How to Isolate network users in a shared office space

By CalgaryTech
I know this is a topic that's been discussed many times in various ways, but each and every case is so different that I couldn't find a solid answer...

I'm (re)networking an office where about 50-60 individual users share the internet. The users have no relation to each other (sort of like at an airport, except each user is wired). Currently the office is set up with unmanaged switches and an RV042G gateway/router (which does failover on the WAN). This setup is obviously causing issues with reliability, bandwidth, security, malware, management, and overall legal reasons, because I have no control over any of the individual workstations. They don't belong to the office, only the network does.

The goal is to isolate each user/switch-port from each other, while still allowing a single DHCP server to serve them all. Many of the users have laptops so static IPs are not an option.

I'm thinking of installing switches such as D-Link DGS-1210 and giving each port an untagged VLAN. Then setting one port on each switch tagged and that port connects to the router.

However, I DON'T want to have to set up an individual subnet and DHCP range for each VLAN. Furthermore, I can't see anywhere that the DGS-1210s have an IP helper of any sort.

How can I make this work with a limited budget?


All Answers

by CalgaryTech In reply to How to Isolate network us ...

I found my own answer. Hopefully this helps others in the future....

Turns out the feature I'm looking for exists in some switches. It's generally called "Protected Ports". But it's only offered in Cisco and HP ProCurve switches (and not the cheap ones).

However, D-Link has a feature they call "Traffic Segmentation". I read about it here:

It's essentially the same as "Protected Ports" in Cisco and HP ProCurve switches, except that it's offered on switches as cheap as DES-1100. However, I also need some extra security features such as DHCP Screening (to prevent rogue DHCP servers), so the cheapest switch which offers Traffic Segmentation AND DHCP screening is the D-Link DGS-1210, which coincidentally was my first hope.

Now why "Traffic Segmentation" isn't better documented, who knows. A user could save thousands in switch cost, or hours of configuration with that simple feature. Thanks, D-Link!
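A toy model of the behaviour described in the post above, added here as an illustration and not part of the original post or any vendor's firmware or configuration syntax: every user port forwards only to the uplink (the "Traffic Segmentation" / "Protected Ports" idea), and DHCP server replies are accepted only from the uplink (DHCP screening). The class and function names, port numbers and MAC addresses are constructed assumptions.

```python
# Toy model (constructed for illustration) of one switch with per-port isolation
# and DHCP server screening. Not vendor firmware logic or configuration syntax.
from dataclasses import dataclass
from typing import Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"
DHCP_SERVER_SPORT = 67  # UDP source port used by DHCP server replies

@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    udp_sport: Optional[int] = None  # None for non-UDP traffic

class IsolatedSwitch:
    def __init__(self, ports, uplink):
        self.ports, self.uplink, self.mac_table = set(ports), uplink, {}

    def forward(self, in_port, frame):
        """Return the set of egress ports for a frame received on in_port."""
        # DHCP screening: server replies are only accepted from the uplink.
        if frame.udp_sport == DHCP_SERVER_SPORT and in_port != self.uplink:
            return set()
        self.mac_table[frame.src] = in_port  # ordinary MAC learning
        known = self.mac_table.get(frame.dst)
        if frame.dst != BROADCAST and known is not None:
            out = {known}
        else:
            out = self.ports - {in_port}  # broadcast / unknown unicast floods
        # Isolation: a user port may only ever send towards the uplink.
        if in_port != self.uplink:
            out &= {self.uplink}
        return out - {in_port}

def run_scenario():
    """Constructed sample traffic: users on ports 1 and 2, router on port 24."""
    sw = IsolatedSwitch(ports=[1, 2, 3, 4, 24], uplink=24)
    a, b, router = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:01"
    return {
        "discover_from_a": sw.forward(1, Frame(a, BROADCAST, 68)),
        "offer_from_router": sw.forward(24, Frame(router, a, 67)),
        "broadcast_from_b": sw.forward(2, Frame(b, BROADCAST)),
        "a_to_b_unicast": sw.forward(1, Frame(a, b)),
        "rogue_offer_from_b": sw.forward(2, Frame(b, BROADCAST, 67)),
        "a_to_router": sw.forward(1, Frame(a, router)),
    }

if __name__ == "__main__":
    for name, ports in run_scenario().items():
        print(f"{name:20s} -> {sorted(ports) or 'dropped'}")
```

The model covers one switch: frames arriving on the uplink are forwarded normally, so with several switches the isolation between users on different switches depends on what the upstream device does with that traffic.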

Response To Answer

by CG IT In reply to SOLVED

I've never run across a scenario where each client connected to a switch switchport must be isolated from every other client connected to the same switch. Now most networks use switchport security by MAC, and use VLANs to segment via corporate structure, or special areas, even use separate internal networks not connected in any way to any other internal networks, but not segmenting individual switchports on a switch from every other switchport on that switch.

Response To Answer

by CalgaryTech In reply to SOLVED

These scenarios come up all the time in situations such as schools, hotels, executive suites, rental properties, condominiums, libraries, etc. Security by MAC doesn't really work when every device is a guest. And of course network segmenting via VLANs and/or expensive equipment and/or complex structure are usually how it's done, however, I felt that there must be an easier, cheaper way... and turns out there is.

did netgear offer that option

by markp24 In reply to How to Isolate network us ...

Just looking at cost, I know Netgear ProSafe series switches offer advanced (small office) capabilities with VLANs, "isolation" options, etc.
FS752TP offers Protected port features.

Let me know if that was what you were looking for.

I wish I saw this earlier.

Response To Answer

by CalgaryTech In reply to did netgear offer that op ...

The particular switch you mention does seem to have the features I require. Netgear calls them "Protected Ports" and "DHCP Filtering". However that switch is 10/100, and that's the reason it fits into the budget I'm after. They do have some more expensive switches with the features I'm after, but the naming seems to change a little in the newer switches, but more to match Cisco and HP so that's a good thing (i.e. "DHCP Snooping").

I was hoping for gigabit connectivity on all ports, DHCP snooping, and Port isolation at a good price, so the D-Link DGS-1210 wins hands-down.

Also, my personal experience (as an IT professional) is that Netgear has really buggy firmware, so I generally try to stay away from Netgear, at least for managed equipment. Again, just personal preference.

I will post again after setting up the D-Link switches to provide a review.

Response To Answer

by markp24 In reply to did netgear offer that op ...

Thank you for the update and information. That's good to know. I don't have much experience with D-Link, but may look into it in the future. I have mainly used Cisco (Linksys) and Netgear, but on the Netgears I have flashed their home routers out for Tomato or DD-WRT firmware (seems to fix the stability issues) (but you should not need to do that with a product to make it stable) :-)
