
Switch Or Hub??

Discussion in 'Networking Issues' started by WirelessInn, Dec 1, 2006.

  1. WirelessInn

    WirelessInn LI Guru Member

    Ladies & Gents,
    Here is a schema of what I am trying to do.
    I have 2 bldgs - BLDG A with Sat Internet Connection, BLDG B with my retail commercial setup: Office Computers (MainOfficeComputer "MOC and SecondOfficeComputer "SOC" JUST ADDED) and several PointOfSaleComputers. MOS, SOC and the POS computers are networked via a LAN thru a HUB. MOC and SOC dedicate each its NIC #1 to that LAN on a 192.168.1.xxx subnet. The Internet Connection feeds into MOC and SOC via each its own NIC #2 (on 192.168.0.xxx). I have separate networks in order to avoid putting all computers on the same network. At point *, I understand that it is better to have a switch (or a router?). ANy idea what type/model switch (or router?)? Linksys OK - I am familiar with the company's way to do things!
    Thanks very much - I hope this is clear enough!
    - Roger T
     

    Attached Files:

  2. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    Great picture. Makes it super easy when someone takes the time to frame their question carefully with a diagram!

    The answer, as you guessed it, is it depends.... If you want free communication between Bldg A and Bldg B, i.e. there are no security issues that would preclude nodes in Bldg A from initiating connections to nodes in Bldg B (and vice versa), then there is no requirement for a router/firewall at point "*" in your diagram. You have nicely separated your network into two IP subnets with the PCs with 2 NICs in them, and a switch would do nicely. You don't want a hub since it will not segment the network at the physical layer and you will have unnecessary collisions and the potential for bottlenecks in that part of the network. Hubs are decidedly an old school solution in modern data networks unless you have a compelling reason for them, for example if you have older equipment that won't properly negotiate speed and duplex. BTW, I'm making one other assumption: the PCs with the 2 NICs are simply packet forwarding between the two subnets, 192.168.0.0/24 (Bldg A) and 192.168.1.0/24 (Bldg B).

    If, on the other hand, you are concerned about security (I haven't asked you, for example, if you have wireless security... WPA or WEP on the bridged wireless between the buildings) and if (I know, another "if") you want to control flow between the two buildings, you will need a router/firewall. The problem with this approach is a) you will have to orient the firewall such that it will block the traffic one way vs. the other and (this is a big "and") b) you will have to create another subnet at the "*". It doesn't sound like this is the case, though. I am assuming that you have full control over the spanned network between the buildings, so a switch would do very nicely. It doesn't even matter what brand, though I would highly recommend a 5 or more port Gigabit Ethernet switch to future proof your network both for speed and port density.
     
  3. heidnerd

    heidnerd LI Guru Member

    In general:

    Avoid hubs. If that is what you really have, it might be time to replace it. Very insecure - it is easy to add a connection that will capture traffic from ALL nodes -- and provide an easy avenue for a hacker. On hubs, traffic on any port is sent immediately to all other ports. Thus if you have several very busy devices talking to each other, they can busy out the hub for the rest of the devices. Hubs tend to be old technology -- late 1990's.

    Switches - generally connect only the ports that are actively talking to each other. Managed switches add the ability to monitor port traffic on each port and break up a switch into multiple virtual LANs (i.e. a 24 port switch could appear as two 12 port switches on different networks). Switches pass virtually all traffic... no filtering of hack attempts. The Linksys SRW224G4 is an example of a managed switch. Managed switches cost a little bit more than unmanaged switches - but they give you much more control of your network.

    Routers add a "network packet computer" in between the Wide Area Network (WAN) port and an internal LAN port. Network packet traffic is (can be) inspected for simple network activity exploits. Routers allow you to hide your internal network from the rest of the world. Most routers also have the ability to redirect inbound traffic for specific ports (such as mail and web) to designated IP addresses that perform the functions, such as web servers. The better routers often include a Virtual Private Network (VPN) server feature that allows you to connect multiple network systems to each other in a secure manner, i.e. traffic between the two nodes would be encrypted and secured.

    Most companies offer routers that combine both the functions of the router, vpn server and a switch. Linksys wired versions of such a product are the RV016, RV042 and RV082... (there are more out there...) The WRT54G such as you have is a good example of a wireless product that combines multiple features.

    In designing your network - you may first want to think about creating multiple islands of security, then look into what it takes to create the islands, and finally choose the mixture of switches, routers, VPN servers, etc., that you will need. Within your environment as described above, you may want a small managed switch in both buildings - with VPN servers connecting the two buildings together. And an additional router to allow access to the internet. The managed switches would allow you to create security islands within the one building that would be isolated from each other, but they could talk to the building with the point of sale boxes.
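    The hub/switch/VLAN distinction above, as an added example that is not part of the thread: a small simulation of three forwarding behaviours (a hub that repeats every frame, an unmanaged learning switch, and a managed switch with the sniffer's port in a separate VLAN). The MAC addresses, port numbers and the POS/MOC traffic are constructed for the demo; the question it answers is how many of the 12 frames an attacker's sniffer on port 3 would capture in each case.

    ```python
    """Hub vs. learning switch vs. VLAN-partitioned switch: which ports see a frame?
    Added example, not from the thread; MAC addresses and traffic are constructed."""
    from dataclasses import dataclass

    BROADCAST = "ff:ff:ff:ff:ff:ff"
    POS1, MOC, SNIFFER = "00:00:00:00:00:01", "00:00:00:00:00:02", "00:00:00:00:00:99"


    @dataclass(frozen=True)
    class Frame:
        src: str
        dst: str
        payload: str


    class Hub:
        """Layer-1 repeater: every frame is copied to every other port."""

        def __init__(self, ports):
            self.ports = list(ports)

        def forward(self, in_port, frame):
            return [p for p in self.ports if p != in_port]


    class Switch:
        """Learning switch. Unicast goes only to the port where the destination MAC
        was last seen; broadcast and unknown destinations flood, but only inside
        the ingress port's VLAN (an unmanaged switch is the one-VLAN case)."""

        def __init__(self, ports, vlan_of=None):
            self.ports = list(ports)
            self.vlan_of = vlan_of or {p: 1 for p in self.ports}
            self.mac_table = {}                       # (vlan, mac) -> port

        def forward(self, in_port, frame):
            vlan = self.vlan_of[in_port]
            self.mac_table[(vlan, frame.src)] = in_port   # learn the source
            out = self.mac_table.get((vlan, frame.dst))
            if frame.dst == BROADCAST or out is None:
                return [p for p in self.ports if p != in_port and self.vlan_of[p] == vlan]
            return [out]


    def pos_session():
        """Constructed traffic: POS1 (port 1) finds MOC (port 2) via an ARP broadcast,
        then they exchange five sale/ack pairs. Port 3 is a sniffer plugged in like
        any other device."""
        frames = [(1, Frame(POS1, BROADCAST, "ARP who-has MOC?")),
                  (2, Frame(MOC, POS1, "ARP reply"))]
        for i in range(5):
            frames.append((1, Frame(POS1, MOC, f"sale {i}")))
            frames.append((2, Frame(MOC, POS1, f"ack {i}")))
        return frames


    def frames_seen_by(device, traffic, port):
        """Count frames that `device` copies onto `port` while replaying `traffic`."""
        return sum(1 for in_port, f in traffic if port in device.forward(in_port, f))


    def compare():
        """Frames the sniffer on port 3 captures out of the 12 in the session."""
        ports = [1, 2, 3]
        return {
            "hub": frames_seen_by(Hub(ports), pos_session(), 3),
            "unmanaged switch": frames_seen_by(Switch(ports), pos_session(), 3),
            "managed switch, port 3 in another VLAN":
                frames_seen_by(Switch(ports, {1: 10, 2: 10, 3: 20}), pos_session(), 3),
        }


    if __name__ == "__main__":
        for name, seen in compare().items():
            print(f"{name:42s} sniffer saw {seen}/12 frames")
    ```

    The hub hands the sniffer all 12 frames; the unmanaged switch leaks only the initial broadcast, and the VLAN split leaks nothing. Note what the switch does not do, which matches the "no filtering of hack attempts" remark above: the MAC table here has no size limit, whereas a real switch's table does, and an attacker who floods it with bogus source MACs (or ARP-spoofs MOC's address) can make a switch fall back to hub-like flooding. A switch improves on a hub; it is not a security boundary on its own.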
     
  4. WirelessInn

    WirelessInn LI Guru Member

    Thanks for the comments, Eric. A few questions:

    ******The answer, as you guessed it, is it depends.... If you want free communication between Bldg A and Bldg B ...ie: there are no security issues that would preclude nodes in Bldg A from initiating connections to nodes in Bldg B (and vice versa) then there is no requirement for a router/firewall at point "*" in your diagram.*******

    By NODES you mean what exactly in this case, especially in regard to "initiating connections"?

    ******* You have nicely separated your network into two IP subnets with the PCs with 2 NICs in them******

    I did this simply because I wanted my commercial LAN to be unaffected by the Internet connection activity (thus different networks, subnets and NICs, instead of all HomeOffice AND commercial computers on the same network/subnet). I have to specify that from my HomeOffice Sat Internet Connection/Wireless Router, I also allow our company's Bed & Breakfast Guests to use that capability (this is not indicated on my schema!) A very localized - and WPA encrypted - Hotspot of sorts. So, I certainly did not want the Internet access activity to affect or even see the commercial LAN. And in fact, from the HomeOffice wireless connecting computers (both my HomeOffice's and Guests'), one does not see the Bldg B computers. A little crude probably but perhaps secure enough?

    ******and a switch would do nicely. You don't want a hub since it will not segment the network at the physical layer and you will have unnecessary collisions and the potential for bottlenecks in that part of the network.******

    That's where I get lost! I.e. the difference between switch and hub and their capabilities (apart from the fact that the former acts like a modern private party based phone system, while the latter looks more like the party lines scheme of yore!) So, just plug in and CAT connect computers to the switch, and presto, one gets a better, more efficient connectivity than via a hub? What about the "Managed Features" that many switches advertise? Needed at all in my configuration?


    ******* BTW, I'm making one other assumption: the PCs with the 2 NICs are simply packet forwarding between the two subnets, 192.168.0.0/24 (Bldg A) and 192.168.1.0/24 (Bldg B)********

    Please excuse me for making perhaps un-technical comments: in this case, I actually have made no efforts to establish any communication between the two subnets. In other words, MOC and SOC go about their POS LAN activity via NICs #1, while accessing the 'Net via their NICs #2 (Note: of course, Point of Sale computers do not need Internet access). No forwarding I believe. From HomeOffice - whose Workgroup does NOT include MOC or SOC, I access files on MOC and SOC only via pcAnywhere: I do not see MOC and SOC shared folders from HomeOffice computers.

    *******If, on the other hand, you are concerned about security (haven't asked you, for example, if you have wireless security...WPA or WEP on the bridged wireless between the buildings) and if (I know, another "if") you want to control flow between the two buildings you will need a router/firewall. *******

    I run WPA from the WRT54G at HomeOffice, thru the WET54G bridge.

    Thanks again!

    - Roger T
     
  5. WirelessInn

    WirelessInn LI Guru Member

    Switch or Hub??

    heidnerd, Thanks for the prompt reply; I am still new to the denser sectors of networking (I am looking at VPN, and finding out for example that Sat Internet does not do VPN very well, on account of the latency issue...)

    A few questions:

    **********Switches - generally connect only the ports that are actively talking to each other.*******

    So, in my case, installing a switch at * provides that type of more efficient data transport with no further ado. Just like dropping in a hub?

    ******* Managed switches add the ability to monitor port traffic on each port, break up a switch into multiple virtual lans (i.e. 24 port switch could appear as two 12 port switches on different networks) Switches pass virtually all traffic... no filtering of hack attempts. Linksys SRW224G4 is an example of a managed switch. Managed switches cost a little bit more than unmanaged switches - but they give you much more control of your network.*******

    Indeed, I was just looking at the data sheet for the SRW224G4 on linksys.com. Complex capabilities indeed: I do not believe that I understand all the terminology and methodology involved in managing data traffic thru such a switch!

    *******Routers add a "network packet computer" in between Wide Area Network (WAN) port and an internal LAN port. Network packet traffic is (can be) inspected for simple network activity exploits. Routers allow you to hide your internal network from the rest of the world. Most routers also have the ability to redirect inbound traffic for specific ports (such as mail and web) to designated ip addresses that perform the functions such as web servers. The better routers often include a Virtual Private Network (VPN) server features that allows you to connect multiple network systems to each other in a secure manner, i.e. traffic between the two nodes would be encrypted and secured.********

    I have a WRT54G router following the Sat Internet Modem. So it seems that all I am trying to do at this point is "split" the incoming internet connection at * efficiently between MOC and SOC.

    ********Most companies offer routers that combine both the functions of the router, vpn server and a switch. Linksys wired versions of such a product are the RV016, RV042 and RV082... (there are more out there...) The WRT54G such as you have is a good example of a wireless product that combines multiple features.*********

    Interesting you mention VPN. Actually - and this is not indicated on my schema - I also make the wireless connection available to Guests at the Bed & Breakfast I operate in an attached building. So, in short, Home Office provides a bridged Internet connection to MOC and SOC, as well as Wireless Internet access to the B&B's guests, on a limited, reasonable basis. WPA is in place throughout the wireless system, and we have only 8 rooms! Nevertheless, Guests are frequently asking about VPNing their offices!

    *********In designing your network - you may first want to think about creating multiple islands of security, then look into what it takes to create the islands, and finally chose the mixture of switches, routers, vpn servers, etc, that you will need. Within your environment as described above, you may want small managed switch in both buildings - with VPN servers connecting the two buildings together. And an additional router to allow access to the internet. The managed switches would allow you to create security islands within the one building that would be isolated from each other but they could talk to the building with the point of sales boxes.********

    "Security Islands": you'll have to expound about this a bit, if you do not mind! Something along the lines of my effort to keep the commercial LAN [MOC, SOC, PointOfSalesComputers] separate from Internet access activity and traffic?

    Thanks for all the help!
    - Roger T
     
  6. heidnerd

    heidnerd LI Guru Member

    I'll start with the last question first.

    When thinking of a security island, consider your B&B. Each guest wants to see the internet - but I doubt that any of them wants to be able to see or be seen by other B&B guests. Likewise you would probably prefer that the B&B guests only see the internet and not your Point of Sale machines.

    So you would really like to put each of the B&B guests on their own island in which they think they have the only connection to the internet. You can do that with virtual LANs, or VLANs. With a router/switch combination you would assign each port on the switch to be a unique VLAN, i.e. VLAN1, VLAN2, VLAN3, VLAN4...

    Switches provide the same functionality as a hub - but they fix some of the nasty problems that hubs introduce. With hubs, all traffic on a port is sent immediately to the other ports. Think of an eight lane highway that has a + intersection in the middle with another eight lane highway. With a hub it is a free for all -- no traffic control officer to ensure that packets move smoothly. But with a reasonable switch (even $30 ones) the highway intersection becomes magical - the lanes stack and cross over each other as necessary and connect magically when cars decide they want to turn right or left. Every car driver thinks they have the whole highway to themselves.

    Using two network cards in a Windows PC is okay - but simple mistakes in the network configuration can result in your POS devices making their data available to computer nodes in all buildings -- and possibly via the satellite connection. Or conversely it may be that anyone in the B&B could see transactions on the POS.

    If you have very sensitive information crossing the wireless network between the two buildings -- and you are in a densely populated area... the combination of the WRT54G and the WET54G may not offer much protection of information. This is also where a VPN could come into play. You would set up the wireless nodes in both buildings to connect with a WPA connection and then secure the information flowing between the buildings by sending it through a "VPN tunnel". That way even if someone could eavesdrop on and monitor your wireless connection, they could not easily crack the packets and see the data content. This can be very important with WEP since it can be cracked easily, and even some forms of WPA can be decoded....
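    The "simple mistakes in the network configuration" warning above, as an added example that is not part of the thread: a model of the two-subnet layout (192.168.0.0/24 on the WRT54G side with a B&B guest, 192.168.1.0/24 as the POS LAN, MOC with one NIC on each) that follows a packet hop by hop and reports whether a guest can reach a POS box. The addresses, the 10.0.0.1 "sat modem" next hop and the three misconfiguration flags are constructed; the model is plain IP forwarding with longest-prefix routing and no NAT.

    ```python
    """Does a dual-NIC PC join the two segments? Added example, not from the thread;
    all addresses are constructed (192.168.0.0/24 = Bldg A / guests, 192.168.1.0/24 = POS)."""
    import ipaddress
    from dataclasses import dataclass, field

    DEFAULT = ipaddress.ip_network("0.0.0.0/0")


    @dataclass
    class Host:
        name: str
        ifaces: list                                  # one IPv4Interface per NIC
        forwarding: bool = False                      # True only for things that route
        routes: dict = field(default_factory=dict)    # IPv4Network -> next-hop IPv4Address


    def host_with_addr(hosts, addr):
        """The host that owns `addr` on one of its NICs, or None."""
        for h in hosts.values():
            if any(i.ip == addr for i in h.ifaces):
                return h
        return None


    def reachable(hosts, src, dst, max_hops=8):
        """Follow a packet from host `src` toward IP `dst`, one hop at a time.
        A host that is not forwarding drops packets not addressed to itself."""
        dst = ipaddress.ip_address(dst)
        cur = hosts[src]
        for hop in range(max_hops):
            if any(i.ip == dst for i in cur.ifaces):
                return True                           # delivered
            if hop > 0 and not cur.forwarding:
                return False                          # landed on a non-router: dropped
            if any(dst in i.network for i in cur.ifaces):
                nxt = host_with_addr(hosts, dst)      # on-link: deliver directly
            else:
                matches = [n for n in cur.routes if dst in n]
                if not matches:
                    return False                      # no route (e.g. POS box with no gateway)
                best = max(matches, key=lambda n: n.prefixlen)   # longest-prefix match
                nxt = host_with_addr(hosts, cur.routes[best])
            if nxt is None:
                return False        # next hop is off the modelled LAN (sat modem / internet)
            cur = nxt
        return False


    def source_addr(hosts, a, b):
        """Address `a` would use toward `b`: its NIC on a shared subnet if there is one."""
        for ia in hosts[a].ifaces:
            for ib in hosts[b].ifaces:
                if ia.network == ib.network:
                    return ia.ip
        return hosts[a].ifaces[0].ip


    def both_ways(hosts, a, b):
        """A usable connection needs a path for the request and one for the reply."""
        return (reachable(hosts, a, source_addr(hosts, b, a))
                and reachable(hosts, b, source_addr(hosts, a, b)))


    def build_lan(moc_forwards=False, wrt_routes_to_pos=False, pos_has_gateway=False):
        """The layout as described in the thread; the flags are the 'simple mistakes'."""
        I, N, A = ipaddress.ip_interface, ipaddress.ip_network, ipaddress.ip_address
        wrt_routes = {DEFAULT: A("10.0.0.1")}                  # constructed sat-modem address
        if wrt_routes_to_pos:
            wrt_routes[N("192.168.1.0/24")] = A("192.168.0.10")  # static route via MOC NIC #2
        hosts = [
            Host("WRT54G", [I("192.168.0.1/24")], forwarding=True, routes=wrt_routes),
            Host("GUEST", [I("192.168.0.50/24")], routes={DEFAULT: A("192.168.0.1")}),
            Host("MOC", [I("192.168.0.10/24"), I("192.168.1.10/24")],
                 forwarding=moc_forwards, routes={DEFAULT: A("192.168.0.1")}),
            Host("POS1", [I("192.168.1.20/24")],
                 routes={DEFAULT: A("192.168.1.10")} if pos_has_gateway else {}),
        ]
        return {h.name: h for h in hosts}


    def exposure_report():
        """Can a B&B guest talk to a POS box under each configuration?"""
        return {
            "as described": both_ways(build_lan(), "GUEST", "POS1"),
            "MOC forwards only": both_ways(build_lan(moc_forwards=True), "GUEST", "POS1"),
            "MOC forwards + WRT route + POS gateway":
                both_ways(build_lan(True, True, True), "GUEST", "POS1"),
            "MOC still reaches POS as described": both_ways(build_lan(), "MOC", "POS1"),
        }


    if __name__ == "__main__":
        for name, ok in exposure_report().items():
            print(f"{name:40s} reachable: {ok}")
    ```

    As described (MOC not forwarding, POS boxes with no gateway) the guest has no path to the POS LAN and the POS boxes could not answer even if it did, which is the isolation Roger describes. Turning on forwarding in MOC alone changes nothing in this model because the WRT54G has no route to 192.168.1.0/24, but forwarding plus a static route on the WRT54G plus a default gateway on the POS boxes (each a routine change someone might make while "fixing" connectivity) opens a two-way path from any guest to the POS subnet. Windows Internet Connection Sharing is the usual way forwarding gets switched on by accident on a dual-NIC PC; the last check is whether the reply path exists, since a one-way path is still enough for UDP and for spoofed traffic.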
     
  7. HennieM

    HennieM Network Guru Member

    Rodge

    The info mentioned here by heidnerd and Eric is fine and true. However, you just want to make 2 ethernet ports from 1 ethernet port, so a cheapie switch at * will do just fine. You can go for an 8 or 16 port unmanaged switch such as the SMC-EZ6516Tx (which has worked for me for a number of years). Look at 8 or 16 ports rather than 3 or 5 ports, as you might add more computers close to MOC/SOC later. If you can get a gigabit (1000Mbit/s, instead of the more common 100Mbit/s such as the SMC mentioned) switch, it will be better for future proofing as mentioned by Eric.

    Eric/heidnerd
    Roger's 2 nets are intentionally logically separated - the 2 computers with the 2 NICs at the end of the "internet side" (MOC and SOC) do not route/forward to/from the Point of Sale/Commercial side. The POS side also has its own IP setup with no gateway.

    Back to Roger:
    If you want to look at VPN stuff, a VPN capable router would be more appropriate close to your sat modem. Bear in mind however, that, as your sat modem is controlling your internet connection, you might have to replace it.

    If the sat modem can be configured to "bridge mode", you might be able to have a VPN capable router actually controlling your sat modem and internet connection. This VPN router is then connected directly to the sat modem and becomes the "main man" for internet access. This setup should allow multiple outgoing VPN connections provided that the VPN router does have this capability.

    A VPN router at * would not make sense, as:
    1) the sat modem and WRT in BLDG A still would allow only 1 VPN passthrough.
    2) it means all internet traffic has to go over the wireless bridge and back again to the sat modem to get to the internet.
     
