
We have a kind of granulated network structure. At the moment I have two network adapters connected to my system for two of the network areas. The systems in network A and network B should not communicate with each other. For DNS I got a solution which works via search domains.

The issue now: What happens if network C or later network D needs to be connected? I don't want to connect another network adapter for each network which I want to access. What I would prefer is a solution with a managed switch, but I am not completely sure if this is the right attempt.

If it is the right attempt I imagine something like this:

  • Managed Switch with each network attached
    • the networks aren't able to communicate to each other
  • One port for my client system.
    • this port is the only one which is able to communicate to all other ports
  • maybe a second port which can communicate to the other ports for a DNS server?
    • Is this necessary or can I handle all the DNS-Server on my client system?

1 Answer

That's what VLANs are for. VLANs partition a physical switch (or a switching structure) into multiple virtual switches. Devices on different VLANs cannot communicate with each other on the data link layer.

Multiple VLANs can use the same physical links by trunking - each frame is tagged with the corresponding VLAN ID. Most often, trunking is only used by switches or routers but with a VLAN-capable NIC/server it can also be extended to end nodes.

A simple example looks like this:

[Diagram not included: two VLANs (10 and 20) spanning two switches, hosts A to D, with the switch-to-switch link as a trunk]

Communication is possible between A and D and between B and C, not between the other pairs.

The blue and green links are simple access type, without VLAN tagging, just association. The red link is a VLAN trunk, shared for both VLANs.

In a more elaborate setup you could have a third VLAN that common services like DNS and perhaps a file server are connected to. On the router/firewall connecting all VLANs you permit communication between VLAN 10 or VLAN 20 with the service VLAN but not between VLANs 10 and 20. The router between the VLANs can be a separate device or just a layer-3 switch with an ACL ruleset.

In any case, using a router in between your separated VLANs allows you to use an arbitrary number of VLANs/zones and control communication between zones on the router.

  • Sounds like a valid approach. So the firewall of the service VLAN has two options: either it has network adapters connected to all VLANs, or the VLANs are connected via an unmanaged switch and the firewall controls access?
    – MaKaNu
    Commented May 5, 2023 at 14:17
  • You cannot use tagged VLANs across an unmanaged switch (properly). You need to use a managed one, with according configuration. Yes, the firewall (or router with ACL) controls access from one VLAN to another.
    – Zac67
    Commented May 5, 2023 at 15:00
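The answer and the last comment describe a router (or layer-3 switch) between tagged VLANs with an ACL that lets VLAN 10 and VLAN 20 reach a shared service VLAN but not each other. The script below is an added example, not from the answer or the commenters, of what that looks like on a Linux router with one VLAN-capable NIC and nftables; the trunk interface name `trunk0`, VLAN 30 as the service VLAN, and the `10.0.<vlan>.0/24` addressing are assumptions.

```shell
#!/bin/sh
# Added example (not from the original answer): Linux router between tagged VLANs.
# Assumptions: trunk NIC is trunk0, VLANs 10 and 20 are the isolated zones, VLAN 30 is
# the shared service VLAN (DNS etc.), each VLAN uses 10.0.<vlan>.0/24 with .1 on the router.
# The commands are printed for review rather than executed; run them as root to apply.

TRUNK=trunk0
ZONES="10 20"        # isolated zones that must not talk to each other
SERVICE=30           # service VLAN every zone may reach (DNS server lives here)

# Emit the ip(8) commands that create one tagged sub-interface per VLAN on the trunk,
# so a single physical port carries every VLAN (the "VLAN-capable NIC" case).
vlan_ifaces() {
  echo "ip link set $TRUNK up"
  for v in $ZONES $SERVICE; do
    echo "ip link add link $TRUNK name $TRUNK.$v type vlan id $v"
    echo "ip addr add 10.0.$v.1/24 dev $TRUNK.$v"
    echo "ip link set $TRUNK.$v up"
  done
}

# Emit the nftables forward policy: default drop, return traffic of existing connections
# accepted, each isolated zone may open connections to the service VLAN, nothing else
# crosses zones. Adding a zone is one more VLAN ID in ZONES, no extra NIC.
nft_ruleset() {
  echo "nft add table inet zones"
  echo "nft add chain inet zones forward '{ type filter hook forward priority 0; policy drop; }'"
  echo "nft add rule inet zones forward ct state established,related accept"
  for v in $ZONES; do
    echo "nft add rule inet zones forward iifname \"$TRUNK.$v\" oifname \"$TRUNK.$SERVICE\" accept"
  done
}

# Policy oracle mirroring the ruleset: returns 0 if a new connection from VLAN $1 to
# VLAN $2 would be forwarded, 1 otherwise. Handy for checking the rules before applying.
zone_allowed() {
  [ "$1" = "$2" ] && return 0          # same VLAN is switched, never reaches the router
  [ "$2" = "$SERVICE" ] || return 1    # only the service VLAN is a permitted destination
  for v in $ZONES; do [ "$1" = "$v" ] && return 0; done
  return 1
}

vlan_ifaces
nft_ruleset
```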
