Setting up a network with separate subgroups

June 13, 2012 at 09:59:20
Specs: Mixed Windows
My situation: I have a 4-port Netgear modem/router (DG834), and need to distribute its Internet connection according to the following criteria:

1. There are 11 access points (3 wired, 8 wireless) across 4 floors of a building – all cabling is from a central point, which will connect through a switch. Cat 5e cabling is in place.
2. The wireless points need Power over Ethernet connections.
3. The 4 router ports serve 2 PC’s and a printer in an office, the fourth being the connection to the switch.
4. There must be network separation so that:
- all points have Internet access
- there are three separate groups – one for the office, one for staff (wired) and one for guests (the wireless points), the purpose being to ensure that no user in one group can access any user’s device in the other 2 groups. I’m assuming VLAN is the method for this.
5. Traffic on the network is likely to be fairly low – casual use of the wireless ports, the office PC’s only being used for Internet access and email – no transactional systems, large databases or other resource / network-intensive functions.

Questions:

1. Both the Netgear FS726TP and GS724TP look as if they will do what I want, using WNAP210 wireless access points. Could I achieve the same outcome with 2 x GS108PE switches? Any other hardware recommendations?
2. Do I need any additional hardware?
3. Are there any other considerations I have not thought of?



#1
June 13, 2012 at 11:09:16
3. The 4 router ports serve 2 PC’s and a printer in an office, the fourth being the connection to the switch.

Sorry but wrong. Only the switch should be connected to the router. This office's equipment would be on a vlan.

#4 is correct in that you need 4 vlans. One for each of the three groups and a management vlan.

Answers are only as good as the information you provide.
How to properly post a question:
Sorry no tech support via PM's



#2
June 13, 2012 at 12:45:11
If you're going to have multiple subnets, you're going to need a router between your LAN and the internet.

A layer 3 switch will route. If you get an L3 switch that's PoE capable, you can kill 3 birds with one stone.

If you're fluent in Linux/UNIX, you could use a computer running one of those OS's as your router.

It matters not how straight the gate,
How charged with punishments the scroll,
I am the master of my fate;
I am the captain of my soul.

***William Henley***



#3
June 13, 2012 at 13:15:06
Wanderer, Curt R: Thanks both for your helpful answers. To help clarify my understanding, please comment on the following:

The DG834 is a modem/router. If I understand you correctly, I connect a small VLAN-capable switch such as the GS105E or GS108E to one router port and connect the office devices to this switch in one VLAN. I also set up a management VLAN on this device. I then take a link from this switch to a second switch - which will be in a separate location – and declare that as a third VLAN. I then have two separate subgroups (and a management area), each with Internet access but each unable to access devices in the other subgroup. Assuming the second switch is also VLAN capable, I can then designate further subgroups if I wish. The reason for this physical configuration is that the cables have all been brought to a single point which is not in the office where the router is; ideally I would have positioned a single switch in this location – but as there is only a single cable from here to the office location, I think I have to use this 2-switch solution.



#4
June 13, 2012 at 13:51:18
CurtR, where in post #1 do you see subnets mentioned?
I don't see it.


xlrtech, you would not chain switches together. It only complicates things and you reduce bandwidth to the last switch in the chain. All vlans would need to exist on the trunk connecting the two switches.

Given your description, you would configure switch A with vlan1 and just put the office on it as well as the port connecting to the router.

Configure switch B with vlans 2 and 3; the port connecting to the router would have both vlans.


#5
June 13, 2012 at 14:33:18
wanderer

CurtR, where in post #1 do you see subnets mentioned?
I don't see it.

I guess I'm making assumptions again. I assumed (yeah, I'm cringing as I say that) that the OP would want to use separate subnets as well as separate VLAN's in order to ensure clear separation between the discrete portions of their network.

As per the OP's original question:

4. There must be network separation so that:
- all points have Internet access
- there are three separate groups – one for the office, one for staff (wired) and one for guests (the wireless points), the purpose being to ensure that no user in one group can access any user’s device in the other 2 groups. I’m assuming VLAN is the method for this.

To me, the above means separate subnets as well as VLAN's.

Having never worked with multiple VLAN's and a single subnet I have to wonder about interconnecting the switches.

I'm not sure how you'd configure the uplink ports on the switches. If the router is not VLAN capable, you can't create a "trunk" port on the switches. Even if the router is VLAN capable, if you can't assign a LAN port on it (the router) as a trunk port, how could you set the switch ports to "trunk" and have it work?


#6
June 13, 2012 at 14:55:46
We have had this conversation before :-) You only do vlan and subnetting on large networks not tiny ones like this one.

No trunking required. Each switch connects to the router. The port in the switch that connects to the router has all vlans on that port that are configured in the switch. This allows all vlans to have internet access.
Allows all connected devices to get dhcp ip from the router via the vlans.
Connected devices can only talk to their vlan and internet and not each other.

This is a standard SOHO setup in my neck of the woods.

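The port layout wanderer describes in #6, as an added example that is not part of any post in this thread: a small Python model that audits a switch's port-based VLAN membership against the separation rule from the original question. It assumes a switch mode in which two ports exchange frames only when they share a VLAN group; the port numbers and group ids are constructed.

```python
# Model of port-based VLAN groups on one switch (constructed port layout).
# Assumption: two ports exchange frames only if they share at least one group.
from itertools import combinations

UPLINK = "uplink"  # role name for the port cabled to the router

def can_forward(membership, a, b):
    """True if ports a and b share at least one VLAN group."""
    return bool(membership[a] & membership[b])

def audit(membership, roles):
    """Return a sorted list of policy violations for the given switch config.

    membership: port number -> set of VLAN group ids the port belongs to
    roles:      port number -> "uplink" or a group name such as "staff"
    """
    problems = []
    uplinks = [p for p, r in roles.items() if r == UPLINK]
    for p, r in roles.items():
        if r != UPLINK and not any(can_forward(membership, p, u) for u in uplinks):
            problems.append(f"port {p} ({r}) cannot reach the router")
    for a, b in combinations(sorted(roles), 2):
        ra, rb = roles[a], roles[b]
        if UPLINK in (ra, rb) or ra == rb:
            continue  # uplink and same-group traffic are allowed
        if can_forward(membership, a, b):
            problems.append(f"port {a} ({ra}) can reach port {b} ({rb})")
    return sorted(problems)

# Constructed example: switch B with staff on ports 1-3, guest APs on 4-6,
# router uplink on port 24 placed in both groups.
ROLES = {1: "staff", 2: "staff", 3: "staff",
         4: "guest", 5: "guest", 6: "guest", 24: UPLINK}
GOOD = {1: {2}, 2: {2}, 3: {2}, 4: {3}, 5: {3}, 6: {3}, 24: {2, 3}}

# Same layout with two mistakes: port 3 also added to the guest group,
# and port 6 left out of every group that contains the uplink.
BAD = dict(GOOD)
BAD[3] = {2, 3}
BAD[6] = {9}

if __name__ == "__main__":
    print("good:", audit(GOOD, ROLES) or "no violations")
    for line in audit(BAD, ROLES):
        print("bad: ", line)
```

The audit covers layer-2 membership on a single switch only; devices inside the same group can still reach each other.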

#7
June 13, 2012 at 15:01:48
Thanks, wanderer - that seems clear now.


#8
June 14, 2012 at 07:26:11
You know, I have two 24 port L2 switches at home and I've played around with VLAN's on them. But I'm so used to doing separate subnets in each VLAN I never tried a single subnet on them. I think I'd better.........LOL


#9
June 14, 2012 at 09:44:49
I have a netgear vlan switch at home since we have a rental cottage in the back I provide internet to. Didn't want the tenant to access my home network. Single subnet for all and it works like a charm.


#10
June 23, 2012 at 09:44:41
Thanks again for your replies. I've now installed a GS105e for the office network and a GS724TP in a separate location for the staff/guest network, each linked to the router.

Elsewhere, I have been advised that the separation scheme I outlined won't work with a DG834 router, and that I need to add a firewall, such as the FVS318G or FVS336G between the router and the switches.

Do you agree with this - and if I install such a device, do I still need the GS105e, which only has the two office PCs and the printer attached?

