Best solution to segment subnets

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Hi all,

with this scenario...

Subnet A 192.168.1.0
Subnet B 192.168.2.0
Subnet C 192.168.3.0
Switch
ADSL Router 192.168.0.1
Windows 2003 server 2 NIC's (Roles: DC active directory, File sharing
server, mail server)
- NIC 192.168.1.1
- NIC 192.168.0.3

Wich is the best practice to segment this networks? Should i set up RRAS
service in the server too? I need subnets don't see eachother but have access
to internet. Could you help me?

Regards.
 
Vince said:
Hi all,

with this scenario...

Subnet A 192.168.1.0
Subnet B 192.168.2.0
Subnet C 192.168.3.0
Switch
ADSL Router 192.168.0.1
Windows 2003 server 2 NIC's (Roles: DC active directory, File sharing
server, mail server)
- NIC 192.168.1.1
- NIC 192.168.0.3

Wich is the best practice to segment this networks? Should i set up RRAS
service in the server too? I need subnets don't see eachother but have access
to internet. Could you help me?

Regards.
Click to expand...

This is not a real easy problem if your ADSL router will only listen to
192.168.0.0/24. You also haven't told us anything about the physical
layout of your network. If all the computers in each subnet are
connected on their own physical segment (rather than sharing the "wire"
with other subnets), and if their Internet access needs are basic, you
could just put another SOHO NAT router between each subnet and the ADSL
router, i.e.

ADSL ROUTER (192.168.0.1)
/ | \
192.168.0.2 192.168.0.3 192.168.0.4
Router-A Router-B Router-C
192.168.1.1 192.168.2.1 192.168.3.1

If the computers are sharing the same wire, the only real way to
separate them is using VLANs. Each port on a managed layer-2 switch or
multiple connected managed switches is configured for a separate VLAN.
Links between switches are configured to "trunk" all 3 VLANs. Computers
in subnet A are connected to ports configured for VLAN 1, subnet B to
VLAN 2, etc. Then there is no possibility of communication between
VLANS. You would still need the 3 extra routers. Something like this:

ADSL ROUTER (192.168.0.1)
/ | \
192.168.0.2 192.168.0.3 192.168.0.4
Router-A Router-B Router-C
192.168.1.1 192.168.2.1 192.168.3.1
\ | /
\ | /
-------------------------------------
| VLAN 1 VLAN2 VLAN 3 |
| SWITCH #1 |
| VLAN 1 VLAN2 VLAN 3 |
-------------------------------------
/ TRUNK | \
VL-1 Computer | VL-2 Computer VL-3 Computer
192.168.1.x | 192.168.2.x 192.168.3.x
|
TRUNK
-------------------------------------
| |
| SWITCH #2 |
| VLAN 1 VLAN2 VLAN 3 |
-------------------------------------
/ | \
VL-1 Computer VL-2 Computer VL-3 Computer
192.168.1.x 192.168.2.x 192.168.3.x

In this configuration, Computers connected to VLAN 1 ports on either
switch can connect to other computers connected to VLAN 1 ports on
either switch, but cannot connect to computers plugged into VLAN 2 or 3
ports. Check out Foundry Networks 2402CF switches. They're about $850 US
street price. Very capable switches for a fraction of the price of a
similar unit from that other company.

....kurt
 
Hi Kurt,

thanks for the quick anwser. Sorry, here is more information.

The problem is that swicthes are not managed, so they don't support Vlan's.
Foundry Networks 2402CF switches awasome models, i didn't know them. But now
we can't afford this cost.

There are three subnets and y don't know if it's posible to segment them
with the nowdays network layout. I have this:

subnet 1
|
switch
|
[Central Rack]
switch--------------------- subnet 3
ADSL router
Windows Server 2003 2 NICs
[Central Rack]
|
switch
|
subnet 2

Router ADSL 192.168.0.1 there is no way to manage this router because my ISP
installed it. I think what i want to do it's no posible, ins't it?

i am wondering if add to my windows 2003 server (DC) RRAS services and
segment this 3 subnets. Of course Vlan's it's the way to go but not posible
nowdays, no managed switches installed.

