Help with network setup

[cat1847]

Hi everyone,

I have been asked to set up a small network (14 users). They should all be able to access the internet, but I do not want them to see each other. The budget for this project is fairly low and I would like to get this done as cheap as possible.
Network layout
cable modem----cheap router-----switch---users

I was wondering if I could get this done with a managed switch. At no time should the users be able to see each other.
The bandwidth usage on on this network is minimal.

Thanks in advance
CaT

 

[LawnBoy]

How many IP addresses will you get from the cable provider?

Define what you mean by "see each other". If you don't want to use windows sharing then don't. If you mean that you want to prevent any pc from connecting to any other pc regardless (on your LAN) you will need a layer 3 switch, and then you will have to configure each switchport with the routing rules to prevent it.


"We must fall back upon the old axiom that when all other contingencies fail, whatever remains, however improbable, must be the truth." - Sherlock Holmes

 

[cat1847]

I guess I should have worded that different. The pc's cannot access each other, but have access to the internet. I assume from your comment that a layer 3 switch should work.

I guess I will ask another question, Is programming a layer 3 switch very hard to do?

About the internet ip's I am only using one. This is for a small assisted living center, they are on a tight budget.
I just felt there was a real security problem with connecting all of the residents to a "dumb" switch because they would be able to access each other's pc if they had file sharing turned on.

Thanks for your comments,

CaT

 

[LawnBoy]

I think trying to do this would be a nightmare. If you don't want the users to have filesharing, then simply turn it off on each pc and don't give the users administrative access.


"We must fall back upon the old axiom that when all other contingencies fail, whatever remains, however improbable, must be the truth." - Sherlock Holmes

 

[cat1847]

Thanks for the comments.
I am going to have to think about this. I really won't have access to the tennants pc's. I may just suggest for them not to provide internet and let the tennants purchase dsl for their rooms if they want.
Again thanks for your comments.
CaT

 

[LawnBoy]

Besides, a layer 3 switch is going to be expensive. Ports are usually sold in groups of 12, so you would need a 24 port switch.

Cisco has a 24 port layer 3 switch, the Catalyst 3560, which would probably do this job. Price is around $7000. Other switches might be a better fit, I'm just using this as an example of the kind of pricing you're looking at.


"We must fall back upon the old axiom that when all other contingencies fail, whatever remains, however improbable, must be the truth." - Sherlock Holmes

 

[brianinms]

I am not sure where lawnboy is getting his prices, but a Cisco 3560 24 port is well under 3 grand. However all you need is a Cisco 2960 which around 600 dollars. You merely use the "switchport protected" command under the interfaces you want to block traffic between.


WS-C2960-24-S

 

[cat1847]

Thanks everyone for the feed back. Brian I will check out the availability of a Cisco 2960. Brian how hard is it to program of of these switches.

Thanks again to everyone for your help.
CaT

 

[cajuntank]

Sounds like your doing this for a small apartment/housing setting. I would look into an appliance from a manufacturer called Nomadix. This is the appliance used by Hampton/Hilton hotel and is designed for just that type of setting.

http://www.nomadix.com/products/

If I remember correctly, the price point on their appliance was very affordable in the smaller models.

Hope I could help.

 

[cat1847]

Thanks
Ill check them out
Cat

 

[LawnBoy]

I just googled it and took the first price I found.


"We must fall back upon the old axiom that when all other contingencies fail, whatever remains, however improbable, must be the truth." - Sherlock Holmes

 

[cat1847]

everyone,
this is how I did it. I bought a Alix wrap board. It has a 500 mhz amd processor on board and it has 3 nics, One for the wan, one for the lan, one for opt1 interface. I instated pfsense on it. Then I configured 14 vlans on the opt1 interface and then connected a layer two switch with the ports programed for the vlans. I have a dhcp server running on each vlan. So everyone is in their own ip subnet and they cannot see each other.
At the moment it is working fine.
Thanks
CaT

 

[BAsh12]

You need dot1 q in dot1 q tunnels.

In essence, a switch that you can have a single VLAN however, each port is private.

Cisco can do this and so can some HP, with HP you will need a premium licence.

 

[cat1847]

Thanks for the information. But I did get it to work. I only needed 14 isolated ports and I was able to get this done with pfsense and a HP procurve 1700. The reason for this set up was for cost. I was able to get it done for about 350 dollars. 200 for the wrap box and 150 for the hp procurve. PFsense is open source and a very good firewall.
I doubt that I could touch a cisco switch for this.
Thanks for the feed back.
CaT