A router connects subnets. To do this it takes an ethernet frame, unpacks the IP (layer 3) packet within it, works out what to do with it, repackages it up into a new ethernet frame and sends it out another interface to the “next hop”. This consumes a fair amount of computing resources – routing is much slower than switching. An important point is that a router, even with gigabit physical interfaces, cannot perform the routing at anywhere near this speed.
Imagine that your practice is segmented with 2 switches:
- The main network : Computers and the server connected together with a 10 port switch. Network address 192.168.0.0 255.255.255.0 (devices IP addresses between 192.168.0.1 and 192.168.0.254
The default gateway is the router R1 at 192.168.0.1
consider a computer C1 at 192.168.0.10
- The imaging network : The OCT machine and other imaging devices connected together with a second 10 port switch. This network 192.168.10.0 255.255.255.255
The default gateway is a second port on the router with address 192.168.10.1
consider the OCT machine O1 at 192.168.10.77
So if C1 wants to see O1, it first checks whether the device is in the same subnet. It isn’t in this case so it sends the frame to the default gateway R1. R1 knows about both subnets so it routes the frame to O1 on the second subnet. Replys from O1 back to C1 do the same process in reverse.
We have now segmented the network. We have not yet made it much more secure though. If we had an insecure device – say a telnet client O2 at 192.168.10.55 , it could still be reached from an intrusion (eg virus) on the other network segment at 192.168.0.5 . The router will send our information from one network to the other and back again. All we have stopped is a virus scanning for open services on the other network. For this to be a security measure, we need to filter (or firewall) what goes from one network to the other.
Most people think of a router as synonymous with a modem. Indeed, the internet connection we have at home or office is in fact both a router and a modem. The router routes the packets from our private network to the outside world. The difference between this and the previous example above is that it does something special as well called network address translation or NAT.