VLANs or routing

October 20, 2010 at 03:15:42
Specs: Macintosh
Hi all,
I'm helping out a small organization that provides language classes for adults. They have about 20 computers all in one LAN sharing one internet connection. Gear so far is an ADSL router and a couple of switches to tie it all together. The computers are just your regular rather old Windows boxes.

They have three classrooms with computers and one office space with three administrative computers, all on the same LAN (10.0.0.0/24). They would now like to separate out these four rooms so that the administrative part is separated from the classrooms and each classroom is separated from the others too, all the while preserving the shared internet connection. With "separated" I mean inaccessible.

I've been looking around and it would seem to me that there's multiple possibilities so I was wondering which one is best: add a router to each of the rooms and just subnet into 10.0.0.x, 10.0.1.x, 10.0.2.x etc., or add a VLAN switch and define four VLANs?
Am I correct in thinking that if I add routers and start subnetting I will still be able to ping across networks, but with a VLAN I won't? Is there any reason I would prefer one over the other? The organization is very small and money is tight so I was thinking that might be a reason for choosing a particular option? Is one more secure (hacks, viruses, etc.) than the other?

Thanks,
Vincent



#1
October 20, 2010 at 07:13:00
I suspect your least expensive option would be to use separate subnets and routers. SOHO routers are fairly inexpensive (at least compared to managed VLAN capable switches) and would do the job for you.

Am I correct in thinking that if I add routers and start subnetting I will still be able to ping across networks, but with a VLAN I won't?

You're half right. If you use routers and subnets, the only way you would be able to communicate between subnets would be if you explicitly created routes between them. Say you have two subnets: 10.0.0.0/24 and 10.0.1.0/24 with a router in between. They can't communicate unless you make a route: 10.0.0.0 <<>> 10.0.1.0

With regard to VLANs, yes, separate VLANs can't communicate with each other.

If money is tight and you have some older computers kicking around, or have access to some older ones cheap/free, and you know Linux or UNIX, you could use those as routers.

If you can afford SOHO Routers then click on my name above in my response and read my "how-to" guide on "adding a second router" for info on how to connect them correctly. In this case you'd need to use the "LAN to WAN" scenario.

You would require one SOHO Router per subnet (room) and another connected to your internet with at least 4 LAN ports.

It matters not how straight the gate,
How charged with punishments the scroll,
I am the master of my fate;
I am the captain of my soul.

***William Henley***



#2
October 20, 2010 at 07:22:04
You will need 5 routers, one for each room and one for the internet connection, as well as switches in each room since you exceed 16 ports [4 ports per room when you need 5].

By the time you add up the cost and overhead, a managed 24 port switch is the way to go, as well as vlans are more secure imo than ip subnetting.



#3
October 20, 2010 at 09:11:57
Great, thanks guys, looks like I'm on the right track. I figured that after a certain number of routers a managed switch would become a more cost-effective method.
Just a quick follow-up question for the dedicated: there must be routers with more than one interface, no? Isn't there a router I can buy for this situation which has 4 interfaces, each of which I can assign a different subnet to? Or is that just going to push my costs up way more?

Ah yes, also: isn't a router going to find a path by broadcasting even if I don't define a route between subnets? Or maybe the link between routers isn't part of the broadcast domain huh?

Curt R, I'd already read your how-to, very interesting read. I'll definitely stick around here.
Tnx again guys.

Vincent



#4
October 20, 2010 at 10:07:32
I figured that after a certain number of routers a managed switch would become a more cost-effective method.

That depends on a couple of things though.

1) Can you find one you can afford? They're not cheap and chances are you'll have to buy an older used managed switch and there's no way to know how long it will last, if it even works out of the box. It goes without saying a used switch has no warranty.

Here's an example of what you would have to deal with buying a used switch:

We have some older Cisco switches kicking around here at work. I could pick one out, default its config, test it to ensure it's working properly. I could package it correctly but there's no guarantee it would reach you in working condition and to be honest, I wouldn't care if it didn't, it was working when I shipped it. You would have paid in advance and I would not refund your $$$ because the bill of sale would have said, "Sold to [your name] one used, as is, Cisco 2900 XL, 24 port managed switch....etc etc"

So this is the risk you take buying used equipment. You might find a seller that will guarantee it and if you go that route (ie: buy a used switch) then I would recommend you only do business with someone that will guarantee it.

We don't use low-end managed switches here so I have no idea what one would cost used. I do know our 48 port, 1000 Mbps switches run around $5,000.00

2) Do you know how to configure/maintain a managed switch?

If you buy a used Cisco, it's no good to you if you don't know the Cisco CLI (command line interface) and how to properly configure it.

You could buy a used, or new, switch that isn't Cisco and comes with a nice GUI management interface, but again, you'd still have to know what you're doing and you'd still require a router to allow you to route between subnets/VLANs.

I'm not saying don't go that route.....personally, I would. But then I'm a network technician by trade and I'm all too familiar with VLAN tagging, subnetting, routing, and experience configuring multiple different brands of switches.

Isn't there a router I can buy for this situation which has 4 interfaces, each of which I can assign a different subnet to? Or is that just going to push my costs up way more?

Yes there are, but again, you'd have to buy new or used. I would do some pricing online. There are plenty of used network appliances for sale. I would look for a company that sells all network appliances and guarantees that at least the equipment will arrive in working order.

Again, the "do you know how to configure the device" issue comes into play. If you do, you're laughing, if you don't, then you have to learn or hire someone who does.

A SOHO Router is something you could figure out all by yourself.

Again, if you know Linux or UNIX, you could use an older PC with enough interfaces for each connection and the OS of your choice (linux/unix). You can buy multiple NIC cards......you'd need a quad (4 ports) at the least for each subnet and one more for the internet connection.

Ah yes, also: isn't a router going to find a path by broadcasting even if I don't define a route between subnets?

You have to define a route between subnets on a router in order for those subnets to speak to each other.

example:

You have a Linux box with 5 NIC's.
eth0 = external connection that goes out to internet
eth1 = VLAN 1 - 192.168.1.0/24
eth2 = VLAN 2 - 192.168.2.0/24
eth3 = VLAN 3 - 192.168.3.0/24
eth4 = VLAN 4 - 192.168.4.0/24

VLAN 1 and VLAN 2 cannot communicate with each other as they stand since they're in completely separate subnets.
VLAN 1's broadcast address is: 192.168.1.255
VLAN 2's broadcast address is: 192.168.2.255

Both can only broadcast within their network (subnet).

In order to allow communication, you'd have to establish a static route between the two VLANs (subnets) within the router's routing table. Essentially it would look as follows:

192.168.1.0/24 <<>> 192.168.2.0/24

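As an added example (not the poster's configuration, and not part of the thread), here is how the five-NIC Linux box described in post #4 can be made to give the room-to-room separation that posts #1 and #4 discuss. One point worth keeping in mind on Linux: once IP forwarding is switched on, the kernel routes between its directly connected subnets without any extra route being added, so the "rooms can't reach each other" property has to be enforced in the firewall's FORWARD chain. The interface names follow the post; the DRY_RUN variable and the "room-xtalk:" log prefix are assumptions I chose for this example.

```shell
#!/bin/sh
# Added example: the five-NIC Linux router from the post, with the interface
# names assumed there (eth0 = uplink to the ADSL router, eth1..eth4 = rooms).
UPLINK=eth0
ROOMS="eth1 eth2 eth3 eth4"

# Print the commands instead of running them unless DRY_RUN is emptied
# (DRY_RUN= sh isolate.sh applies them, as root).
DRY_RUN=${DRY_RUN-1}
emit() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

isolation_rules() {
    # With forwarding on, the kernel already routes between the connected
    # subnets, so the separation comes from a default-deny FORWARD chain.
    emit sysctl -w net.ipv4.ip_forward=1
    emit iptables -F FORWARD
    emit iptables -P FORWARD DROP
    # Replies to connections a room opened may come back in.
    emit iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for room in $ROOMS; do
        # Every room reaches the shared internet connection...
        emit iptables -A FORWARD -i "$room" -o "$UPLINK" -j ACCEPT
        # ...but room-to-room traffic is only logged before the DROP policy
        # discards it, so a chatty or infected PC shows up in syslog.
        for other in $ROOMS; do
            [ "$room" = "$other" ] && continue
            emit iptables -A FORWARD -i "$room" -o "$other" -j LOG --log-prefix "room-xtalk:"
        done
    done
    # One public address for all four subnets, as on the old single LAN.
    emit iptables -t nat -A POSTROUTING -o "$UPLINK" -j MASQUERADE
}

# Does the generated ruleset forward new connections from interface $1 to $2?
forwards() {
    isolation_rules | grep -q -- "-A FORWARD -i $1 -o $2 -j ACCEPT"
}

isolation_rules
```

Broadcasts never cross the router in either direction, since each room is its own broadcast domain; the rules above only govern unicast traffic that the router would otherwise forward.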



#5
October 20, 2010 at 10:32:44
KISS = keep it simple silly
Does not appear we are keeping this concept in mind with vlans and routing combined for 20 pcs.

You can expect to pay between $100 and $500 for a managed switch. If buying used and online you can buy the additional warranty most offer.

Or consider something even simpler, which is two routers and a 16 port unmanaged switch. All you would have to give up is the requirement of the classrooms being isolated from each other.

internet<>router1<>16 port switch<>classroom pcs
internet<>router1<>router2<>administration
Router2 would be in a different subnet than router1



#6
October 20, 2010 at 12:08:08
Funny you should mention the above setup wanderer

I was actually thinking along the same lines myself.

Some years back I did a pro bono job for a group who helped people with handicaps get training, or to retrain in the case of a workplace injury.

Anyhow, they had two labs and a separate admin area. The one lady had talked with her hubby who was a professor in the Comp Sci program at the University in the city. He had advised separate subnets for everything. In the end I talked her into separating only the admin portion.

This worked quite nicely and I suspect the same setup would work equally well in this situation.




#7
October 21, 2010 at 02:23:54
That's really cool guys, thanks again. Only separating the admin part does make a lot of sense. That was actually my first suggestion for them but for some reason separation seems to be really important. KISS-wise I'll definitely lobby for this solution again though. Time to start shopping and implementing now. I'll get back here once it's done and let you know how it went. Thanks!
Vincent
