Re: Best solution to segment subnets



Vince wrote:
Hi all,

with this scenario...

Subnet A 192.168.1.0
Subnet B 192.168.2.0
Subnet C 192.168.3.0
Switch
ADSL Router 192.168.0.1
Windows 2003 Server with 2 NICs (Roles: DC active directory, File sharing server, mail server)
- NIC 192.168.1.1
- NIC 192.168.0.3

Which is the best practice to segment these networks? Should I set up the RRAS service on the server too? I need the subnets not to see each other but to have access to the Internet. Could you help me?

Regards.

This is not a real easy problem if your ADSL router will only listen to 192.168.0.0/24. You also haven't told us anything about the physical layout of your network. If all the computers in each subnet are connected on their own physical segment (rather than sharing the "wire" with other subnets), and if their Internet access needs are basic, you could just put another SOHO NAT router between each subnet and the ADSL router, i.e.

               ADSL ROUTER (192.168.0.1)
                   /         |         \
         192.168.0.2    192.168.0.3    192.168.0.4
           Router-A       Router-B       Router-C
         192.168.1.1    192.168.2.1    192.168.3.1

If the computers are sharing the same wire, the only real way to separate them is using VLANs. Each port on a managed layer-2 switch or multiple connected managed switches is configured for a separate VLAN. Links between switches are configured to "trunk" all 3 VLANs. Computers in subnet A are connected to ports configured for VLAN 1, subnet B to VLAN 2, etc. Then there is no possibility of communication between VLANs. You would still need the 3 extra routers. Something like this:

               ADSL ROUTER (192.168.0.1)
                   /         |         \
         192.168.0.2    192.168.0.3    192.168.0.4
           Router-A       Router-B       Router-C
         192.168.1.1    192.168.2.1    192.168.3.1
                   \         |         /
                    \        |        /
         -------------------------------------
         |   VLAN 1      VLAN 2      VLAN 3  |
         |             SWITCH #1             |
         |   VLAN 1      VLAN 2      VLAN 3  |
         -------------------------------------
               /     TRUNK |           \
       VL-1 Computer       |  VL-2 Computer   VL-3 Computer
       192.168.1.x         |  192.168.2.x     192.168.3.x
                           |
                         TRUNK
         -------------------------------------
         |                                   |
         |             SWITCH #2             |
         |   VLAN 1      VLAN 2      VLAN 3  |
         -------------------------------------
               /             |            \
       VL-1 Computer   VL-2 Computer   VL-3 Computer
       192.168.1.x     192.168.2.x     192.168.3.x

In this configuration, computers connected to VLAN 1 ports on either switch can connect to other computers connected to VLAN 1 ports on either switch, but cannot connect to computers plugged into VLAN 2 or 3 ports. Check out Foundry Networks 2402CF switches. They're about $850 US street price. Very capable switches for a fraction of the price of a similar unit from that other company.

....kurt
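An added example, not from the thread, that models the three-subnet design above in Python: it sanity-checks the addressing plan (no overlapping subnets, every gateway inside its own subnet) and emits an nftables forward policy for a Linux router carrying one 802.1Q subinterface per VLAN, so that each subnet reaches the Internet through NAT but is refused, and logged, when it tries to reach another subnet. The /24 masks and the interface names eth0, eth1.1, eth1.2 and eth1.3 are assumptions; the thread gives neither.

```python
import ipaddress
from itertools import combinations

# Constructed from the thread: three LAN subnets plus the ADSL router's subnet.
# /24 masks are an assumption; the post gives no prefix lengths.
SUBNETS = {n: ipaddress.ip_network(f"192.168.{i}.0/24") for i, n in enumerate("ABC", 1)}
WAN = ipaddress.ip_network("192.168.0.0/24")
GATEWAYS = {"A": "192.168.1.1", "B": "192.168.2.1", "C": "192.168.3.1"}
# Assumed interface names: one 802.1Q subinterface per VLAN, eth0 toward the ADSL router.
LAN_IFACES = {"A": "eth1.1", "B": "eth1.2", "C": "eth1.3"}
WAN_IFACE = "eth0"

def check_plan(subnets, wan, gateways):
    """Return a list of addressing-plan problems; an empty list means the plan is sane."""
    problems = []
    for (n1, s1), (n2, s2) in combinations(list(subnets.items()) + [("WAN", wan)], 2):
        if s1.overlaps(s2):
            problems.append(f"{n1} {s1} overlaps {n2} {s2}")
    for name, gw in gateways.items():
        if ipaddress.ip_address(gw) not in subnets[name]:
            problems.append(f"gateway {gw} is not inside subnet {name} {subnets[name]}")
    return problems

def nft_policy(subnets, lan_ifaces, wan_iface):
    """Emit an nftables ruleset: each VLAN may reach the Internet via NAT, never another VLAN."""
    lines = [
        "table inet seg {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for name, net in subnets.items():
        for other, onet in subnets.items():
            if other != name:  # explicit, logged drop so a crossing attempt shows up in syslog
                lines.append(f"    iifname {lan_ifaces[name]} ip saddr {net} ip daddr {onet} "
                             f'log prefix "vlan-{name}-to-{other}: " drop')
        lines.append(f"    iifname {lan_ifaces[name]} oifname {wan_iface} ip saddr {net} accept")
    lines += [
        "  }",
        "  chain postrouting {",
        "    type nat hook postrouting priority 100;",
        f"    oifname {wan_iface} masquerade",
        "  }",
        "}",
    ]
    return "\n".join(lines)

if __name__ == "__main__":
    print(check_plan(SUBNETS, WAN, GATEWAYS) or "plan OK")
    print(nft_policy(SUBNETS, LAN_IFACES, WAN_IFACE))
```

The default-drop forward chain already blocks VLAN-to-VLAN traffic; the per-pair rules exist so each blocked attempt is logged with the source and destination VLAN named.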