Sorry about my english.

Regards,
Vince.
 
Vince said:
Hi Kurt,

thanks for the quick anwser. Sorry, here is more information.

The problem is that swicthes are not managed, so they don't support Vlan's.
Foundry Networks 2402CF switches awasome models, i didn't know them. But now
we can't afford this cost.

There are three subnets and y don't know if it's posible to segment them
with the nowdays network layout. I have this:

subnet 1
|
switch
|
[Central Rack]
switch--------------------- subnet 3
ADSL router
Windows Server 2003 2 NICs
[Central Rack]
|
switch
|
subnet 2

Router ADSL 192.168.0.1 there is no way to manage this router because my ISP
installed it. I think what i want to do it's no posible, ins't it?

i am wondering if add to my windows 2003 server (DC) RRAS services and
segment this 3 subnets. Of course Vlan's it's the way to go but not posible
nowdays, no managed switches installed.

Sorry about my english.

Regards,
Vince.
Click to expand...

Your English is fine.

Since you can't manage your ISPs router, the simplest thing to do is add
a router for two subnets (R1 and R2 below). One subnet should be the
same as the ISPs router. If that's not possible, just add another router
for subnet 3 exactly the same as for subnets 1 and 2 below. Note that
these are just cheap SOHO routers that perform NAT. Any $39.95 SOHO
router should do the trick.

subnet 1 192.168.1.x
192.168.1.1 |
R1---------------switch
192.168.0.2 |
| [Central Rack]
ADSL router----------switch-------------------- subnet 3 (192.168.0.x)
192.168.0.1 Windows Server 2003 2 NICs
| [Central Rack]
192.168.0.3 |
R2---------------switch
192.168.2.1 |
subnet 2 192.168.2.x



That'll give you Internet for the other two subnets. I'm assuming the
switches aren't uplinked to each other, but even if they were it would
still work. You'll have a "double-NAT" situation which would give you
problems if you're running L2TP VPNs from subnets 1 or two. Otherwise,
for just general internet stuff (email surfing, etc) it'll work just
fine. You should be able to just configure your extra routers WAN ports
to be DHCP and get those addresses form your ISP's router.

....kurt
 
Hi Kurt,

Thanks again...

switches are uplinked to each other. This scenario will isolate the subnets?
i have a no clear idea of this scenario, maybe so nat routers are confusing
me. I didn't know about so cheap soho routers, they are just nat routers? no
adsl?

subnet 1 and subnet 2 are two room (telematic networks to kids can practise)
in the second floor, i need isolate them from subnet 3 and from each other.
Three subnets need internet.

Regards Kust and sorry i'm a bit confuse.

Kurt said:
Vince said:
Hi Kurt,

thanks for the quick anwser. Sorry, here is more information.

The problem is that swicthes are not managed, so they don't support Vlan's.
Foundry Networks 2402CF switches awasome models, i didn't know them. But now
we can't afford this cost.

There are three subnets and y don't know if it's posible to segment them
with the nowdays network layout. I have this:

subnet 1
|
switch
|
[Central Rack]
switch--------------------- subnet 3
ADSL router
Windows Server 2003 2 NICs
[Central Rack]
|
switch
|
subnet 2

Router ADSL 192.168.0.1 there is no way to manage this router because my ISP
installed it. I think what i want to do it's no posible, ins't it?

i am wondering if add to my windows 2003 server (DC) RRAS services and
segment this 3 subnets. Of course Vlan's it's the way to go but not posible
nowdays, no managed switches installed.

Sorry about my english.

Regards,
Vince.
Click to expand...

Your English is fine.

