
Creating a sub-network

Advice for creating a sub-network.

This tip is in response to a member question posed to our expert Chris Partsenidis. Here's the original question submitted to Chris: I am new at this networking and I would like to know if the following can work. We run Windows 2000 at work and want to have a computer in the plant attached to the main network, but we have three CNC machines that we want to network to that computer without connecting them to the main network. Can two network cards be added to the computer in the plant and attached to another hub to link the CNC computers together?

Here's Chris' insightful response:

Let me first warmly welcome you to the exciting world of networking! The journey is endless but there are plenty of people and sites (like ours) to help you along the way!

You will be most pleased to know that there surely is a solution to your problem. There are many ways in which you can attach the Windows 2000 computer to the main network while at the same time connecting the three CNC machines to it, but limiting or denying their access to the main network.

Since I have no idea about your network infrastructure, I'll share with you a few ideas and you can then pick the one that best suits your needs and can be easily adopted in your network. At the same time, because you're new to the networking world, I won't go into much detail to avoid confusion and frustration. If you understand and like one of the solutions, you can then research its implementation!

1) The quick and dirty way :)
Main Network--------WIN2000-------Switch===3 CNC machines

As you suggested, you can add a second network card in the Windows 2000 PC, connecting the first one to the main network, while the 2nd network card is attached to a switch that the other three CNC machines connect to. This is a quick and perhaps the cheapest solution to get the job done.

There are however some concerns which you should be aware of.

  • Security. You stated that you do not wish the three CNC machines to access the main network. For the above setup, this translates to disabling IP routing on your Windows 2000 machine. Secondly, because Windows 2000 itself is not considered (nor is it) a secure machine, you will need to make sure the machine is locked down, to prevent other people from 'trying' to access the 3 CNC machines. If the Windows machine is compromised, then the road towards the 3 CNC network is wide open!
  • With the above in mind, seriously consider an antivirus, plus some type of personal firewall that will work the way you require, to secure the Windows 2000 box. Keep in mind that Windows 2000 also allows a basic type of IP filtering (accessed within the network adaptor's TCP/IP properties), so you might want to consider this addition as well.

2) The cool way!
Main Network-----Win2000---firewall----switch==3CNC machines

This method is by far more secure than the first. The physical setup is more or less the same, but with an additional firewall between the Windows machine and the switch.

By inserting a firewall at this point, you have the following advantages:

  • You can decide what traffic is allowed to and from the 3 CNC 'network'
  • You can optionally log all traffic
  • Full reporting by the firewall
  • More robust solution, but also more administrative overhead

Again, the solution you implement all depends on how seriously you take network security and how much it applies in your situation.

As a firewall, I would strongly suggest a Linux operating system, e.g. Red Hat or Fedora. Using iptables (packet filtering for the Linux operating system), you can do wonders! I actually use such equipment to control and monitor our main production line, which consists of a five-server Oracle e-business farm. The cost is minimal and the results are very close to similar 3rd party software that costs thousands of dollars.

3) VLANs – The high tech way!
VLANs are simply awesome and today's standard for any modern and 'cool' network :)

With VLANs you actually are able to create separate logical and physical networks, using the existing network infrastructure, securing your network and providing you flexibility that not many other solutions can.

We won't analyze VLANs here, but there are some really great white papers (one of which I wrote last year) that will give you an overview of what VLANs are and how you can use them to transform your network into a multi-layered, flexible and secure playground!

At the time of writing this article, I am also analyzing the VLAN topic in much depth on my site (, so you might want to visit it in a few weeks if you want more information.

Coming back to this solution, following is what the physical setup would look like:
Main network-----VLAN_Switch----Win2000
3CNC machines---------|

As you can see, the Windows 2000 and 3 CNC machines plug into the same switch. Using the VLAN switch, you are able to route packets from the 3 CNC machines to the Windows 2000 machine, and at the same time restrict access between these four machines by using access-lists (similar to the packet filtering we spoke about).

Of course, the leader in such cool setups and equipment is Cisco! You can visit their site and look at the VLAN capable switches. These include the Catalyst 2900 and 3550 series, the second also being a Layer 3 switch (you would need this if you wish to use access lists).

In closing, I would simply like to note that the method or approach you would want to use should have as a guideline how important these 3 CNC machines are and to what extent you must go to protect them. Then of course there is the costing issue.

Take a look around, consider the options and make your decision!
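As an added illustration of the "cool way" (option 2), here is a small iptables ruleset for the Linux firewall that sits between the Windows 2000 PC and the CNC switch. This is example code written for this page, not the expert's own configuration; the interface names, addresses and port list are assumptions, and the script defaults to printing the commands so they can be reviewed before being applied as root with IPT=iptables.

```shell
#!/bin/sh
# Example ruleset for the firewall between the Win2000 PC and the CNC switch.
# Every name, address and port below is an assumption made for illustration.
WIN_IF="eth0"              # interface facing the Windows 2000 PC / main network
CNC_IF="eth1"              # interface facing the switch with the three CNC machines
WIN_HOST="192.168.10.2"    # Windows 2000 PC (assumed address)
CNC_NET="192.168.20.0/24"  # CNC 'network' behind the firewall (assumed range)
CNC_PORTS="21,23"          # TCP services the PC may reach on the CNCs (assumed)

# Dry run by default: print the rules. Run with IPT=iptables (as root) to apply.
IPT="${IPT:-echo iptables}"

build_cnc_firewall() {
  # Default deny for everything crossing the firewall; only listed traffic passes.
  $IPT -P FORWARD DROP
  $IPT -F FORWARD

  # Optional "log all traffic" (advantage 2): LOG is non-terminating, so placing
  # it first records every forwarded packet before a verdict is reached.
  if [ "${LOG_ALL:-0}" = "1" ]; then
    $IPT -A FORWARD -j LOG --log-prefix "FW-ALL: "
  fi

  # Replies belonging to connections already accepted may flow back.
  $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

  # Only the Windows 2000 host may open connections to the CNCs, on listed ports.
  $IPT -A FORWARD -i "$WIN_IF" -o "$CNC_IF" -s "$WIN_HOST" -d "$CNC_NET" \
       -p tcp -m multiport --dports "$CNC_PORTS" -m conntrack --ctstate NEW -j ACCEPT

  # CNC machines must never initiate anything towards the main network:
  # log the attempt (visible in the kernel log), then drop it.
  $IPT -A FORWARD -i "$CNC_IF" -o "$WIN_IF" -m conntrack --ctstate NEW \
       -j LOG --log-prefix "CNC-OUTBOUND-BLOCKED: "
  $IPT -A FORWARD -i "$CNC_IF" -o "$WIN_IF" -m conntrack --ctstate NEW -j DROP

  # Anything else that reaches the end of the chain is logged before the
  # default policy drops it, which gives the reporting the answer mentions.
  $IPT -A FORWARD -j LOG --log-prefix "FW-DROP: "
}

build_cnc_firewall
```

When applied for real, IP forwarding must also be enabled on the Linux box (net.ipv4.ip_forward=1), otherwise nothing crosses between the two interfaces at all.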

This was last published in April 2004
