IP, not MAC.
0
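The following is an added illustration, not code from any poster in this thread. It evaluates the policy the thread converges on (two LANs sharing one uplink, no cross-talk, except that the customer LAN may reach a couple of named servers) first as a stateless per-packet ACL of the kind a basic layer 3 switch offers, then as a stateful firewall that keeps a flow table, to show concretely what pergr's "stateless is less secure" means. All addresses are assumptions: 192.168.1.0/24 stands in for the office "1.0/24" LAN, 192.168.2.0/24 for the customer "2.0/24" LAN, and 192.168.1.10 is a hypothetical server that LAN2 is allowed to reach on ports 80 and 443. The packets fed through are constructed for the demo.

```python
"""Added illustration (not from any poster in this thread) of stateless ACL
versus stateful firewall evaluation of a two-LAN segmentation policy.
Addresses are assumptions: 192.168.1.0/24 = office LAN, 192.168.2.0/24 =
customer LAN, 192.168.1.10 = hypothetical server LAN2 may reach."""
import ipaddress
from dataclasses import dataclass

LAN1 = ipaddress.ip_network("192.168.1.0/24")   # office LAN (assumed)
LAN2 = ipaddress.ip_network("192.168.2.0/24")   # customer LAN (assumed)

# Servers on LAN1 that LAN2 hosts may open connections to (hypothetical).
ALLOWED_FROM_LAN2 = {("192.168.1.10", 80), ("192.168.1.10", 443)}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


def zone(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    if addr in LAN1:
        return "lan1"
    if addr in LAN2:
        return "lan2"
    return "wan"


def policy_allows_new(pkt: Packet) -> bool:
    """Zone policy for a NEW connection: the rules you would type into the box."""
    src, dst = zone(pkt.src), zone(pkt.dst)
    if src == dst:
        return True                      # same VLAN: never crosses the router
    if dst == "wan":
        return True                      # both LANs share the ISP uplink
    if src == "lan2" and dst == "lan1":
        return (pkt.dst, pkt.dport) in ALLOWED_FROM_LAN2
    return False                         # lan1->lan2 and wan->lan denied


def stateless_acl(pkt: Packet) -> bool:
    """Per-packet ACL as a basic L3 switch does it. With no connection table,
    return traffic can only be recognised by TCP flags: the classic
    'established' match admits any segment with ACK set, whoever sent it."""
    if pkt.ack:
        return True
    return policy_allows_new(pkt)


class StatefulFirewall:
    """Return traffic is recognised by looking it up in a table of flows the
    policy already admitted, not by trusting flags the sender chose."""

    def __init__(self) -> None:
        self.flows: set[tuple[str, int, str, int]] = set()

    def filter(self, pkt: Packet) -> bool:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.flows or rev in self.flows:
            return True                  # belongs to an admitted flow
        if pkt.syn and not pkt.ack and policy_allows_new(pkt):
            self.flows.add(fwd)          # new flow admitted by policy
            return True
        return False


def run_demo() -> dict[str, tuple[bool, bool]]:
    """Constructed packets; result is {name: (stateless_verdict, stateful_verdict)}."""
    fw = StatefulFirewall()
    customer, web, fileserver = "192.168.2.50", "192.168.1.10", "192.168.1.20"
    sequence = [
        ("lan2->allowed web server SYN", Packet(customer, web, 40000, 443, syn=True)),
        ("web server SYN/ACK reply", Packet(web, customer, 443, 40000, syn=True, ack=True)),
        ("web server data (ACK)", Packet(web, customer, 443, 40000, ack=True)),
        ("lan2->file server SYN", Packet(customer, fileserver, 40001, 445, syn=True)),
        ("lan2->file server forged ACK", Packet(customer, fileserver, 40001, 445, ack=True)),
        ("lan1->ISP SYN", Packet("192.168.1.77", "203.0.113.5", 50000, 443, syn=True)),
        ("internet->lan2 SYN (no NAT rule)", Packet("198.51.100.9", customer, 1234, 80, syn=True)),
    ]
    return {name: (stateless_acl(p), fw.filter(p)) for name, p in sequence}


if __name__ == "__main__":
    for name, (stateless, stateful) in run_demo().items():
        print(f"{name:36} stateless={str(stateless):5} stateful={stateful}")
```

The one row where the two verdicts differ is the forged ACK from the customer LAN to a file server that policy never allowed: the stateless ACL passes it because the sender set the ACK bit, while the stateful firewall drops it because no admitted flow matches. A lone ACK cannot complete a TCP handshake by itself, but it does reach the host and is enough for port probing, and for UDP there are no flags at all, so a stateless ACL has to leave a port either fully open or fully closed in each direction. That is the gap pergr is pointing at, and the reason the FortiGate-style zone firewall (or a layer 3 switch that actually tracks connections) is the better fit for a customer-facing segment.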