Since you can't manage your ISPs router, the simplest thing to do is add
a router for two subnets (R1 and R2 below). One subnet should be the
same as the ISPs router. If that's not possible, just add another router
for subnet 3 exactly the same as for subnets 1 and 2 below. Note that
these are just cheap SOHO routers that perform NAT. Any $39.95 SOHO
router should do the trick.

subnet 1 192.168.1.x
192.168.1.1 |
R1---------------switch
192.168.0.2 |
| [Central Rack]
ADSL router----------switch-------------------- subnet 3 (192.168.0.x)
192.168.0.1 Windows Server 2003 2 NICs
| [Central Rack]
192.168.0.3 |
R2---------------switch
192.168.2.1 |
subnet 2 192.168.2.x



That'll give you Internet for the other two subnets. I'm assuming the
switches aren't uplinked to each other, but even if they were it would
still work. You'll have a "double-NAT" situation which would give you
problems if you're running L2TP VPNs from subnets 1 or two. Otherwise,
for just general internet stuff (email surfing, etc) it'll work just
fine. You should be able to just configure your extra routers WAN ports
to be DHCP and get those addresses form your ISP's router.

....kurt
Click to expand...
 
Vince said:
Hi Kurt,

Thanks again...

switches are uplinked to each other. This scenario will isolate the subnets?
i have a no clear idea of this scenario, maybe so nat routers are confusing
me. I didn't know about so cheap soho routers, they are just nat routers? no
adsl?

subnet 1 and subnet 2 are two room (telematic networks to kids can practise)
in the second floor, i need isolate them from subnet 3 and from each other.
Three subnets need internet.

Regards Kust and sorry i'm a bit confuse.
Click to expand...

It won't isolate the subnets if the switches are uplinked to each other.
If all of the subnets are on just one switch, just pull the plug on the
uplinks (I gurarantee that will isolate them! :). If your workstations
on different subnets are spread out all over the building or campus,
VLANs are your only option. SOHO (_S_mall _O_ffice _H_ome _O_ffice) is
just another name for a "broadband" router. They perform "Network
Address Translation" (NAT), just like your ISPs router does (It's LAN
port will have a private 192.168.x.x address, and it's WAN port will
have a publicly routable IP address that all of the private IP address
share). These additional routers will do the same thing, so that traffic
from local private subnets other than 192.168.0.x will be translated to
a 192.168.0 address - which is what your ISPs router is expecting. If
managed switches are not in your budget, maybe you could buy enough
cheap unmanaged switches to physically isolate them.

Also, having the routers WAN ports connected together will not bridge
the private networks.

R1---Switch 1---All subnet 1 computers 192.168.1
192.168.0 /
ADSL Router --R2---Switch 2----All subnet 2 computers 192.168.2
\
R3---Switch 3---All subnet 3 computers 192.168.3

This will give you 100% isolation between subnets, and all subnets will
have Internet access. The only thing you'll have to configure is the LAN
IP address on the 3 routers (and maybe the DHCP scope). Note that for
total isolation, you will require all 3 extra routers.

I use an SMC Barricade 7004VBR router. There are many other good
choices. I think I paid about $45 US.
 
Hi Kurt,

so the switches wouldn't be uplinked each other... the uplink would be the
router, wouldn't be?

Dificult drawing in text :-)

Router 1
/ \
switch --- WAN LAN(192.168.1.0) --- switch --- Subnet 1
192.168.1.0

Router 2
/ \
switch --- WAN LAN(192.168.2.0) --- switch --- Subnet 1
192.168.2.0

What ip will have WAN each WAN router port? 192.168.0.x ? In the central
Rack kurt i have 3 swicthes uplinked, plus each switch on the rack in each
room through Optic fiiber.

This way

room 1 subnet 1
|
Fiber optic Uplinked
|
swicth 1 central rack
|
Ethernet uplinked
|
switch 2 central rack
|
Ethernet uplinked
|
switch 3 central rack

Room 2 the same way, uplinked with Fiber optic to one the swicthes in the
central rack.

