Solved

Setting up a multi segment network in office

Posted on 2014-03-31
5
Medium Priority
429 Views
Last Modified: 2014-07-22
In our office we are looking to segment out our LAN with another wireless and wired LAN.

Essentially, we have a 48 port switch with a firewall and DHCP running off a server.  Ideally we would like to have our 1.0/24 network separate from another, say 2.0/24, subnet.  On the second subnet we want to give them the ability to utilize the same ISP as the 1.0/24 but prevent the two networks from talking to each other, thus keeping traffic separate.  Maybe I am overthinking this?

Also, is there a way to give a portion of the 2.0/24 access to some of the servers on 1.0/24?

Thanks.
Question by:jhuntin
5 Comments
 
LVL 43

Accepted Solution

by:
Rob earned 2000 total points
ID: 39968827
I'm sure there would be a way to do it all on one device but I would just use one or more routers (called that to route from one network to another).

1.0/24 network =======>[router 1]======>[ISP modem/router]
                                                ||
                                                ||
                                                ||
2.0/24 network =======>[router 2]===============||

What I can't answer is what serves addresses to the 2.0/24 subnet?
 
LVL 17

Expert Comment

by:pergr
ID: 39968889
The way to do this is to connect the ISP connection into a firewall that will have two different LAN networks.

These two LANs can be two different switches, or two different VLANs.

A cheap simple firewall to do this one is the FortiGate 20. It can be configured to not allow any traffic at all between zones, or to allow traffic to just some servers.

Alternatively, you put the servers on a third lan, and configure access with more granularity.
 
LVL 40

Expert Comment

by:jlevie
ID: 39969050
A layer 3 switch with sufficient ports for both networks will do this. Or it could be done with two switches and a router with three ports, or with one switch with two VLANs and a two port VLAN aware router. The router, whether a part of the switch or a separate device, must have the ability to implement access lists to control cross network access.
 

Author Comment

by:jhuntin
ID: 39971266
The 2.0/24 network will have devices on it that are going to be publicly accessible for customers, so we don't want them to have the ability to get access to devices on 1.0/24, which is the reason for the segmentation.

If I use a layer 3 with 2 VLANs I could point the networks for outbound to the one gateway I presume?  Then you are saying that the router could allow cross talk between the VLANs for MAC addresses or IP addresses I choose? (Pending it has the functionality to do so?)
 
LVL 17

Expert Comment

by:pergr
ID: 39971321
Each network will have its own gateway, for example, 1.1/24 and 2.1/24.

Assuming you do not have public IP addresses for the second network, you will have to set up NAT on the router/firewall for public access.

If you use a Layer 3 switch, you will have to configure on it "access lists" or "firewall rules" or whatever the switch vendor calls them. Still, these are "stateless" (looking at every packet individually and not as a packet flow) and less secure than a stateful firewall.

The access across VLANs/networks is based on IP, not MAC.
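As an added illustration (not code from any of the answers) of pergr's stateless-versus-stateful point and the selective server access jhuntin asked about, this Python model assumes 192.168.1.0/24 and 192.168.2.0/24 for the two LANs and a hypothetical 192.168.1.10 as the one office server the customer LAN may reach on port 443. It shows why a switch ACL written per packet also drops the server's replies unless a return-traffic line is added, while a flow-tracking firewall admits them automatically.

```python
from ipaddress import ip_address, ip_network

# Assumed addressing: the thread's "1.0/24" and "2.0/24" taken as private /24s.
OFFICE = ip_network("192.168.1.0/24")       # existing office LAN
CUSTOMER = ip_network("192.168.2.0/24")     # new public-facing LAN
SHARED_SERVER = ip_address("192.168.1.10")  # hypothetical server customers may use
SHARED_PORTS = {443}                        # and only on this port


def stateless_acl(src, dst, dport):
    """Switch-style access list: each packet judged alone, first match wins."""
    src, dst = ip_address(src), ip_address(dst)
    if src in CUSTOMER and dst == SHARED_SERVER and dport in SHARED_PORTS:
        return "permit"  # the one carve-out into the office LAN
    if src in CUSTOMER and dst in OFFICE:
        return "deny"    # customer LAN may not reach anything else in the office
    if src in OFFICE and dst in CUSTOMER:
        return "deny"    # office may not initiate to customers; note this also
                         # drops the shared server's replies, so a real ACL needs
                         # an extra "established"/return-traffic line
    return "permit"      # everything else (Internet-bound via the gateway) routes


class StatefulFirewall:
    """Flow-tracking firewall: a reply is allowed because its request was."""

    def __init__(self):
        self.flows = set()  # (src, sport, dst, dport) of admitted requests

    def check(self, src, dst, sport, dport):
        s, d = ip_address(src), ip_address(dst)
        if (d, dport, s, sport) in self.flows:
            return "permit"  # reverse direction of a flow we already admitted
        verdict = stateless_acl(src, dst, dport)
        if verdict == "permit":
            self.flows.add((s, sport, d, dport))
        return verdict


if __name__ == "__main__":
    fw = StatefulFirewall()
    request = ("192.168.2.5", "192.168.1.10", 50000, 443)
    reply = ("192.168.1.10", "192.168.2.5", 443, 50000)
    print("ACL  request:", stateless_acl(request[0], request[1], request[3]))
    print("ACL  reply:  ", stateless_acl(reply[0], reply[1], reply[3]))
    print("FW   request:", fw.check(*request))
    print("FW   reply:  ", fw.check(*reply))
```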
