Mar 4, 2010
Hi all,

I have the following network appliances to set up my network:

1 x 24p Cisco 3560
1 x 24p Cisco 2950T
1 x 8p Cisco 2960
1 x Firewall Zyxel USG300 (gateway to internet)

I have to isolate the production environment (15 Windows computers) from the rest of the LAN (20 computers between sales, staff, accounting, etc.). I have one SBS 2003, and I need to create a domain for the whole network. How would you isolate these 15 computers? Do I have to use two different VLANs? The isolated machines need access to the SBS 2003 to join the domain, and also to the firewall/gateway to get internet access. We've received all the Cisco switches from a different company.

Any hint/advice would be greatly appreciated

Thanks a lot



Jun 14, 2010

Take note that I haven't read about your switches. I take it that all of them can do VLANs.

Here is how I would set it up:

Cisco 2960 ---- Cisco 3560 --- LAN
Cisco 2950T

The firewall acts as the firewall/gateway.
The Cisco 2960 acts as the main switch. You will need to enable VLANs and put the two other switches on different VLANs. Let's say production on VLAN1, and the rest on VLAN2. That switch will also enable you to add more PCs in the long term. If you need more ports, just add some more switches on that one.
The other switches just act as .. well.. switches ;)

Now the fun part. I would place the server on your LAN network, which puts the server on VLAN2. Now enable routing on the switches, and just route packets from production to SBS, and SBS to production. This will enable the packets to find their way to and from the SBS without having the rest of the LAN "see" the production environment.

Another idea would be to use a different subnet for each environment and use the routes the same way.

I hope this helps :)
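
The VLAN-plus-routing layout discussed in the reply above, sketched as Cisco IOS configuration; this is an added example, not part of the original thread. It assumes the 3560 performs the inter-VLAN routing, and the VLAN IDs, subnets, host addresses and interface number are constructed placeholders.

```cisco
! Constructed example. Assumed addressing (not from the thread):
!   VLAN 10 production 192.168.10.0/24, VLAN 20 office 192.168.20.0/24
!   SBS 2003 = 192.168.20.10, firewall/gateway = 192.168.20.254
ip routing
!
vlan 10
 name PRODUCTION
vlan 20
 name OFFICE
!
ip access-list extended PROD-IN
 remark production may reach the SBS 2003 server
 permit ip 192.168.10.0 0.0.0.255 host 192.168.20.10
 remark production may not reach the rest of the office LAN
 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 remark remaining traffic is internet-bound via the firewall
 permit ip 192.168.10.0 0.0.0.255 any
!
ip access-list extended OFFICE-IN
 remark only the SBS 2003 server may talk to production
 permit ip host 192.168.20.10 192.168.10.0 0.0.0.255
 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 remark internet replies relayed by the firewall still pass
 permit ip any any
!
interface Vlan10
 description Gateway for production hosts
 ip address 192.168.10.1 255.255.255.0
 ip access-group PROD-IN in
!
interface Vlan20
 description Office LAN, SBS 2003 and firewall
 ip address 192.168.20.1 255.255.255.0
 ip access-group OFFICE-IN in
!
! Placeholder port: link to the switch that carries only production PCs
interface FastEthernet0/1
 description Uplink to production switch
 switchport mode access
 switchport access vlan 10
!
! Default route to the firewall; the firewall in turn needs a static
! route for 192.168.10.0/24 pointing at 192.168.20.1
ip route 0.0.0.0 0.0.0.0 192.168.20.254
```

Production hosts use 192.168.10.1 as their default gateway. Because the SBS sits in a different subnet, production clients need static addressing or a DHCP relay (`ip helper-address`) on `Vlan10`.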