So i think i am understanding,

ping from subnet to another subnet not, because wan -> lan (it couldn't be)
But ping from subnet to internet yes, because subnet lan -> NAT(192.168.0.x)
-> wan ok

DHCP scope really necesary?

I am right?

Thank you very much Kurt.
 
Vince said:
Hi Kurt,

so the switches wouldn't be uplinked each other... the uplink would be the
router, wouldn't be?

Dificult drawing in text :-)

Router 1
/ \
switch --- WAN LAN(192.168.1.0) --- switch --- Subnet 1
192.168.1.0

Router 2
/ \
switch --- WAN LAN(192.168.2.0) --- switch --- Subnet 1
192.168.2.0

What ip will have WAN each WAN router port? 192.168.0.x ? In the central
Rack kurt i have 3 swicthes uplinked, plus each switch on the rack in each
room through Optic fiiber.

This way

room 1 subnet 1
|
Fiber optic Uplinked
|
swicth 1 central rack
|
Ethernet uplinked
|
switch 2 central rack
|
Ethernet uplinked
|
switch 3 central rack

Room 2 the same way, uplinked with Fiber optic to one the swicthes in the
central rack.

So i think i am understanding,

ping from subnet to another subnet not, because wan -> lan (it couldn't be)
But ping from subnet to internet yes, because subnet lan -> NAT(192.168.0.x)
-> wan ok

DHCP scope really necesary?

I am right?

Thank you very much Kurt.






So the switches wouldn't be uplinked each other... the uplink would
Click to expand...
be > the router, wouldn't be?

The router would be the path to the Internet from each of the individual
subnet switches. If your link from the classroom switches is fiber
optic, you'll still need a fiber optic port on each of the switches in
the rack for each subnet, or you could use a media converter and go from
there straight into the router. Assuming you use one switc for each
subnet, those switches could not be uplinked without bridging the LAN
segments.

ping from subnet to another subnet not, because wan -> lan (it
couldn't be) But ping from subnet to internet yes,
because subnet lan -> NAT(192.168.0.x) -> wan ok
Click to expand...

Sounds good! You couldn't ping between subnets for two reasons:
1) There are no routes defined between them.
2) NAT routers, by default, block all unsolicited traffic from WAN to
LAN
DHCP scope really necesary?
Click to expand...

Depends on whether you are using DHCP and how DHCP is configured in what
ever routers you choose to buy. As it is now, I'm sure you are NOT using
DHCP, because your workstations would all end up on the wrong IP subnet.
Once you segment them with routers, you could allow each router to give
out DHCP addresses for the subnet they serve. It's probably what I'd do,
just cause it makes things easier. But that, of course is your decision.

....kurt
 
be > the router, wouldn't be?

The router would be the path to the Internet from each of the individual
subnet switches. If your link from the classroom switches is fiber
optic, you'll still need a fiber optic port on each of the switches in
the rack for each subnet, or you could use a media converter and go from
there straight into the router. Assuming you use one switc for each
subnet, those switches could not be uplinked without bridging the LAN
segments.


Sounds good! You couldn't ping betweensubnetsfor two reasons:
1) There are no routes defined between them.
2) NAT routers, by default, block all unsolicited traffic from WAN to
LAN


Depends on whether you are using DHCP and how DHCP is configured in what
ever routers you choose to buy. As it is now, I'm sure you are NOT using
DHCP, because your workstations would all end up on the wrong IP subnet.
Once yousegmentthem with routers, you could allow each router to give
out DHCP addresses for the subnet they serve. It's probably what I'd do,
just cause it makes things easier. But that, of course is your decision.

...kurt- Ocultar texto de la cita -

- Mostrar texto de la cita -
Click to expand...

Hi Kurt,

completly clear now... i think :-)

thank you very much for your help Kurt

All the best,
Vince.
 
Back
Top